diff options
| author | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2021-12-16 15:12:13 +0100 |
|---|---|---|
| committer | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2021-12-17 09:50:28 +0100 |
| commit | 44954497bcb2d6d589b9340a43323663061c7b42 (patch) | |
| tree | 0d0d06b11e462ccff1a908c2b1c4dfd039b82787 /tpl/resources/resources.go | |
| parent | 22ef5da20d1685dfe6aff3bd9364c9b1f1d0d8f8 (diff) | |
Always use content to resolve content type in resources.GetRemote
This is a security hardening measure; don't trust the URL extension or any `Content-Type`/`Content-Disposition` header on its own, always look at the file content using Go's `http.DetectContentType`.
This commit also adds ttf and otf media type definitions to Hugo.
Fixes #9302
Fixes #9301
Diffstat (limited to 'tpl/resources/resources.go')
| -rw-r--r-- | tpl/resources/resources.go | 23 |
1 files changed, 7 insertions, 16 deletions
diff --git a/tpl/resources/resources.go b/tpl/resources/resources.go index 4433e56e5..8cd670603 100644 --- a/tpl/resources/resources.go +++ b/tpl/resources/resources.go @@ -110,30 +110,21 @@ func (ns *Namespace) getscssClientDartSass() (*dartsass.Client, error) { // Get locates the filename given in Hugo's assets filesystem and // creates a Resource object that can be used for // further transformations. -func (ns *Namespace) Get(filename interface{}) resource.Resource { - get := func(args ...interface{}) (resource.Resource, error) { - filenamestr, err := cast.ToStringE(filename) - if err != nil { - return nil, err - } - return ns.createClient.Get(filepath.Clean(filenamestr)) - } - - r, err := get(filename) +func (ns *Namespace) Get(filename interface{}) (resource.Resource, error) { + filenamestr, err := cast.ToStringE(filename) if err != nil { - // This allows the client to reason about the .Err in the template. - // This is not as relevant for local resources as remotes, but - // it makes this method work the same way as resources.GetRemote. - return resources.NewErrorResource(errors.Wrap(err, "error calling resources.Get")) + return nil, err } - return r - + return ns.createClient.Get(filepath.Clean(filenamestr)) } // GetRemote gets the URL (via HTTP(s)) in the first argument in args and creates Resource object that can be used for // further transformations. // // A second argument may be provided with an option map. +// +// Note: This method does not return any error as a second argument, +// for any error situations the error can be checked in .Err. func (ns *Namespace) GetRemote(args ...interface{}) resource.Resource { get := func(args ...interface{}) (resource.Resource, error) { if len(args) < 1 { |