author | Bjørn Erik Pedersen <[email protected]> | 2021-12-16 15:12:13 +0100 |
---|---|---|
committer | Bjørn Erik Pedersen <[email protected]> | 2021-12-17 09:50:28 +0100 |
commit | 44954497bcb2d6d589b9340a43323663061c7b42 (patch) | |
tree | 0d0d06b11e462ccff1a908c2b1c4dfd039b82787 /resources/resource_spec.go | |
parent | 22ef5da20d1685dfe6aff3bd9364c9b1f1d0d8f8 (diff) | |
Always use content to resolve content type in resources.GetRemote
This is a security hardening measure: don't trust the URL extension or any `Content-Type`/`Content-Disposition` header on its own; always look at the file content using Go's `http.DetectContentType`.
This commit also adds ttf and otf media type definitions to Hugo.
Fixes #9302
Fixes #9301
Diffstat (limited to 'resources/resource_spec.go')
-rw-r--r-- | resources/resource_spec.go | 37 |
1 files changed, 22 insertions, 15 deletions
diff --git a/resources/resource_spec.go b/resources/resource_spec.go
index 897c1bbaa..cd1e5010d 100644
--- a/resources/resource_spec.go
+++ b/resources/resource_spec.go
@@ -272,21 +272,28 @@ func (r *Spec) newResource(sourceFs afero.Fs, fd ResourceSourceDescriptor) (reso
 		fd.RelTargetFilename = sourceFilename
 	}
 
-	ext := strings.ToLower(filepath.Ext(fd.RelTargetFilename))
-	mimeType, suffixInfo, found := r.MediaTypes.GetFirstBySuffix(strings.TrimPrefix(ext, "."))
-	// TODO(bep) we need to handle these ambiguous types better, but in this context
-	// we most likely want the application/xml type.
-	if suffixInfo.Suffix == "xml" && mimeType.SubType == "rss" {
-		mimeType, found = r.MediaTypes.GetByType("application/xml")
-	}
+	mimeType := fd.MediaType
+	if mimeType.IsZero() {
+		ext := strings.ToLower(filepath.Ext(fd.RelTargetFilename))
+		var (
+			found bool
+			suffixInfo media.SuffixInfo
+		)
+		mimeType, suffixInfo, found = r.MediaTypes.GetFirstBySuffix(strings.TrimPrefix(ext, "."))
+		// TODO(bep) we need to handle these ambiguous types better, but in this context
+		// we most likely want the application/xml type.
+		if suffixInfo.Suffix == "xml" && mimeType.SubType == "rss" {
+			mimeType, found = r.MediaTypes.GetByType("application/xml")
+		}
 
-	if !found {
-		// A fallback. Note that mime.TypeByExtension is slow by Hugo standards,
-		// so we should configure media types to avoid this lookup for most
-		// situations.
-		mimeStr := mime.TypeByExtension(ext)
-		if mimeStr != "" {
-			mimeType, _ = media.FromStringAndExt(mimeStr, ext)
+		if !found {
+			// A fallback. Note that mime.TypeByExtension is slow by Hugo standards,
+			// so we should configure media types to avoid this lookup for most
+			// situations.
+			mimeStr := mime.TypeByExtension(ext)
+			if mimeStr != "" {
+				mimeType, _ = media.FromStringAndExt(mimeStr, ext)
+			}
 		}
 	}
 
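Review bot: The new `mimeType := fd.MediaType` short-circuit carries no comment explaining that a caller-supplied media type is authoritative and skips every filename-derived lookup (the suffix table, the xml/rss disambiguation and the `mime.TypeByExtension` fallback); the commit message says this is so remote content is typed by sniffing rather than by URL extension, but that intent is invisible at the use site. I'd put above the `if mimeType.IsZero() {` line: `// A media type supplied by the caller (e.g. detected from the fetched content) wins over anything derived from the filename; only fall back to the extension when none was given.` Note also that a non-zero `fd.MediaType` is never checked against `r.MediaTypes`, so whatever the caller passes is used as-is — presumably intended, but worth a sentence on the `ResourceSourceDescriptor.MediaType` field, which lives outside this hunk. The enclosing newResource starts before and continues past this hunk.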
@@ -301,7 +308,7 @@ func (r *Spec) newResource(sourceFs afero.Fs, fd ResourceSourceDescriptor) (reso
 		mimeType)
 
 	if mimeType.MainType == "image" {
-		imgFormat, ok := images.ImageFormatFromExt(ext)
+		imgFormat, ok := images.ImageFormatFromMediaSubType(mimeType.SubType)
 		if ok {
 			ir := &imageResource{
 				Image: images.NewImage(imgFormat, r.imaging, nil, gr),
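Review bot: `images.ImageFormatFromMediaSubType(mimeType.SubType)` now selects the image decoder from the media subtype instead of the filename extension, so correctness depends on that helper (defined outside this file and not in this diffstat) accepting the subtypes that actually arrive here — in particular `jpeg`, which content sniffing yields where the old `ImageFormatFromExt` path saw `.jpg`, and, I believe, the `x-icon` subtype Go's sniffer emits for ICO data. I can't verify that mapping from this hunk; a test that builds a `ResourceSourceDescriptor` with `MediaType` set to image/jpeg and an extension-less `RelTargetFilename` would pin it. When `ok` is false the resource still falls through to the non-image path, which this change leaves as it was. The enclosing newResource starts before and continues past this hunk.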