mirror of
https://github.com/gohugoio/hugo.git
synced 2024-11-14 20:37:55 -05:00
e48ffb7635
ef9c4913c Clean up and removal of outdated examples 46122c9aa add godot tutorials to showcase 06d1d1ea2 Update scss-sass.md 1fc63c100 Spelling fix in 0.79.1 release notes ad2f50e3d Update plainwords description (#1296) 33021d451 Update substr examples (#1304) 6b1cc59bb Release 0.80.0 521db8c6d Merge branch 'tempv0.80.0' 58626c2b3 releaser: Add release notes to /docs for release of 0.80.0 f81d118af dartsass: Dart Sass only supports `expanded` and `compressed` 7da6f54be Add Dart Sass support b1f2661bb Replace jsconfig.js with jsconfig.json 38de0c1a4 Update index.md 223ceae80 Update index.md f7ac0e59d Release v0.79.1 2d4583d43 Merge branch 'temp791-2' 1d34e609b releaser: Add release notes to /docs for release of 0.79.1 e26769988 Merge branch 'temp791' 75694d904 Fix Resource.ResourceType so it always returns MIME's main type 0f65d7783 Typo s/adds/add (#1298) 0b896b2c0 images: Add images.Overlay filter 0d4257dcd Clarify documentation on shimming fcf601ddf Update index.html 6bf9bc1c1 Update index.html 1ce76bf3a Update index.html e7d976eec Update index.html db2996e64 Update index.html 245e5bfc9 news: Add post about Apple M1 3ad4115ed tpl: Add title parameter to YouTube shortcode 76ed976f8 Added two useful extensions to the list (#1243) e5a30dd11 Update related.md 25cf8f48b Improve substr examples e16e57e9a Update path.Split.md 2749b88fd Update path.Split.md d76cad3ff Release 0.79.0 f5ccfbe98 releaser: Add release notes to /docs for release of 0.79.0 ebf1b87b0 Merge commit '9f1265fde4b9ef186148337c99f08601633b6056' 1f1e8f39c Allow setting the delimiter used for setting config via OS env, e.g. HUGO_ e9b1414dd deps: Update to github.com/evanw/esbuild 0.8.11 to 0.8.14 0f76cf66c docs: Regen docshelper 1ada5d47e Add menu params 1c120aef0 Revert "docs: Regenerate docshelper" 7b60b5624 docs: Regenerate docshelper git-subtree-dir: docs git-subtree-split: ef9c4913cdcf95d62ec12d872f412f97e55a55ad
22 lines
1.1 KiB
Markdown
---
date: 2020-12-19
title: "Hugo 0.79.1: One Security Patch for Hugo on Windows"
description: "Disallow running of e.g. Pandoc in the current directory."
categories: ["Releases"]
images:
- images/blog/hugo-bug-poster.png

---

Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. However, if a malicious file with the same name (`exe` or `bat`) was found in the current working directory at the time of running `hugo`, the malicious command would be invoked instead of the system one.

Windows users who ran `hugo` inside untrusted Hugo sites were affected.

This issue originates in Go; see https://github.com/golang/go/issues/38736

We have fixed this in Hugo by [using](https://github.com/gohugoio/hugo/commit/4a8267d64a40564aced0695bca05249da17b0eab) a patched version of `exec.LookPath` from https://github.com/cli/safeexec (thanks to [@mislav](https://github.com/mislav) for the implementation).

Thanks to [@Ry0taK](https://github.com/Ry0taK) for the bug report.
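
The lookup rule behind the fix described above, as an added Go example (not code from Hugo or cli/safeexec): a command is resolved only from absolute `PATH` directories and never from the current working directory. `SafeLookPath`, `ErrNotFound` and the temporary directory layout are names and data made up for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotFound (hypothetical name) is returned when no PATH directory has the command.
var ErrNotFound = errors.New("executable not found in PATH")

// SafeLookPath (hypothetical name) resolves name against the directories in
// pathEnv only, trying each extension in exts the way PATHEXT is used on
// Windows. It never consults the current working directory: empty, "." and
// other relative PATH entries are skipped.
func SafeLookPath(name, pathEnv string, exts []string) (string, error) {
	if strings.ContainsAny(name, `/\:`) {
		return "", fmt.Errorf("%q: only bare command names are resolved", name)
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		if !filepath.IsAbs(dir) {
			continue // "", "." or a relative entry would resolve against the CWD
		}
		for _, ext := range exts {
			candidate := filepath.Join(dir, name+ext)
			if fi, err := os.Stat(candidate); err == nil && fi.Mode().IsRegular() {
				return candidate, nil
			}
		}
	}
	return "", ErrNotFound
}

func main() {
	// Constructed layout: an untrusted site directory containing pandoc.bat,
	// and a separate tool directory containing pandoc.exe.
	site, _ := os.MkdirTemp("", "site")
	tools, _ := os.MkdirTemp("", "tools")
	defer os.RemoveAll(site)
	defer os.RemoveAll(tools)
	os.WriteFile(filepath.Join(site, "pandoc.bat"), []byte("rem untrusted"), 0o644)
	os.WriteFile(filepath.Join(tools, "pandoc.exe"), []byte("trusted"), 0o644)
	os.Chdir(site)

	got, err := SafeLookPath("pandoc", "."+string(os.PathListSeparator)+tools, []string{".exe", ".bat"})
	fmt.Println(got, err) // resolves inside tools, never inside site
}
```

The file-existence check stands in for Windows' extension-based notion of "executable", so the example runs on any platform.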