Add validation for alias #1418
Comments
|
But this
It needs some validation, but I'm not sure about the "High Priority". |
|
What I worry is a scenario where a naïve user tries out a sample Hugo-based website that he/she downloads from somewhere, and then blindly tries to build it with Hugo... Worse, he/she runs Hugo as Granted, the chances of that happening are slim, and probably a malicious attacker could only create/overwrite certain So, I think it would qualify as a security issue, though probably not a "High Priority" one, so I have removed that label. |
bep
changed the title
anthonyfok
added a commit
to anthonyfok/hugo
that referenced
this issue
Sep 13, 2015
Add validation before creating aliases: * Prevent creating aliases outside webroot (public/ dir) * Skip empty "" alias * Skip "/" → "/index.html", which gets overwritten anyway * Refuse to create Windows-invalid filenames on Windows; warn on other platforms * In case of invalid aliases, after skipping them, return `err = nil` to prevent the error passing up all the way to `hugolib.Render()` and causing Hugo to abort. * Update alias tests. Fixes #701: Add support for alias with whitespace Fixes gohugoio#1418: Add validation for alias
bramp
pushed a commit
to bramp/hugo
that referenced
this issue
Dec 17, 2015
Add validation before creating aliases: * Prevent creating aliases outside webroot (public/ dir) * Skip empty "" alias * Skip "/" → "/index.html", which gets overwritten anyway * Refuse to create Windows-invalid filenames on Windows; warn on other platforms * In case of invalid aliases, after skipping them, return `err = nil` to prevent the error passing up all the way to `hugolib.Render()` and causing Hugo to abort. * Update alias tests. Fixes gohugoio#701: Add support for alias with whitespace Fixes gohugoio#1418: Add validation for alias
tychoish
pushed a commit
to tychoish/hugo
that referenced
this issue
Aug 13, 2017
Add validation before creating aliases: * Prevent creating aliases outside webroot (public/ dir) * Skip empty "" alias * Skip "/" → "/index.html", which gets overwritten anyway * Refuse to create Windows-invalid filenames on Windows; warn on other platforms * In case of invalid aliases, after skipping them, return `err = nil` to prevent the error passing up all the way to `hugolib.Render()` and causing Hugo to abort. * Update alias tests. Fixes gohugoio#701: Add support for alias with whitespace Fixes gohugoio#1418: Add validation for alias
|
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Following some tests related to the discussions at Issue #701, I came to realize that Hugo would happily create aliases (redirections) outside of the
public/directory if a content page contains aliases that traverse up parent directories. For example:After a Hugo run,
some-page-2/would be created in the same parent directory aspublic/, whereassome-page-3/index.htmlwould be created outside of the web site source directory altogether.At least Hugo v0.13, v0.14, as well as the current HEAD are affected. (I did not test v0.12.)
The text was updated successfully, but these errors were encountered: