Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate aliases to prevent directory traversal etc. #1427

Closed
wants to merge 1 commit into from
Closed

Validate aliases to prevent directory traversal etc. #1427

wants to merge 1 commit into from

Conversation

anthonyfok
Copy link
Member

Add validation before creating aliases:

  • Prevent creating aliases outside webroot (public/ dir)
  • Skip empty "" alias
  • Skip "/" → "/index.html", which gets overwritten anyway
  • Refuse to create Windows-invalid filenames on Windows;
    warn on other platforms
  • In case of invalid aliases, after skipping them,
    return err = nil to prevent the error passing up
    all the way to hugolib.Render() and causing Hugo to abort.
  • Update alias tests.

Fixes #701: Add support for alias with whitespace
Fixes #1418: Add validation for alias

@anthonyfok anthonyfok mentioned this pull request Sep 13, 2015
Closed
@anthonyfok anthonyfok force-pushed the alias-validation branch 5 times, most recently from 65050e5 to f476018 Compare September 13, 2015 12:27
@anthonyfok
Validate aliases to prevent directory traversal etc.
32bad86 
Add validation before creating aliases:

 * Prevent creating aliases outside webroot (public/ dir)
 * Skip empty "" alias
 * Skip "/" → "/index.html", which gets overwritten anyway
 * Refuse to create Windows-invalid filenames on Windows;
   warn on other platforms
 * In case of invalid aliases, after skipping them,
   return `err = nil` to prevent the error passing up
   all the way to `hugolib.Render()` and causing Hugo to abort.
 * Update alias tests.

Fixes #701: Add support for alias with whitespace
Fixes gohugoio#1418: Add validation for alias
@bep
Copy link
Member

bep commented Sep 13, 2015

Merged in e71bef7

@bep bep closed this Sep 13, 2015
@anthonyfok anthonyfok mentioned this pull request Feb 22, 2022
Merged
@github-actions
Copy link

github-actions bot commented Mar 1, 2022

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 1, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add validation for alias Add support for alias with whitespace
2 participants
@anthonyfok @bep