Diffstat (limited to 'docs/content/en/news/0.79.1-relnotes/index.md')
-rw-r--r-- docs/content/en/news/0.79.1-relnotes/index.md | 13
1 files changed, 8 insertions, 5 deletions
diff --git a/docs/content/en/news/0.79.1-relnotes/index.md b/docs/content/en/news/0.79.1-relnotes/index.md
index 76b431223..2a3f32765 100644
--- a/docs/content/en/news/0.79.1-relnotes/index.md
+++ b/docs/content/en/news/0.79.1-relnotes/index.md
@@ -1,19 +1,22 @@
---
date: 2020-12-19
-title: "Hugo 0.79.1: A couple of Bug Fixes"
-description: "This version fixes a couple of bugs introduced in 0.79.0."
+title: "Hugo 0.79.1: One Security Patch for Hugo on Windows"
+description: "Disallow running of e.g. Pandoc in the current directory."
categories: ["Releases"]
images:
- images/blog/hugo-bug-poster.png
---
-
+Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. However, if a malicious file with the same name (`exe` or `bat`) was found in the current working directory at the time of running `hugo`, the malicious command would be invoked instead of the system one.
-This is a bug-fix release with one important fix.
+Windows users who ran `hugo` inside untrusted Hugo sites were affected.
-* Improve LookPath [4a8267d6](https://github.com/gohugoio/hugo/commit/4a8267d64a40564aced0695bca05249da17b0eab) [@bep](https://github.com/bep)
+The origin of this issue comes from Go, see https://github.com/golang/go/issues/38736
+We have fixed this in Hugo by [using](https://github.com/gohugoio/hugo/commit/4a8267d64a40564aced0695bca05249da17b0eab) a patched version of `exec.LookPath` from https://github.com/cli/safeexec (thanks to [@mislav](https://github.com/mislav) for the implementation).
+
+Thanks to [@Ry0taK](https://github.com/Ry0taK) for the bug report.
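
Review bot: the added line "Windows users who ran `hugo` inside untrusted Hugo sites were affected." does not say which Hugo releases are affected or that upgrading to 0.79.1 is the remedy; a security release note should state both explicitly, along with an advisory identifier if one exists. Two smaller points in the same hunk: the line beginning "The origin of this issue comes from Go, see" ends in a bare URL with no closing period and no blank line before "We have fixed this in Hugo by", so Markdown will render the two as one paragraph with the URL running into the next sentence; and "(`exe` or `bat`)" reads as the file name rather than its extension, so wording such as "with an `.exe` or `.bat` extension" would be clearer.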