v0.79.1
Hugo depends on Go's os/exec
for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system %PATH%
on Windows. However, if a malicious file with the same name (exe
or bat
) was found in the current working directory at the time of running hugo
, the malicious command would be invoked instead of the system one.
Windows users who ran hugo
inside untrusted Hugo sites was affected.
The origin of this issue comes from Go, see golang/go#38736
We have fixed this in Hugo by using a patched version of exec.LookPath
from https://github.com/cli/safeexec (thanks to @mislav for the implementation).
Thanks to @Ry0taK for the bug report.