diff --git a/content/en/news/0.79.1-relnotes/index.md b/content/en/news/0.79.1-relnotes/index.md
index 76b431223..ce0ee2ba2 100644
--- a/content/en/news/0.79.1-relnotes/index.md
+++ b/content/en/news/0.79.1-relnotes/index.md
@@ -1,19 +1,22 @@
 ---
 date: 2020-12-19
-title: "Hugo 0.79.1: A couple of Bug Fixes"
-description: "This version fixes a couple of bugs introduced in 0.79.0."
+title: "Hugo .79.1: One Security Patch for Hugo on Windows"
+description: "Disallow running of e.g. Pandoc in the current directory."
 categories: ["Releases"]
 images:
 - images/blog/hugo-bug-poster.png
 ---
-
+Hugo depends on Go's `os/exec` for certain features, e.g. for rendering of Pandoc documents if these binaries are found in the system `%PATH%` on Windows. However, if a malicious file with the same name (`exe` or `bat`) was found in the current working directory at the time of running `hugo`, the malicious command would be invoked instead of the system one.
-This is a bug-fix release with one important fix.
-
-* Improve LookPath [4a8267d6](https://github.com/gohugoio/hugo/commit/4a8267d64a40564aced0695bca05249da17b0eab) [@bep](https://github.com/bep)
+Windows users who ran `hugo` inside untrusted Hugo sites was affected.
+The origin of this issue comes from Go, see https://github.com/golang/go/issues/38736
+
+We have fixed this in Hugo by [using](https://github.com/gohugoio/hugo/commit/4a8267d64a40564aced0695bca05249da17b0eab) a patched version of `exec.LookPath` from https://github.com/cli/safeexec (thanks to [@mislav](https://github.com/mislav)) for the implementation).
+
+Thanks to [@Ry0taK](https://github.com/Ry0taK) for the bug report.
diff --git a/netlify.toml b/netlify.toml
index 1cf6853e7..9dfac9003 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -3,7 +3,7 @@ publish = "public"
 command = "hugo --gc --minify"
 [context.production.environment]
-HUGO_VERSION = "0.79.0"
+HUGO_VERSION = "0.79.1"
 HUGO_ENV = "production"
 HUGO_ENABLEGITINFO = "true"
@@ -11,20 +11,20 @@ HUGO_ENABLEGITINFO = "true"
 command = "hugo --gc --minify --enableGitInfo"
 [context.split1.environment]
-HUGO_VERSION = "0.79.0"
+HUGO_VERSION = "0.79.1"
 HUGO_ENV = "production"
 [context.deploy-preview]
 command = "hugo --gc --minify --buildFuture -b $DEPLOY_PRIME_URL"
 [context.deploy-preview.environment]
-HUGO_VERSION = "0.79.0"
+HUGO_VERSION = "0.79.1"
 [context.branch-deploy]
 command = "hugo --gc --minify -b $DEPLOY_PRIME_URL"
 [context.branch-deploy.environment]
-HUGO_VERSION = "0.79.0"
+HUGO_VERSION = "0.79.1"
 [context.next.environment]
 HUGO_ENABLEGITINFO = "true"