summaryrefslogtreecommitdiffstats
path: root/config/defaultConfigProvider.go
AgeCommit message (Collapse)Author
2021-12-16Add some basic security policies with sensible defaultsBjørn Erik Pedersen
This ommmit contains some security hardening measures for the Hugo build runtime. There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the "external helpers". For `asciidoctor` and some others we use Go's `os/exec` package to start a new process. These are a predefined set of binary names, all loaded from `PATH` and with a predefined set of arguments. Still, if you don't use `asciidoctor` in your project, you might as well have it turned off. You can configure your own in the new `security` configuration section, but the defaults are configured to create a minimal amount of site breakage. And if that do happen, you will get clear instructions in the loa about what to do. The default configuration is listed below. Note that almost all of these options are regular expression _whitelists_ (a string or a slice); the value `none` will block all. ```toml [security] enableInlineShortcodes = false [security.exec] allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$'] osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$'] [security.funcs] getenv = ['^HUGO_'] [security.http] methods = ['(?i)GET|POST'] urls = ['.*'] ```
2021-08-22Fix it so disableKinds etc. does not get merged in from themeBjørn Erik Pedersen
Unless the merge strategy is set up to do so. For `disableKinds` the current workaround is to make sure the project config has an entry, even if is empty: ``` disableKinds = [] ``` Note that this issue only touches root, non-map config-values that either is not set in project config or in Hugo's defaults. Fixes #8866
2021-07-26Deprecate Blackfriday and fix a potential deadlock in configBjørn Erik Pedersen
Note that the deadlock has not been seen earlier, in tests on in real Hugo sites. Fixes #8792 Fixes #8791
2021-07-10Add config.cascadeBjørn Erik Pedersen
This commit adds support for using the `cascade` keyword in your configuration file(s), e.g. `config.toml`. Note that * Every feature of `cascade` is available, e.g. `_target` to target specific page sets. * Pages, e.g. the home page, can overwrite the cascade defined in config. Fixes #8741
2021-06-29config: Fix handling of invalid OS env config overridesBjørn Erik Pedersen
Fixes #8709
2021-06-27Fix config handling with empty config entries after mergeBjørn Erik Pedersen
Fixes #8701
2021-06-24Fix language menu config regressionBjørn Erik Pedersen
Fixes #8672
2021-06-22config: Fix merge of config with map[string]string values.Bjørn Erik Pedersen
Fixes #8679
2021-06-14Misc config loading fixesBjørn Erik Pedersen
The main motivation behind this is simplicity and correctnes, but the new small config library is also faster: ``` BenchmarkDefaultConfigProvider/Viper-16 252418 4546 ns/op 2720 B/op 30 allocs/op BenchmarkDefaultConfigProvider/Custom-16 450756 2651 ns/op 1008 B/op 6 allocs/op ``` Fixes #8633 Fixes #8618 Fixes #8630 Updates #8591 Closes #6680 Closes #5192
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-12 06:41:52 +0000