Skip to content

v0.79.1

Compare
Choose a tag to compare
@bep bep released this 19 Dec 15:55
· 2624 commits to master since this release

Hugo depends on Go's os/exec for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system %PATH% on Windows. However, if a malicious file with the same name (exe or bat) was found in the current working directory at the time of running hugo, the malicious command would be invoked instead of the system one.

Windows users who ran hugo inside untrusted Hugo sites was affected.

The origin of this issue comes from Go, see golang/go#38736

We have fixed this in Hugo by using a patched version of exec.LookPath from https://github.com/cli/safeexec (thanks to @mislav for the implementation).

Thanks to @Ry0taK for the bug report.