Commit graph

22 commits

Author SHA1 Message Date
Bjørn Erik Pedersen
098254f175
Merge commit 'a8e9fc699a6ff7d578f97a7c553ce844efad8fdb' 2022-01-12 08:16:35 +01:00
Bjørn Erik Pedersen
f4389e48ce
Add some basic security policies with sensible defaults
This ommmit contains some security hardening measures for the Hugo build runtime.

There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers".

For `asciidoctor` and some others we use Go's `os/exec` package to start a new process.

These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off.

You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do.

The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all.

```toml
[security]
  enableInlineShortcodes = false
  [security.exec]
    allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']
    osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$']

  [security.funcs]
    getenv = ['^HUGO_']

  [security.http]
    methods = ['(?i)GET|POST']
    urls = ['.*']
```
2021-12-16 09:40:22 +01:00
Bjørn Erik Pedersen
d7b22aee46
Merge commit 'c239c643fee10bfa217cb108755b798f8f5f3b10' 2021-05-01 11:45:45 +02:00
Daniel Atwood
ba16a14c6e
Add support for Google Analytics v4 2021-03-03 13:30:06 +01:00
Josh Gerdes
edc5c4741c tpl: Add Do Not Track (dnt) option to Vimeo shortcode
Added a Vimeo EnableDNT privacy option to the Hugo config. This will enable the Vimeo 'Do Not Track' flag when either Vimeo shortcode tempalte options are used. When enabled, it will force the Vimeo player to be blocked from tracking any session data, including all cookies and stats.

Fixes #7700
2020-10-02 23:02:38 +02:00
Bjørn Erik Pedersen
b9e4f5898b
Merge commit '7d7771b673e5949f554515a2c236b23192c765c8' 2020-09-07 21:37:51 +02:00
Bjørn Erik Pedersen
0a9172672a
Merge commit 'efa74c5c6e6ff1daddeb5834ea7c69bed2acf171' 2020-06-16 14:19:31 +02:00
Onur Yaman
cd4d820201 docs: Fix typo in Hugo's Security Model 2020-04-18 14:16:42 +02:00
Bjørn Erik Pedersen
740b72558b
Merge commit '8a4005cf2b0ef34265ff8051a6b76226685fc226' 2019-12-22 22:51:45 +01:00
Bjørn Erik Pedersen
bfb9613a14
Add Goldmark as the new default markdown handler
This commit adds the fast and CommonMark compliant Goldmark as the new default markdown handler in Hugo.

If you want to continue using BlackFriday as the default for md/markdown extensions, you can use this configuration:

```toml
[markup]
defaultMarkdownHandler="blackfriday"
```

Fixes #5963
Fixes #1778
Fixes #6355
2019-11-23 14:12:24 +01:00
Bjørn Erik Pedersen
27aef3f1fb Merge commit 'b9bd35d72e14932fb6588ff62b90cddef0a060fc' as 'docs' 2019-10-21 10:22:28 +02:00
Bjørn Erik Pedersen
39121de4d9
docs: Replace /docs 2019-10-21 10:21:51 +02:00
Bjørn Erik Pedersen
4b2738d871
Merge commit '74309fe5699a595080fdb3a14711e0869babce99' 2018-10-29 09:23:25 +01:00
Bjørn Erik Pedersen
b7ca3e1b3a
Merge commit '13e64d72763bf8d6d92d4cdfc15ed45ee9debfab' 2018-09-14 08:35:23 +02:00
Bjørn Erik Pedersen
1639fd20d8
Merge commit '3a44bf182fed5f34621f450114083a6dd7e88a07' 2018-08-08 13:54:42 +02:00
Bjørn Erik Pedersen
e6dd54943f
Merge commit '766085c2dc6fc95ac30fda2a9ebde2355fc12554' 2018-08-01 10:01:49 +02:00
Bjørn Erik Pedersen
59ebc83d72
Merge commit 'b6b37a1f00f808f3c0d2715f65ca2d3091f36495' 2018-07-18 11:05:58 +02:00
Bjørn Erik Pedersen
0efd374805
Merge commit '98293eaa1570b5aff4452021c8b6d6c8560b3f06' 2018-07-06 17:53:17 +02:00
Bjørn Erik Pedersen
e02629f81a
Merge commit 'b239595af5a9fc1fc9a1ccc666c3ab06ccc32f04' 2018-06-11 22:32:19 +02:00
Alexandros
65deb72dc4 tplimpl: Remove speakerdeck shortcode
Fixes #4830
2018-06-09 11:13:36 +02:00
Bjørn Erik Pedersen
c71f201fd9
docs: Document the GDPR Privacy Config
See #4751
2018-05-25 17:25:33 +02:00
Bjørn Erik Pedersen
914cc85e22
Merge commit '83bef6955e014d40c0f00db9cebe09113154e999' 2018-05-04 09:44:59 +02:00