External Executable Not Allowed to Run after Hugo v0.91?
Today I upgrade Hugo from v0.75 to the latest version (v0.92). When I run the deployment script to build the site and push, I saw the following error:
error: Error building site: “/Users/jdhao/Blog/content/post/back-propagation-in-mlp-explained.pdc:1:1”: access denied: “pandoc” is not whitelisted in policy “security.exec.allow”;
From the release note of v0.91, we can find the reason (the part about
New Security Configuration).
This release also adds some new security hardening measures for the Hugo build runtime in the form of a new security configuration. There are some rarely used features in Hugo that would be good to have disabled by default. One example would be the “external helpers”.
So Hugo v0.91 introduces a set of security config meant to harden the building environment.
If we use external tools like
pandoc (as the Markdown renderer),
emacs (as the new content editor),
we now need to allow them explicitly in our configuration. Otherwise, they are not allowed to run.
The solution is simple. Edit the
config.toml under site root, and add the following security section:
[security] enableInlineShortcodes = false [security.exec] allow = ['^dart-sass-embedded$', '^go$', '^npx$', '^postcss$', '^pandoc$', '^nvim$'] osEnv = ['(?i)^(PATH|PATHEXT|APPDATA|TMP|TEMP|TERM)$'] [security.funcs] getenv = ['^HUGO_'] [security.http] methods = ['(?i)GET|POST'] urls = ['.*']
Add the needed executable to the
security.exec.allow white list. After that, the error should disappear.
License CC BY-NC-ND 4.0