Allow whitelisting mediaTypes used in resources.GetRemote #10286
Comments
I encounter the same problem, on hugo 0.108.0, with Adding it to config.yaml does not help (same error message)
    mediaTypes:
      image/avif:
        suffixes:
          - avif
|
The MIME type detection in GetRemote is a little bit restrictive; we don't just look at the suffix. This comes from security concerns, but that means that in its current form there will always be reports like the above. So I suggest that we allow setting the MediaType directly:
|
@bep Would you consider this?
This would represent additional media types, so the naming may not be great. |
@jmooring yea, that would probably be a better idea. I don't have a better name on the tip of my tongue. |
@jmooring OK, thanks for bringing this to my attention. Looking back at now, I don't see why we couldn't simply do:
I don't see any obvious security implications in the above??? |
If we do this...
...we would have to know the expected media type in the response header before making the request. That wouldn't work with this (contrived) example: content/about.md
So I'm back to...
or similar. |
OK, now I think I get it; so in the examples above:
Is that correct? So an additional security config would whitelist some types saying we trust the response header value? |
Yes.
Yes. But I think we need to remember that, based on past behavior, someone will inevitably do this:
But if you aim for your own foot, I think you deserve the consequences. |
I said this before, but: The security config is there mainly to avoid ... spring-guns. |
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
What version of Hugo are you using (hugo version)?
Does this issue reproduce with the latest release?
yes
Hi there
I got a build error - resources.GetRemote : failed to resolve media type for remote resource - while trying to get remote resources with content types of MS Office files:
application/msword
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/vnd.ms-excel
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.ms-powerpoint
application/vnd.openxmlformats-officedocument.presentationml.presentation
MediaTypes are also added to the config file, and with other additional MediaTypes like zip (application/zip) resources.GetRemote works OK. Trying to add Options with "Content-Type" to the GetRemote request has no effect.
P.S. I also found a mistake in the docs: the correct MIME type for PowerPoint is application/vnd.ms-powerpoint, not application/vnd.mspowerpoint
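An added illustration of the trade-off discussed in this thread, not Hugo's code and not taken from the issue: Go's `http.DetectContentType` cannot tell an OOXML file from a plain ZIP and does not recognise legacy Office files at all, so an allowlist decides when the `Content-Type` response header is believed. `resolveMediaType`, `trustedHeaderTypes` and the sample bodies are hypothetical and constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"net/http"
)

const docx = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"

// trustedHeaderTypes is a hypothetical allowlist (not a Hugo setting): media
// types for which the Content-Type response header may be believed.
var trustedHeaderTypes = map[string]bool{docx: true, "application/msword": true}

var errUnresolved = errors.New("failed to resolve media type for remote resource")

// resolveMediaType sniffs the body first. The header is consulted only when
// sniffing yields a generic container or unknown type AND the declared type
// is allowlisted, so a header can never override a confident sniff.
func resolveMediaType(body []byte, header string, allow map[string]bool) (string, error) {
	sniffed, _, _ := mime.ParseMediaType(http.DetectContentType(body))
	declared, _, err := mime.ParseMediaType(header)
	if err != nil {
		declared = "" // missing or malformed header: nothing to trust
	}
	generic := sniffed == "application/zip" || sniffed == "application/octet-stream"
	if generic && allow[declared] {
		return declared, nil
	}
	if sniffed != "application/octet-stream" {
		return sniffed, nil
	}
	return "", errUnresolved
}

func main() {
	// Constructed sample bodies: ZIP magic (OOXML files are ZIP containers),
	// OLE2 magic (legacy .doc), and HTML served under a misleading header.
	zipBody := []byte("PK\x03\x04constructed-docx")
	oleBody := []byte("\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1constructed-doc")
	htmlBody := []byte("<html><body>constructed</body></html>")

	fmt.Println(resolveMediaType(zipBody, docx, trustedHeaderTypes))  // header trusted
	fmt.Println(resolveMediaType(zipBody, docx, nil))                 // falls back to application/zip
	fmt.Println(resolveMediaType(oleBody, "application/msword", nil)) // unresolved
	fmt.Println(resolveMediaType(htmlBody, docx, trustedHeaderTypes)) // sniff wins: text/html
}
```

With an empty allowlist the legacy `.doc` body reproduces the "failed to resolve media type" outcome, while the HTML body shows that an allowlisted header still cannot relabel content the sniffer identifies confidently.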