author | Bjørn Erik Pedersen <[email protected]> | 2021-12-16 15:12:13 +0100 |
---|---|---|
committer | Bjørn Erik Pedersen <[email protected]> | 2021-12-17 09:50:28 +0100 |
commit | 44954497bcb2d6d589b9340a43323663061c7b42 (patch) | |
tree | 0d0d06b11e462ccff1a908c2b1c4dfd039b82787 /tpl | |
parent | 22ef5da20d1685dfe6aff3bd9364c9b1f1d0d8f8 (diff) | |
Always use content to resolve content type in resources.GetRemote
This is a security hardening measure; don't trust the URL extension or any `Content-Type`/`Content-Disposition` header on its own, always look at the file content using Go's `http.DetectContentType`.
This commit also adds ttf and otf media type definitions to Hugo.
Fixes #9302
Fixes #9301
Diffstat (limited to 'tpl')
-rw-r--r-- | tpl/resources/resources.go | 23 | ||||
-rw-r--r-- | tpl/tplimpl/template_funcs_test.go | 1 | ||||
-rw-r--r-- | tpl/transform/unmarshal.go | 4 |
3 files changed, 11 insertions, 17 deletions
diff --git a/tpl/resources/resources.go b/tpl/resources/resources.go
index 4433e56e5..8cd670603 100644
--- a/tpl/resources/resources.go
+++ b/tpl/resources/resources.go
@@ -110,30 +110,21 @@ func (ns *Namespace) getscssClientDartSass() (*dartsass.Client, error) {
 // Get locates the filename given in Hugo's assets filesystem and
 // creates a Resource object that can be used for
 // further transformations.
-func (ns *Namespace) Get(filename interface{}) resource.Resource {
- get := func(args ...interface{}) (resource.Resource, error) {
- filenamestr, err := cast.ToStringE(filename)
- if err != nil {
- return nil, err
- }
- return ns.createClient.Get(filepath.Clean(filenamestr))
- }
-
- r, err := get(filename)
+func (ns *Namespace) Get(filename interface{}) (resource.Resource, error) {
+ filenamestr, err := cast.ToStringE(filename)
 if err != nil {
- // This allows the client to reason about the .Err in the template.
- // This is not as relevant for local resources as remotes, but
- // it makes this method work the same way as resources.GetRemote.
- return resources.NewErrorResource(errors.Wrap(err, "error calling resources.Get"))
+ return nil, err
 }
- return r
-
+ return ns.createClient.Get(filepath.Clean(filenamestr))
 }
 
 // GetRemote gets the URL (via HTTP(s)) in the first argument in args and creates Resource object that can be used for
 // further transformations.
 //
 // A second argument may be provided with an option map.
+//
+// Note: This method does not return any error as a second argument,
+// for any error situations the error can be checked in .Err.
 func (ns *Namespace) GetRemote(args ...interface{}) resource.Resource {
 get := func(args ...interface{}) (resource.Resource, error) {
 if len(args) < 1 {
diff --git a/tpl/tplimpl/template_funcs_test.go b/tpl/tplimpl/template_funcs_test.go
index 6ddf13b76..711d1350d 100644
--- a/tpl/tplimpl/template_funcs_test.go
+++ b/tpl/tplimpl/template_funcs_test.go
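Review bot: `Get` in tpl/resources/resources.go still hands `filepath.Clean(filenamestr)` straight to `ns.createClient.Get`, and `filepath.Clean` only normalises a path: a relative name keeps its leading `..` elements, so this call does not by itself keep the lookup inside the assets directory. Whether the filesystem behind `createClient.Get` rejects such names is not visible in this hunk; if that is where containment is enforced, record it next to the call, e.g. `// Clean only normalises; the assets filesystem is what confines the lookup.` The doc comment above `Get` should also mention the new second return value, since a failed string conversion is now returned as an error instead of being surfaced through `.Err` the way `GetRemote` does, and the former `"error calling resources.Get"` context is no longer attached to it.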
@@ -37,7 +37,6 @@ import (
 "github.com/gohugoio/hugo/tpl/internal"
 "github.com/gohugoio/hugo/tpl/partials"
 "github.com/spf13/afero"
-
 )
 
 var logger = loggers.NewErrorLogger()
diff --git a/tpl/transform/unmarshal.go b/tpl/transform/unmarshal.go
index aa84ca1f8..c59269577 100644
--- a/tpl/transform/unmarshal.go
+++ b/tpl/transform/unmarshal.go
@@ -95,6 +95,10 @@ func (ns *Namespace) Unmarshal(args ...interface{}) (interface{}, error) {
 return nil, errors.Errorf("type %T not supported", data)
 }
 
+ if dataStr == "" {
+ return nil, errors.New("no data to transform")
+ }
+
 key := helpers.MD5String(dataStr)
 
 return ns.cache.GetOrCreate(key, func() (interface{}, error) {
|
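Review bot: The new guard in `Unmarshal` (tpl/transform/unmarshal.go) compares `dataStr` with the empty string only, so input that consists of whitespace or a lone newline still reaches `helpers.MD5String` and the cached decode below it. If such input should count as empty as well, the check could read `if strings.TrimSpace(dataStr) == "" {`, provided `strings` is already imported in this file, which the hunk does not show. The message would also be easier to trace from a template if it named the call, e.g. `errors.New("transform.Unmarshal: no data to transform")`. `Unmarshal` starts above the hunk and continues past it.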