shithub: hugo


ref: 0f1fb8c7d8e404fc8e395fc7e8e751dfa7af8bb6
parent: 35bb72c83efbdd868af9b32af034993c245b4584
author: Bjørn Erik Pedersen <[email protected]>
date: Fri Aug 7 16:08:23 EDT 2015

Avoid panic in shortcode param handling

Fixes #1337

--- a/hugolib/shortcode.go
+++ b/hugolib/shortcode.go
@@ -271,6 +271,8 @@
 
 }
 
+var shortCodeIllegalState = errors.New("Illegal shortcode state")
+
 // pageTokens state:
 // - before: positioned just before the shortcode start
 // - after: shortcode(s) consumed (plural when they are nested)
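Review bot: The sentinel added on the `var shortCodeIllegalState` line departs from Go's error conventions, which name sentinels `errXxx`/`ErrXxx` and start error strings in lowercase; it also has no comment saying when it is returned. I would write `var errShortCodeIllegalState = errors.New("illegal shortcode state")`, preceded by `// errShortCodeIllegalState is returned when a shortcode's parameters cannot be handled as all-named or all-positional.` That wording of the trigger is inferred from the two type-assertion hunks further down and should be confirmed against the parser.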
@@ -353,8 +355,12 @@
 					params[currItem.val] = pt.next().val
 					sc.params = params
 				} else {
-					params := sc.params.(map[string]string)
-					params[currItem.val] = pt.next().val
+					if params, ok := sc.params.(map[string]string); ok {
+						params[currItem.val] = pt.next().val
+					} else {
+						return sc, shortCodeIllegalState
+					}
+
 				}
 			} else {
 				// positional params
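Review bot: The new `else` branch returns the bare `shortCodeIllegalState`, so the caller learns nothing about which parameter in the content tripped the check; the positional branch in the next hunk has the same gap. Since this path is reached from document input (the commit message ties it to a fuzzing crash), an error that names the token helps the author find the malformed shortcode, e.g. `return sc, fmt.Errorf("%s: unexpected named parameter %q", shortCodeIllegalState, currItem.val)`, assuming `fmt` is imported in this file. Stylistically, a guard `params, ok := sc.params.(map[string]string); if !ok { return ... }` keeps the happy path unindented and removes the blank line before the closing brace. The enclosing function starts and ends outside the hunk, so other unchecked assertions or `pt.next()` calls in it are worth checking for the same class of panic.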
@@ -363,9 +369,13 @@
 					params = append(params, currItem.val)
 					sc.params = params
 				} else {
-					params := sc.params.([]string)
-					params = append(params, currItem.val)
-					sc.params = params
+					if params, ok := sc.params.([]string); ok {
+						params = append(params, currItem.val)
+						sc.params = params
+					} else {
+						return sc, shortCodeIllegalState
+					}
+
 				}
 			}
 
--- a/hugolib/shortcode_test.go
+++ b/hugolib/shortcode_test.go
@@ -18,14 +18,22 @@
 }
 
 func CheckShortCodeMatch(t *testing.T, input, expected string, template tpl.Template) {
+	CheckShortCodeMatchAndError(t, input, expected, template, false)
+}
 
+func CheckShortCodeMatchAndError(t *testing.T, input, expected string, template tpl.Template, expectError bool) {
+
 	p, _ := pageFromString(SIMPLE_PAGE, "simple.md")
 	output, err := HandleShortcodes(input, p, template)
 
-	if err != nil {
+	if err != nil && !expectError {
 		t.Fatalf("Shortcode rendered error %s. Expected: %q, Got: %q", err, expected, output)
 	}
 
+	if err == nil && expectError {
+		t.Fatalf("No error from shortcode")
+	}
+
 	if output != expected {
 		t.Fatalf("Shortcode render didn't match. got %q but exxpected %q", output, expected)
 	}
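Review bot: With `expectError` set, `CheckShortCodeMatchAndError` accepts any non-nil error, so the regression test would still pass if `HandleShortcodes` failed for an unrelated reason. If the sentinel is returned unwrapped (not visible here), the check could be tightened to `if expectError && err != shortCodeIllegalState { t.Fatalf("unexpected error: %v", err) }`, or the helper could take the expected error instead of a bool. Two smaller points in the same function: `p, _ := pageFromString(...)` discards a setup error that should fail the test, and `t.Fatalf("No error from shortcode")` has no format verbs and can be `t.Fatal`. The function body continues past the end of this hunk.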
@@ -89,6 +97,14 @@
 	tem := tpl.New()
 	tem.AddInternalShortcode("video.html", `Playing Video {{ .Get 1 }}`)
 	CheckShortCodeMatch(t, "{{< video 47238zzb >}}", "Playing Video error: index out of range for positional param at position 1", tem)
+}
+
+// some repro issues for panics in Go Fuzz testing
+func TestShortcodeGoFuzzRepros(t *testing.T) {
+	tt := tpl.New()
+	tt.AddInternalShortcode("inner.html", `Shortcode... {{ with .Get 0 }}{{ . }}{{ end }}-- {{ with .Get 1 }}{{ . }}{{ end }}- {{ with .Inner }}{{ . }}{{ end }}`)
+	// Issue #1337
+	CheckShortCodeMatchAndError(t, "{{%inner\"\"\"\"=\"\"", "", tt, true)
 }
 
 func TestNamedParamSC(t *testing.T) {
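Review bot: `TestShortcodeGoFuzzRepros` appears to cover only one of the two new error paths. Judging from its input, a positional value is followed by a `=` pair, which would reach the failed `map[string]string` assertion but leave the failed `[]string` assertion in shortcode.go untested. A second case with the order reversed would cover it, for example (constructed, not verified against the lexer) `CheckShortCodeMatchAndError(t, "{{< inner a=\"b\" c >}}", "", tt, true)`. The comment above the test would also read better as a doc comment, `// TestShortcodeGoFuzzRepros replays inputs that caused panics under go-fuzz.` The trailing context line opens `TestNamedParamSC`, whose body lies outside this hunk.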