Revert "config/security: Add HOME to default exec env var whitelist"

There have been one report in the wild suggesting that this needs to be tested better before doing: https://discourse.gohugo.io/t/hugo-mod-failing-in-v0-91-1-but-works-in-v0-91-0/36180/5 This reverts commit fca266ebbb.
2025-08-21 21:35:28 +02:00 · 2021-12-23 12:46:04 +01:00
parent aee9e11a40
commit 623dda7174
3 changed files with 12 additions and 3 deletions
--- a/config/security/securityConfig.go
+++ b/config/security/securityConfig.go
@@ -42,7 +42,7 @@ var DefaultConfig = Config{
 		),
 		// These have been tested to work with Hugo's external programs
 		// on Windows, Linux and MacOS.
-		OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|HOME|TMP|TEMP|TERM)$"),
+		OsEnv: NewWhitelist("(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$"),
 	},
 	Funcs: Funcs{
 		Getenv: NewWhitelist("^HUGO_"),
@@ -110,6 +110,7 @@ func (c Config) CheckAllowedExec(name string) error {
 		}
 	}
 	return nil
+
 }

 func (c Config) CheckAllowedGetEnv(name string) error {
@@ -158,6 +159,7 @@ func (c Config) ToSecurityMap() map[string]interface{} {
 		"security": m,
 	}
 	return sec
+
 }

 // DecodeConfig creates a privacy Config from a given Hugo configuration.
@@ -187,6 +189,7 @@ func DecodeConfig(cfg config.Provider) (Config, error) {
 	}

 	return sc, nil
+
 }

 func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
@@ -202,6 +205,7 @@ func stringSliceToWhitelistHook() mapstructure.DecodeHookFuncType {
 		wl := types.ToStringSlicePreserveString(data)

 		return NewWhitelist(wl...), nil
+
 	}
 }