Commit: 86fbb0f7a8 — security: Validate redirects against security.http.urls
Affected versions: v0.91.0 (when security.http.urls was introduced) through v0.161.1.
Fixed in: v0.162.0.
Severity: Only relevant for sites that rely on security.http.urls as a trust boundary — e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed to resources.GetRemote.
Description. resources.GetRemote enforces security.http.urls on the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid — for example, http://localhost/ or an internal IP — and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.
Mitigation. v0.162.0 installs a CheckRedirect on the HTTP client used by resources.GetRemote that re-runs security.http.urls on every redirect target and caps the redirect chain at 10 hops. No configuration change is required.
References
Commit: 86fbb0f7a8 — security: Validate redirects against security.http.urls
Affected versions: v0.91.0 (when
security.http.urlswas introduced) through v0.161.1.Fixed in: v0.162.0.
Severity: Only relevant for sites that rely on
security.http.urlsas a trust boundary — e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed toresources.GetRemote.Description.
resources.GetRemoteenforcessecurity.http.urlson the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid — for example,http://localhost/or an internal IP — and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.Mitigation. v0.162.0 installs a
CheckRedirecton the HTTP client used byresources.GetRemotethat re-runssecurity.http.urlson every redirect target and caps the redirect chain at 10 hops. No configuration change is required.References