Commit graph

187 commits

Author SHA1 Message Date
Bjørn Erik Pedersen
7396aa945a Add hugo.Deps
Fixes #8949
2022-01-11 18:06:23 +01:00
Bjørn Erik Pedersen
2b6063c3e3 Misc depreation updates
* Deprecate .Page.Path when backed by a file
* site.Permalinks
* --ignoreVendor (use --ignoreVendorPaths)

Closes #9348
Closes #9349
2022-01-04 17:10:39 +01:00
Bjørn Erik Pedersen
56ab83a597 Make the deprecated Page/File methods (from Hugo 0.55) ERROR
Closes #9346
2022-01-04 17:10:39 +01:00
Paul Gottschling
d3c4fdb8ff Fix surprise OutputFormat.Rel overwriting
In page.NewOutputFormat, we take an output.Format f and use it to
create a page.OutputFormat. If the format is canonical, we assign
the final OutputFormat's Rel to "canonical" rather than using
f.Rel. However, this leads to unexpected behavior for custom
output formats, where a user can define a "rel" for a format
via the config file.

For example, the standard for "humans.txt" files requires using
rel="author" in HTML "link" elements. Meanwhile, humans.txt is
usually the only format used for its content. As a result, for
Hugo configurations that define a humans.txt custom output format,
Hugo will render "link" elements to content in this format with
rel="canonical," rather than "author" as required by the standard.

This commit changes page.NewOutputFormat to check whether a given
format is user defined and, if so, skips assigning Rel to
"canonical," even if isCanonical is true.

Fixes #8030
2022-01-04 10:38:38 +01:00
Bjørn Erik Pedersen
6779117f72 media: Also consider extension in FromContent
As used in `resources.GetRemote`.

This will now reject image files with text and text files with images.
2021-12-22 11:35:53 +01:00
Bjørn Erik Pedersen
44954497bc
Always use content to resolve content type in resources.GetRemote
This is a security hardening measure; don't trust the URL extension or any `Content-Type`/`Content-Disposition` header on its own, always look at the file content using Go's `http.DetectContentType`.

This commit also adds ttf and otf media type definitions to Hugo.

Fixes #9302
Fixes #9301
2021-12-17 09:50:28 +01:00
Bjørn Erik Pedersen
22ef5da20d
Add resources.GetRemote
In Hugo 0.89 we added remote support to `resources.Get`.

In hindsight that was not a great idea, as a poll from many Hugo users showed. See Issue #9285 for more details.

After this commit `resources.Get` only supports local resource lookups. If you want to support both, you need to use a construct similar to:

Also improve some option case handling.

```
{{ resource := "" }}
{{ if (urls.Parse $url).IsAbs }}
{{ $resource = resources.GetRemote $url }}
{{ else }}
{{ $resource = resources.Get $url }}
{{ end }}
```

Fixes #9285
Fixes #9296
2021-12-17 09:33:51 +01:00
Bjørn Erik Pedersen
f4389e48ce
Add some basic security policies with sensible defaults
This ommmit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
Joe Mooring
a037be774d
Improve handling of remote image/jpeg resources (#9278)
Add jpe, jif, and jfif to image/jpeg extensions.
For remote image/jpeg without extension, always use jpg extension.

Closes #9275
2021-12-13 08:55:15 +01:00
Bjørn Erik Pedersen
e4d6ec94b5 Allow user to handle/ignore errors in resources.Get
In Hugo 0.90.0 we introduced remote support in `resources.Get`.

But with remote resources comes with a higher chance of failing a build (network issues, remote server down etc.).

Before this commit we always failed the build on any unexpected error.

This commit allows the user to check for any error (and potentially fall back to a default local resource):

```htmlbars
{{ $result := resources.Get "https://gohugo.io/img/hugo-logo.png" }}
{{ with $result }}
        {{ if .Err }}
        {{/* log the error, insert a default image etc. *}}
        {{ else }}
        <img src="{{ .RelPermalink }}" width="{{ .Width }}" height="{{ .Height }}" alt="">
        {{ end }}
{{ end }}
```

Note that the default behaviour is still to fail the build, but we will delay that error until you start using the `Resource`.

Fixes #9529
2021-12-10 11:10:41 +01:00
Bjørn Erik Pedersen
6260455ba7 Make resource.Get return nil on 404 not found
This is in line with the interface declaration and also how local lookups work.

Fixes #9267
2021-12-10 11:10:41 +01:00
Bjørn Erik Pedersen
965a6cbff9 Update to Go 1.17.4 and remove timeout in resources.Get
Fixes #9265
2021-12-09 13:33:30 +01:00
Bjørn Erik Pedersen
e71d715b9b Add custom font support to images.Text
Fixes #9253
2021-12-07 16:53:02 +01:00
Bjørn Erik Pedersen
e61cdf335f images: Fix cache busting of image text filter
See #9238
2021-12-07 16:53:02 +01:00
Paul van Brouwershaven
283394a4fd
images: Text filter that draws text with the given options (#9239)
Fixes #9238
2021-12-07 11:29:55 +01:00
Bjørn Erik Pedersen
93572e5318 resources: Add timeout to the HTTP request in Get
Workaround for https://github.com/golang/go/issues/49366
2021-12-02 16:11:14 +01:00
Bjørn Erik Pedersen
94f149b21e Add a remote retry for resources.Get 2021-12-02 16:11:14 +01:00
Paul van Brouwershaven
66753416b5
Make resources.Get use a file cache for remote resources
Closes #9228
2021-12-02 12:56:25 +01:00
Bjørn Erik Pedersen
08a863e1e8
resources: Adjust the remote Get cache so it does not get evicted on restarts
We fill improve this, soon.
2021-11-30 16:54:01 +01:00
Paul van Brouwershaven
8aa7257f65
Add remote support to resources.Get
Closes #5255
Supports #9044
2021-11-30 11:49:51 +01:00
Anthony Fok
dce49d1333 resources: Rename excepted filenames for image golden testdata
As documented in commit 30eea3915b,
some filenames have changed due to cache busting of PNG and Webp images.

This resolves recent TestImageOperationsGolden failure on arm64, ppc64le
and s390x.

See #6387 and #8729
2021-10-30 08:47:22 +02:00
Bjørn Erik Pedersen
9830ca9e31
resources: Always preserve the original transform error 2021-10-19 20:38:38 +02:00
Joe Mooring
64abc83fc4 Allow multiple plugins in the PostCSS options map
Usage:
{{ $options := dict "use" "autoprefixer postcss-color-alpha" }}
{{ $style := resources.Get "main.css" | resources.PostCSS $options }}

Fixes #9015
2021-10-10 11:11:43 +02:00
Paul Gottschling
e03f82eef2
Pass minification errors to the user
Previously, *minifyTransformation.Transform suppressed the
error returned by t.m.Minify. This meant that when minification
returned an error, the error would not reach the user. Instead,
minification would silently fail. For example, if a JavaScript
file included a call to the Date constructor with:

new Date(2020, 04, 02)

The package that the minification library uses to parse JS files,
github.com/tdewolff/parse would return an error, since "04" would
be parsed as a legacy octal. However, the JS file would remain
un-minified with no error.

Fixing this is not as simple as replacing "_" with an "err" in
*minifyTransformation.Transform, however (though this is
necessary). If we only returned this error from Transform,
then hugolib.TestResourceMinifyDisabled would fail. Instead of
being a no-op, as TestResourceMinifyDisabled expects, using the
"minify" template function with a "disableXML=true" config
setting instead returns the error, "minifier does not exist for
mimetype."

The "minifier does not exist" error is returned because of the
way minifiers.New works. If the user's config disables
minification for a particular MIME type, minifiers.New does
not add it to the resulting Client's *minify.M. However, this
also means that when the "minify" template function is executed,
 a *resourceAdapter's transformations still add a minification.
When it comes time to call the minify.Minifier for a specific
MIME type via *M.MinifyMimetype, the github.com/tdewolff/minify
library throws the "does not exist" error for the missing MIME
type.

The solution was to change minifiers.New so, instead of skipping
a minifier for each disabled MIME type, it adds  a NoOpMinifier,
which simply copies the source to the destination without
minification. This means that when the "minify" template
function is used for a particular resource, and that resource's
MIME type has minification disabled, minification is genuinely
skipped, and does not result in an error.

In order to add this, I've fixed a possibly unwanted interaction
between minifiers.TestConfigureMinify and
hugolib.TestResourceMinifyDisabled. The latter disables
minification and expects minification to be a no-op. The former
disables minification and expects it to result in an error. The
only reason hugolib.TestResourceMinifyDisabled passes in the
original code is that the "does not exist" error is suppressed.
However, we shouldn't suppress minification errors, since they
can leave users perplexed. I've changed the test assertion in
minifiers.TestConfigureMinify to expect no errors and a no-op
if minification is disabled for a particular MIME type.

Fixes #8954
2021-09-22 20:54:40 +02:00
Emmanuel T Odeke
7c21eca74f
resources: Use default math/rand.Source for concurrency safety
The source from NewSource is documented not to be safe for
concurrency, and instead use the eefault source which is documented
as safe.

Fixes #8981
2021-09-19 12:18:30 +02:00
Bjørn Erik Pedersen
cf73cc2ece js: Fix import order for ./foo when both ./foo.js and ./foo/index.js exists
This is in line with how both Node and ESBuild's native import resolver does it.

The ambiguous situations above were discovered trying to build AlpineJS v3.

Note that the above was never an issue if you used `./foo.js` and similar to import the component.

Fixes #8945
2021-09-01 10:47:41 +02:00
Bjørn Erik Pedersen
bc0743ed8e Prevent minifier from removing quoutes around post-processed attributes
Fixes #8884
2021-08-22 12:47:47 +02:00
Bjørn Erik Pedersen
726fe9c3c9
Go back to WARNING for Page deprecations
Do that in the next release, let's reduce the noise, we have enough changes as it is.
2021-07-29 16:18:38 +02:00
Bjørn Erik Pedersen
b5de37ee79
Handle toml.LocalDate and toml.LocalDateTime in front matter
See #8801
2021-07-28 18:02:42 +02:00
Bjørn Erik Pedersen
efa5760db5 Add timezone support for front matter dates without one
Fixes #8810
2021-07-27 19:02:48 +02:00
Bjørn Erik Pedersen
91cbb96302 Bump all long-living deprecations to ERRORs 2021-07-25 17:17:21 +02:00
Bjørn Erik Pedersen
c19f65f956 minifiers: Make keepWhitespace = true default for HTML
Fixes #8771
2021-07-19 23:35:20 +02:00
Bjørn Erik Pedersen
022c479551
hugofs: Make FileMeta a struct
This commit started out investigating a `concurrent map read write` issue, ending by replacing the map with a struct.

This is easier to reason about, and it's more effective:

```
name                                  old time/op    new time/op    delta
SiteNew/Regular_Deep_content_tree-16    71.5ms ± 3%    69.4ms ± 5%    ~     (p=0.200 n=4+4)

name                                  old alloc/op   new alloc/op   delta
SiteNew/Regular_Deep_content_tree-16    29.7MB ± 0%    27.9MB ± 0%  -5.82%  (p=0.029 n=4+4)

name                                  old allocs/op  new allocs/op  delta
SiteNew/Regular_Deep_content_tree-16      313k ± 0%      303k ± 0%  -3.35%  (p=0.029 n=4+4)
```

See #8749
2021-07-15 17:14:26 +02:00
Bjørn Erik Pedersen
5cb52c2315 Add config.cascade
This commit adds support for using the `cascade` keyword in your configuration file(s), e.g. `config.toml`.

Note that

* Every feature of `cascade` is available, e.g. `_target` to target specific page sets.
* Pages, e.g. the home page, can overwrite the cascade defined in config.

Fixes #8741
2021-07-10 11:13:41 +02:00
Bjørn Erik Pedersen
30eea3915b resources: Regenerate image golden testdata
Keep this as a separate commit as this isn't because the files have changed. The filenames have changed due to cache busting of PNG and Webp images.

See #8729
2021-07-07 17:25:14 +02:00
Bjørn Erik Pedersen
8f40f34cd1 Fix transparency problem when converting 32-bit images to WebP
Fixes #8729
2021-07-07 17:25:14 +02:00
Brandon Woodford
07919d1ccb exif: Log warning for metadata decode error
see #8519
2021-07-05 10:31:35 +02:00
Bjørn Erik Pedersen
93aad3c543
Split out the puthe path/filepath functions into common/paths
So they can be used from the config package without cyclic troubles.

Updates #8654
2021-06-18 10:55:00 +02:00
Bjørn Erik Pedersen
5af045ebab resources/image: Fix fill with smartcrop sometimes returning 0 bytes images
Fixes #7955
2021-06-17 23:52:27 +02:00
Bjørn Erik Pedersen
d392893cd7
Misc config loading fixes
The main motivation behind this is simplicity and correctnes, but the new small config library is also faster:

```
BenchmarkDefaultConfigProvider/Viper-16         	  252418	      4546 ns/op	    2720 B/op	      30 allocs/op
BenchmarkDefaultConfigProvider/Custom-16        	  450756	      2651 ns/op	    1008 B/op	       6 allocs/op
```

Fixes #8633
Fixes #8618
Fixes #8630
Updates #8591
Closes #6680
Closes #5192
2021-06-14 17:00:32 +02:00
Bjørn Erik Pedersen
9b5debe4b8 Upgrade Instagram shortcode
Fixes #7879
2021-06-08 10:30:45 +02:00
Bjørn Erik Pedersen
f55d2f4376
tpl/fmt: Add erroridf template func
Fixes #8613
2021-06-07 19:11:03 +02:00
Bjørn Erik Pedersen
c13d368746
resources/page: Fix permalinks pattern detection for some of the sections variants
See #8363
2021-04-25 16:57:09 +02:00
Bjørn Erik Pedersen
33d5f80592
Add webp image encoding support
Fixes #5924
2021-04-15 17:22:55 +02:00
Bjørn Erik Pedersen
2dc222cec4
Add slice syntax to sections permalinks config
Fixes #8363
2021-03-30 07:55:24 +02:00
Bjørn Erik Pedersen
ba1d0051b4 media: Make Type comparable
So we can use it and output.Format as map key etc.

This commit also fixes the media.Type implementation so it does not need to mutate itself to handle different suffixes for the same MIME type, e.g. jpg vs. jpeg.

This means that there are no Suffix or FullSuffix on media.Type anymore.

Fixes #8317
Fixes #8324
2021-03-14 15:21:54 +01:00
Bjørn Erik Pedersen
1b1dcf586e deps: Update to esbuild v0.9.0 2021-03-14 11:51:25 +01:00
Cameron Moore
f6612d8bd8 exif: Fix handling of utf8 runes in nullString() 2021-03-13 21:20:10 +01:00
Cameron Moore
0a2ab3f8fe exif: Allow more spacing characters in strings
The root cause of issue #8079 was a non-breaking space (U+0160).
`unicode.IsPrint` only allows the ASCII space (U+0020).  Be more lenient
by using `unicode.IsGraphic` instead.

Fixes #8079
2021-03-13 21:20:10 +01:00
Bjørn Erik Pedersen
b60e9279ab js: Fix potential path issue on Windows 2021-02-16 16:10:46 +01:00