Commit graph

8 commits

Author SHA1 Message Date
Bjørn Erik Pedersen
9f978d387f
Pull in the latest code from Go's template packages (#11771)
Fixes #10707
Fixes #11507
2023-12-04 12:07:54 +01:00
David Karlsson
6c9ea022a9
config: Expand default security.exec.osEnv policy
To better support private Hugo modules and automatically
launching a text editor on content creation, this change
adds the following environment variables to the default
security policy:

- HOME
- XDG_CONFIG_HOME
- USERPROFILE
- SSH_AUTH_SOCK
- DISPLAY
- LANG

Fixes #9333
2023-07-07 13:54:06 +02:00
Bjørn Erik Pedersen
ee359df172
Fix upstream Go templates bug with reversed key/value assignment
The template packages are based on go1.20.5 with the patch in befec5ddbbfbd81ec84e74e15a38044d67f8785b added.

This also includes a security fix that now disallows Go template actions in JS literals (inside backticks).

This will throw an error saying "... appears in a JS template literal".

If you're really sure this isn't a security risk in your case, you can revert to the old behaviour:

```toml
[security]
[security.gotemplates]
allowActionJSTmpl = true
```

See https://github.com/golang/go/issues/59234

Fixes #11112
2023-06-15 23:04:33 +02:00
Bjørn Erik Pedersen
f210188da3
Upgrade to v2 of the Dart Sass Embedded Protocol
Fixes #11059
2023-06-12 13:47:38 +02:00
Bjørn Erik Pedersen
2637b4ef4d
Allow whitelisting mediaTypes used in resources.GetRemote
Fixes #10286
2023-05-20 20:16:45 +02:00
Bjørn Erik Pedersen
c6b3887696
config/security: Add O\w+ (e.g. GOROOT) to the default allowed list
Fixes #10429
2023-01-17 10:52:51 +01:00
septs
dc44bca963
config/security: Add CI env var to whitelist
2022-12-02 12:13:34 +01:00
Ricardo N Feliciano
e3f31352d4
config/security: Fix filename
2022-10-02 12:52:04 +02:00
Renamed from config/security/securityonfig_test.go