aboutsummaryrefslogtreecommitdiffhomepage
path: root/config
diff options
context:
space:
mode:
authorBjørn Erik Pedersen <[email protected]>2021-12-23 12:46:04 +0100
committerBjørn Erik Pedersen <[email protected]>2021-12-23 16:23:15 +0100
commit623dda71747c58dd052dbde3a0dbed1fb75b0c41 (patch)
tree3449eb3386f533438b6155b7cba6bcebef90fe6b /config
parentaee9e11a400ac231eb9e91c005f1fe039b106396 (diff)
downloadhugo-623dda71747c58dd052dbde3a0dbed1fb75b0c41.tar.gz
hugo-623dda71747c58dd052dbde3a0dbed1fb75b0c41.zip
Revert "config/security: Add HOME to default exec env var whitelist"
There have been one report in the wild suggesting that this needs to be tested better before doing: https://discourse.gohugo.io/t/hugo-mod-failing-in-v0-91-1-but-works-in-v0-91-0/36180/5 This reverts commit fca266ebbb81af3d4479873a7a79759033c7ce25.
Diffstat (limited to 'config')
-rw-r--r--config/security/securityConfig.go6
-rw-r--r--config/security/securityonfig_test.go7
2 files changed, 11 insertions, 2 deletions
diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go
index 8b0a52698..09c5cb625 100644
--- a/config/security/securityConfig.go
+++ b/config/security/securityConfig.go
@@ -42,7 +42,7 @@ var DefaultConfig = Config{
),
// These have been tested to work with Hugo's external programs
// on Windows, Linux and MacOS.
- OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$"),
+ OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"),
},
Funcs: Funcs{
Getenv: NewWhitelist("^HUGO_"),
@@ -110,6 +110,7 @@ func (c Config) CheckAllowedExec(name string) error {
}
}
return nil
+
}
func (c Config) CheckAllowedGetEnv(name string) error {
@@ -158,6 +159,7 @@ func (c Config) ToSecurityMap() map[string]interface{} {
"security": m,
}
return sec
+
}
// DecodeConfig creates a privacy Config from a given Hugo configuration.
@@ -187,6 +189,7 @@ func DecodeConfig(cfg config.Provider) (Config, error) {
}
return sc, nil
+
}
func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
@@ -202,6 +205,7 @@ func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
wl := types.ToStringSlicePreserveString(data)
return NewWhitelist(wl...), nil
+
}
}
diff --git a/config/security/securityonfig_test.go b/config/security/securityonfig_test.go
index bafb4e766..d0416a20d 100644
--- a/config/security/securityonfig_test.go
+++ b/config/security/securityonfig_test.go
@@ -53,6 +53,7 @@ getEnv=["a", "b"]
c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
c.Assert(pc.Funcs.Getenv.Accept("a"), qt.IsTrue)
c.Assert(pc.Funcs.Getenv.Accept("c"), qt.IsFalse)
+
})
c.Run("String whitelist", func(c *qt.C) {
@@ -79,6 +80,7 @@ osEnv="b"
c.Assert(pc.Exec.Allow.Accept("d"), qt.IsFalse)
c.Assert(pc.Exec.OsEnv.Accept("b"), qt.IsTrue)
c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
+
})
c.Run("Default exec.osEnv", func(c *qt.C) {
@@ -103,6 +105,7 @@ allow="a"
c.Assert(pc.Exec.Allow.Accept("a"), qt.IsTrue)
c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
c.Assert(pc.Exec.OsEnv.Accept("e"), qt.IsFalse)
+
})
c.Run("Enable inline shortcodes, legacy", func(c *qt.C) {
@@ -126,7 +129,9 @@ osEnv="b"
pc, err := DecodeConfig(cfg)
c.Assert(err, qt.IsNil)
c.Assert(pc.EnableInlineShortcodes, qt.IsTrue)
+
})
+
}
func TestToTOML(t *testing.T) {
@@ -135,7 +140,7 @@ func TestToTOML(t *testing.T) {
got := DefaultConfig.ToTOML()
c.Assert(got, qt.Equals,
- "[security]\n enableInlineShortcodes = false\n [security.exec]\n allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$']\n\n [security.funcs]\n getenv = ['^HUGO_']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']",
+ "[security]\n enableInlineShortcodes = false\n [security.exec]\n allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']\n\n [security.funcs]\n getenv = ['^HUGO_']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']",
)
}