Always use content to resolve content type in resources.GetRemote

This is a security hardening measure; don't trust the URL extension or any `Content-Type`/`Content-Disposition` header on its own, always look at the file content using Go's `http.DetectContentType`. This commit also adds ttf and otf media type definitions to Hugo. Fixes #9302 Fixes #9301
2025-08-28 22:19:59 +02:00 · 2021-12-16 15:12:13 +01:00
parent 22ef5da20d
commit 44954497bc
26 changed files with 378 additions and 49 deletions
--- a/resources/resource_spec.go
+++ b/resources/resource_spec.go
@@ -272,21 +272,28 @@ func (r *Spec) newResource(sourceFs afero.Fs, fd ResourceSourceDescriptor) (reso
 		fd.RelTargetFilename = sourceFilename
 	}

-	ext := strings.ToLower(filepath.Ext(fd.RelTargetFilename))
-	mimeType, suffixInfo, found := r.MediaTypes.GetFirstBySuffix(strings.TrimPrefix(ext, "."))
-	// TODO(bep) we need to handle these ambiguous types better, but in this context
-	// we most likely want the application/xml type.
-	if suffixInfo.Suffix == "xml" && mimeType.SubType == "rss" {
-		mimeType, found = r.MediaTypes.GetByType("application/xml")
-	}
+	mimeType := fd.MediaType
+	if mimeType.IsZero() {
+		ext := strings.ToLower(filepath.Ext(fd.RelTargetFilename))
+		var (
+			found      bool
+			suffixInfo media.SuffixInfo
+		)
+		mimeType, suffixInfo, found = r.MediaTypes.GetFirstBySuffix(strings.TrimPrefix(ext, "."))
+		// TODO(bep) we need to handle these ambiguous types better, but in this context
+		// we most likely want the application/xml type.
+		if suffixInfo.Suffix == "xml" && mimeType.SubType == "rss" {
+			mimeType, found = r.MediaTypes.GetByType("application/xml")
+		}

-	if !found {
-		// A fallback. Note that mime.TypeByExtension is slow by Hugo standards,
-		// so we should configure media types to avoid this lookup for most
-		// situations.
-		mimeStr := mime.TypeByExtension(ext)
-		if mimeStr != "" {
-			mimeType, _ = media.FromStringAndExt(mimeStr, ext)
+		if !found {
+			// A fallback. Note that mime.TypeByExtension is slow by Hugo standards,
+			// so we should configure media types to avoid this lookup for most
+			// situations.
+			mimeStr := mime.TypeByExtension(ext)
+			if mimeStr != "" {
+				mimeType, _ = media.FromStringAndExt(mimeStr, ext)
+			}
 		}
 	}

@@ -301,7 +308,7 @@ func (r *Spec) newResource(sourceFs afero.Fs, fd ResourceSourceDescriptor) (reso
 		mimeType)

 	if mimeType.MainType == "image" {
-		imgFormat, ok := images.ImageFormatFromExt(ext)
+		imgFormat, ok := images.ImageFormatFromMediaSubType(mimeType.SubType)
 		if ok {
 			ir := &imageResource{
 				Image:        images.NewImage(imgFormat, r.imaging, nil, gr),