config/security: Add O\w+ (e.g. GOROOT) to the default allowed list - hugo - [fork] hugo port for 9front
HTML git clone git@git.drkhsh.at/hugo.git
DIR Log
DIR Files
DIR Refs
DIR Submodules
DIR README
DIR LICENSE
---
DIR commit c6b3887696162335d806ff25e9b9db27d73611de
DIR parent 21af5b359f020ed19558141ffa309fd2ff381c6c
HTML Author: Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com>
Date: Tue, 17 Jan 2023 10:52:51 +0100
config/security: Add O\w+ (e.g. GOROOT) to the default allowed list
Fixes #10429
Diffstat:
M config/security/securityConfig.go | 2 +-
M config/security/securityConfig_tes… | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
---
DIR diff --git a/config/security/securityConfig.go b/config/security/securityConfig.go
@@ -42,7 +42,7 @@ var DefaultConfig = Config{
),
// These have been tested to work with Hugo's external programs
// on Windows, Linux and MacOS.
- OsEnv: NewWhitelist("(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM)$"),
+ OsEnv: NewWhitelist(`(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\w+)$`),
},
Funcs: Funcs{
Getenv: NewWhitelist("^HUGO_", "^CI$"),
DIR diff --git a/config/security/securityConfig_test.go b/config/security/securityConfig_test.go
@@ -140,7 +140,7 @@ func TestToTOML(t *testing.T) {
got := DefaultConfig.ToTOML()
c.Assert(got, qt.Equals,
- "[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']",
+ "[security]\n enableInlineShortcodes = false\n\n [security.exec]\n allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$']\n osEnv = ['(?i)^((HTTPS?|NO)_PROXY|PATH(EXT)?|APPDATA|TE?MP|TERM|GO\\w+)$']\n\n [security.funcs]\n getenv = ['^HUGO_', '^CI$']\n\n [security.http]\n methods = ['(?i)GET|POST']\n urls = ['.*']",
)
}
@@ -163,4 +163,8 @@ func TestDecodeConfigDefault(t *testing.T) {
c.Assert(pc.HTTP.Methods.Accept("GET"), qt.IsTrue)
c.Assert(pc.HTTP.Methods.Accept("get"), qt.IsTrue)
c.Assert(pc.HTTP.Methods.Accept("DELETE"), qt.IsFalse)
+
+ c.Assert(pc.Exec.OsEnv.Accept("PATH"), qt.IsTrue)
+ c.Assert(pc.Exec.OsEnv.Accept("GOROOT"), qt.IsTrue)
+ c.Assert(pc.Exec.OsEnv.Accept("MYSECRET"), qt.IsFalse)
}