Always use content to resolve content type in resources.GetRemote

This is a security hardening measure; don't trust the URL extension or any `Content-Type`/`Content-Disposition` header on its own, always look at the file content using Go's `http.DetectContentType`. This commit also adds ttf and otf media type definitions to Hugo. Fixes #9302 Fixes #9301
2025-08-20 21:31:32 +02:00 · 2021-12-16 15:12:13 +01:00
parent 22ef5da20d
commit 44954497bc
26 changed files with 378 additions and 49 deletions
--- a/resources/resource.go
+++ b/resources/resource.go
@@ -69,6 +69,9 @@ type ResourceSourceDescriptor struct {

 	Fs afero.Fs

+	// Set when its known up front, else it's resolved from the target filename.
+	MediaType media.Type
+
 	// The relative target filename without any language code.
 	RelTargetFilename string