+++ /dev/null
----
-linktitle: ""
-description: ""
-publishdate: ""
-lastmod: ""
-categories: []
-tags: []
-weight: 00
-slug: ""
-aliases: []
-toc: false
----
--- /dev/null
+---
+title: "{{ replace .Name "-" " " | title }}"
+description: ""
+date: {{ .Date }}
+---
+
paginate = 100
defaultContentLanguage = "en"
enableEmoji = true
+timeZone = "Europe/Oslo"
# Set the unicode character used for the "return" link in page footnotes.
footnotereturnlinkcontents = "↩"
languageCode = "en-us"
--- /dev/null
+
+ enableInlineShortcodes = false
+
+ [exec]
+ allow = ['^go$']
+ osEnv = ['^PATH$']
+
+ [funcs]
+ getenv = ['^HUGO_', '^REPOSITORY_URL$', '^BRANCH$']
+
+ [http]
+ methods = ['(?i)GET|POST']
+ urls = ['.*']
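Review bot: In the `[http]` table, `methods = ['(?i)GET|POST']` is the only pattern in this file without `^...$` anchors, unlike `'^go$'` and `'^PATH$'` above it. If these entries are matched as unanchored regular expressions, any method string that merely contains GET or POST is accepted; `'(?i)^(GET|POST)$'` states the intent exactly. `urls = ['.*']` also leaves remote fetching open to every host, so if the site only fetches from a few known origins, listing them here would make the policy document what the build actually talks to. The `getenv` list adds `'^REPOSITORY_URL$'` and `'^BRANCH$'`; a short comment saying which template reads them would help the next person who audits this file.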
But when developing and building your site, the runtime is the `hugo` executable. Securing a runtime can be [a real challenge](https://blog.logrocket.com/how-to-protect-your-node-js-applications-from-malicious-dependencies-5f2e60ea08f9/).
-**Hugo's main approach is that of sandboxing:**
+**Hugo's main approach is that of sandboxing and a security policy with strict defaults:**
* Hugo has a virtual file system and only the main project (not third-party components) is allowed to mount directories or files outside the project root.
* Only the main project can walk symbolic links.
* User-defined components have only read-access to the filesystem.
-* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined. General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.
+* We shell out to some external binaries to support [Asciidoctor](/content-management/formats/#list-of-content-formats) and similar, but those binaries and their flags are predefined and disabled by default (see [Security Policy](#security-policy)). General functions to run arbitrary external OS commands have been [discussed](https://github.com/gohugoio/hugo/issues/796), but not implemented because of security concerns.
-Hugo will soon introduce a concept of _Content Source Plugins_ (AKA _Pages from Data_), but the above will still hold true.
+
+## Security Policy
+
+{{< new-in "0.91.0" >}}
+
+Hugo has a built-in security policy that restricts access to [os/exec](https://pkg.go.dev/os/exec), remote communication and similar.
+
+The default configuration is listed below. And build using features not whitelisted in the security policy will faill with a detailed message about what needs to be done. Most of these settings are whitelists (string or slice, [Regular Expressions](https://pkg.go.dev/regexp) or `none` which matches nothing).
+
+{{< code-toggle config="security" />}}
+
+Note that these and other config settings in Hugo can be overridden by the OS environment. If you want to block all remote HTTP fetching of data:
+
+```
+HUGO_SECURITY_HTTP_URLS=none hugo
+```
## Dependency Security
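Review bot: The added paragraph under "Security Policy" has two typos that change how it reads: "And build using features not whitelisted" should be "Any build using features not whitelisted", and "faill" should be "fail". The environment override paragraph only shows the tightening case (`HUGO_SECURITY_HTTP_URLS=none hugo`); since the text says the settings "can be overridden by the OS environment", it is worth stating that the same mechanism can widen the policy, so readers treat the build environment with the same care as the config file. The bullet that now says external binaries are "disabled by default" could also name the setting that enables them, so it does not rely on the reader following the anchor link.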
# disk space reasons more than anything.
# If you want it all, put ".*" in this config setting.
# Note that if neither this or ExcludeFields is set, Hugo will return a small
-# default set.
+# default set: GPS|Exif|Exposure[M|P|B]|Contrast|Resolution|Sharp|JPEG|Metering|Sensing|Saturation|ColorSpace|Flash|WhiteBalance
includeFields = ""
# Regexp matching the Exif fields you want to exclude. This may be easier to use
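Review bot: In the documented default set, `Exposure[M|P|B]` uses `|` inside a character class, where it is a literal character rather than alternation, so the class matches `M`, `P`, `B` or `|`. If the intent is ExposureMode, ExposureProgram and ExposureBias, write `Exposure[MPB]`. Since this comment now spells out that `GPS` is part of the default, a sentence pointing readers at `excludeFields` for sites that publish Exif data from user photos would be a useful addition next to it.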
GaussianBlur creates a filter that applies a gaussian blur to an image.
-### Grayscale
+## Grayscale
{{% funcsig %}}
images.Grayscale
### sectionPagesMenu
See ["Section Menu for Lazy Bloggers"](/templates/menu-templates/#section-menu-for-lazy-bloggers).
+### security
+
+See [Security Policy](/about/security-model/#security-policy)
+
### sitemap
Default [sitemap configuration](/templates/sitemap-template/#configure-sitemapxml).
aliases: [/assets/]
---
-## Get Resource with resources.Get
+## Get Resource with resources.Get and resources.GetRemote
-In order to process an asset with Hugo Pipes, it must be retrieved as a `Resource` using `resources.Get`. The first argument can be either a local the path to file relative to the `asset` directory/directories or a remote URL.
+In order to process an asset with Hugo Pipes, it must be retrieved as a `Resource` using `resources.Get` or `resources.GetRemote`.
+
+With `resources.Get`, the first argument is a local path relative to the `assets` directory/directories:
```go-html-template
{{ $local := resources.Get "sass/main.scss" }}
-{{ $remote := resources.Get "https://www.example.com/styles.scss" }}
```
-`resources.Get` will always return `nil` if the resource could not be found.
+With `resources.GetRemote`, the first argument is a remote URL:
+
+```go-html-template
+{{ $remote := resources.GetRemote "https://www.example.com/styles.scss" }}
+```
+
+`resources.Get` and `resources.GetRemote` return `nil` if the resource is not found.
### Error Handling
-{{< new-in "0.90.1" >}}
+{{< new-in "0.91.0" >}}
-The return value from `resources.Get` includes an `.Err` method that will return an error if the call failed. If you want to just log any error as a `WARNING` you can use a construct similar to the one below.
+The return value from `resources.GetRemote` includes an `.Err` method that will return an error if the call failed. If you want to just log any error as a `WARNING` you can use a construct similar to the one below.
```go-html-template
-{{ with resources.Get "https://gohugo.io/images/gohugoio-card-1.png" }}
+{{ with resources.GetRemote "https://gohugo.io/images/gohugoio-card-1.png" }}
{{ with .Err }}
{{ warnf "%s" . }}
{{ else }}
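Review bot: The new sentence "`resources.Get` and `resources.GetRemote` return `nil` if the resource is not found" sits awkwardly next to the Error Handling text, which says the return value from `resources.GetRemote` "includes an `.Err` method that will return an error if the call failed". Please spell out which failures give `nil` and which give a resource carrying `.Err`, because a template that only checks `with` will behave differently in the two cases. The remote URL example was also dropped from `resources.Get` without a note that existing templates calling `resources.Get` with a URL need to move to `resources.GetRemote`; one sentence saying so would save readers a confusing build.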
### Remote Options
-When fetching a remote `Resource`, `resources.Get` takes an optional options map as the last argument, e.g.:
+When fetching a remote `Resource`, `resources.GetRemote` takes an optional options map as the last argument, e.g.:
```go-html-template
-{{ $resource := resources.Get "https://example.org/api" (dict "headers" (dict "Authorization" "Bearer abcd")) }}
+{{ $resource := resources.GetRemote "https://example.org/api" (dict "headers" (dict "Authorization" "Bearer abcd")) }}
```
If you need multiple values for the same header key, use a slice:
```go-html-template
-{{ $resource := resources.Get "https://example.org/api" (dict "headers" (dict "X-List" (slice "a" "b" "c"))) }}
+{{ $resource := resources.GetRemote "https://example.org/api" (dict "headers" (dict "X-List" (slice "a" "b" "c"))) }}
```
You can also change the request method and set the request body:
```go-html-template
-{{ $postResponse := resources.Get "https://example.org/api" (dict
+{{ $postResponse := resources.GetRemote "https://example.org/api" (dict
"method" "post"
"body" `{"complete": true}`
"headers" (dict
### Caching of Remote Resources
-Remote resources fetched with `resources.Get` will be cached on disk. See [Configure File Caches](/getting-started/configuration/#configure-file-caches) for details.
+Remote resources fetched with `resources.GetRemote` will be cached on disk. See [Configure File Caches](/getting-started/configuration/#configure-file-caches) for details.
## Asset directory
Asset files must be stored in the asset directory. This is `/assets` by default, but can be configured via the configuration file's `assetDir` key.
-
### Asset Publishing
-Assets will only be published (to `/public`) if `.Permalink` or `.RelPermalink` is used. You can use `.Content` to inline the asset.
+Hugo publishes assets to the to the `publishDir` (typically `public`) when you invoke `.Permalink`, `.RelPermalink`, or `.Publish`. You can use `.Content` to inline the asset.
## Go Pipes
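Review bot: The rewritten Asset Publishing sentence has a doubled phrase, "publishes assets to the to the `publishDir`"; drop one "to the". The same hunk removes the blank line before `### Asset Publishing`, which leaves the heading directly under the preceding paragraph; keeping the blank line is safer for Markdown renderers that require one before a heading.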
--- /dev/null
+---
+title: "Release Notes now on GitHub Only"
+date: 2021-12-17T12:22:47+01:00
+slug: "no-more-releasenotes-here"
+description: "Hugo Release Notes now gets released on GitHub Only"
+
+---
+
+For details about release notes, you need to go here: https://github.com/gohugoio/hugo/releases -- see this for an Atom feed: https://github.com/gohugoio/hugo/releases.atom
+
--- /dev/null
+---
+title: "Fixes the “Stuck on Build” Bug"
+description: "Hugo 0.91.2 is the last release before Christmas!"
+date: 2021-12-23T17:47:41+01:00
+---
+
+Read the full change log on [GitHub](https://github.com/gohugoio/hugo/releases/tag/v0.91.2).
+
+**Merry Christmas to all of you!**
{{< code-toggle file="jacopastorius" >}}
discography = [
-"1974 – Modern American Music … Period! The Criteria Sessions",
-"1974 – Jaco",
+"1974 - Modern American Music … Period! The Criteria Sessions",
+"1974 - Jaco",
"1976 - Jaco Pastorius",
"1981 - Word of Mouth",
"1981 - The Birthday Concert (released in 1995)",
: the filename without extension (e.g., `foo.en`)
.File.Ext
-: the file extension of the content file (e.g., `md`); this can also be called using `.File.Extension` as well. Note that it is *only* the extension without `.`.
+: the file extension of the content file (e.g., `md`).
.File.Lang
: the language associated with the given file if Hugo's [Multilingual features][multilingual] are enabled (e.g., `en`)
: the abbreviated commit hash (e.g., `866cbcc`)
.AuthorName
-: the author's name, respecting `.mailmap`
+: the author's name, respecting [`.mailmap`](https://git-scm.com/docs/gitmailmap)
.AuthorEmail
-: the author's email address, respecting `.mailmap`
+: the author's email address, respecting [`.mailmap`](https://git-scm.com/docs/gitmailmap)
.AuthorDate
: the author date
.Aliases
: aliases of this page
+.BundleType
+: the [bundle] type: `leaf`, `branch`, or an empty string if the page is not a bundle.
+
.Content
: the content itself, defined below the front matter.
[gitinfo]: /variables/git/
[File Variables]: /variables/files/
+[bundle]: {{< relref "content-management/page-bundles" >}}
"permalinks": {
"_merge": "none"
},
+ "privacy": {
+ "_merge": "none"
+ },
"related": {
"_merge": "none"
},
+ "security": {
+ "_merge": "none"
+ },
"sitemap": {
"_merge": "none"
},
"keepWhitespace": false
}
}
+ },
+ "security": {
+ "enableInlineShortcodes": false,
+ "exec": {
+ "allow": [
+ "^dart-sass-embedded$",
+ "^go$",
+ "^npx$",
+ "^postcss$"
+ ],
+ "osEnv": [
+ "(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"
+ ]
+ },
+ "funcs": {
+ "getenv": [
+ "^HUGO_"
+ ]
+ },
+ "http": {
+ "methods": [
+ "(?i)GET|POST"
+ ],
+ "urls": [
+ ".*"
+ ]
+ }
}
},
"media": {
"yml"
]
},
+ {
+ "mainType": "font",
+ "subType": "otf",
+ "delimiter": ".",
+ "firstSuffix": {
+ "suffix": "otf",
+ "fullSuffix": ".otf"
+ },
+ "type": "font/otf",
+ "string": "font/otf",
+ "suffixes": [
+ "otf"
+ ]
+ },
+ {
+ "mainType": "font",
+ "subType": "ttf",
+ "delimiter": ".",
+ "firstSuffix": {
+ "suffix": "ttf",
+ "fullSuffix": ".ttf"
+ },
+ "type": "font/ttf",
+ "string": "font/ttf",
+ "suffixes": [
+ "ttf"
+ ]
+ },
{
"mainType": "image",
"subType": "jpeg",
"string": "image/jpeg",
"suffixes": [
"jpg",
- "jpeg"
+ "jpeg",
+ "jpe",
+ "jif",
+ "jfif"
]
},
{
"Examples": null
},
"Get": {
- "Description": "Get locates the filename given in Hugo's assets filesystem or downloads\na file from an URL and creates a Resource object that can be used for\nfurther transformations.\n\nFor URLs an additional argument with options can be provided.",
+ "Description": "Get locates the filename given in Hugo's assets filesystem and\ncreates a Resource object that can be used for\nfurther transformations.",
"Args": [
- "args"
+ "filename"
],
"Aliases": null,
"Examples": []
"Aliases": null,
"Examples": null
},
+ "GetRemote": {
+ "Description": "GetRemote gets the URL (via HTTP(s)) in the first argument in args and creates Resource object that can be used for\nfurther transformations.\n\nA second argument may be provided with an option map.\n\nNote: This method does not return any error as a second argument,\nfor any error situations the error can be checked in .Err.",
+ "Args": [
+ "args"
+ ],
+ "Aliases": null,
+ "Examples": []
+ },
"Match": {
"Description": "",
"Args": null,
<a href="{{ .Permalink }}">{{ .Title }}</a>
</td>
<td class="pv2 ph3">
- <a href="{{.Site.Params.ghrepo}}blob/master/content/{{.Lang }}/{{.Path}}">
+ <a href="{{.Site.Params.ghrepo}}blob/master/content/{{.Lang }}/{{.File.Path}}">
{{ with .GitInfo }}{{ .Subject }}{{ else }}Source{{ end }}
</a>
</td>
command = "hugo --gc --minify"
[context.production.environment]
-HUGO_VERSION = "0.90.1"
+HUGO_VERSION = "0.91.2"
HUGO_ENV = "production"
HUGO_ENABLEGITINFO = "true"
command = "hugo --gc --minify --enableGitInfo"
[context.split1.environment]
-HUGO_VERSION = "0.90.1"
+HUGO_VERSION = "0.91.2"
HUGO_ENV = "production"
[context.deploy-preview]
command = "hugo --gc --minify --buildFuture -b $DEPLOY_PRIME_URL"
[context.deploy-preview.environment]
-HUGO_VERSION = "0.90.1"
+HUGO_VERSION = "0.91.2"
[context.branch-deploy]
command = "hugo --gc --minify -b $DEPLOY_PRIME_URL"
[context.branch-deploy.environment]
-HUGO_VERSION = "0.90.1"
+HUGO_VERSION = "0.91.2"
[context.next.environment]
HUGO_ENABLEGITINFO = "true"