Add validation for alias #1418
Comments
But this
It needs some validation, but I'm not sure about the "High Priority".
What I worry is a scenario where a naïve user tries out a sample Hugo-based website that he/she downloads from somewhere, and then blindly tries to build it with Hugo... Worse, he/she runs Hugo as Granted, the chances of that happening are slim, and probably a malicious attacker could only create/overwrite certain So, I think it would qualify as a security issue, though probably not a "High Priority" one, so I have removed that label.
Add validation before creating aliases:

* Prevent creating aliases outside webroot (public/ dir)
* Skip empty "" alias
* Skip "/" → "/index.html", which gets overwritten anyway
* Refuse to create Windows-invalid filenames on Windows; warn on other platforms
* In case of invalid aliases, after skipping them, return `err = nil` to prevent the error passing up all the way to `hugolib.Render()` and causing Hugo to abort.
* Update alias tests.

Fixes #701: Add support for alias with whitespace
Fixes gohugoio#1418: Add validation for alias
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Following some tests related to the discussions at Issue #701, I came to realize that Hugo would happily create aliases (redirections) outside of the `public/` directory if a content page contains aliases that traverse up parent directories. For example:

After a Hugo run, `some-page-2/` would be created in the same parent directory as `public/`, whereas `some-page-3/index.html` would be created outside of the web site source directory altogether.

At least Hugo v0.13, v0.14, as well as the current HEAD are affected. (I did not test v0.12.)