Always use content to resolve content type in resources.GetRemote

This is a security hardening measure; don't trust the URL extension or any `Content-Type`/`Content-Disposition` header on its own, always look at the file content using Go's `http.DetectContentType`. This commit also adds ttf and otf media type definitions to Hugo. Fixes #9302 Fixes #9301
2025-09-01 22:42:45 +02:00 · 2021-12-16 15:12:13 +01:00
parent 22ef5da20d
commit 44954497bc
26 changed files with 378 additions and 49 deletions
--- a/resources/images/config.go
+++ b/resources/images/config.go
@@ -20,6 +20,7 @@ import (
 	"strings"

 	"github.com/gohugoio/hugo/helpers"
+	"github.com/gohugoio/hugo/media"

 	"github.com/pkg/errors"

@@ -45,6 +46,15 @@ var (
 		".webp": WEBP,
 	}

+	imageFormatsBySubType = map[string]Format{
+		media.JPEGType.SubType: JPEG,
+		media.PNGType.SubType:  PNG,
+		media.TIFFType.SubType: TIFF,
+		media.BMPType.SubType:  BMP,
+		media.GIFType.SubType:  GIF,
+		media.WEBPType.SubType: WEBP,
+	}
+
 	// Add or increment if changes to an image format's processing requires
 	// re-generation.
 	imageFormatsVersions = map[Format]int{
@@ -102,6 +112,11 @@ func ImageFormatFromExt(ext string) (Format, bool) {
 	return f, found
 }

+func ImageFormatFromMediaSubType(sub string) (Format, bool) {
+	f, found := imageFormatsBySubType[sub]
+	return f, found
+}
+
 const (
 	defaultJPEGQuality    = 75
 	defaultResampleFilter = "box"