knadh/listmonk
1
1
Fork 0
mirror of https://github.com/knadh/listmonk.git synced 2025-10-06 21:36:54 +08:00
Code Issues Projects Releases Packages Wiki Activity

Remove dangerous tpl funcs in Sprig that's enabled by default.

Browse source 
`env` and `expandenv` template functions in the Sprig library allow
accessing system environment variables within campaign templates.
This commit is contained in:
Kailash Nadh 2025-06-08 15:06:56 +05:30
parent 6fc6c1ecea
commit d27d2c32cf
2 changed files with 10 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
cmd/init.go
View file

@ -988,7 +988,11 @@ func initTplFuncs(i *i18n.I18n, u *UrlConfig) template.FuncMap {
}
// Copy spring functions.
maps.Copy(funcs, sprig.GenericFuncMap())
sprigFuncs := sprig.GenericFuncMap()
delete(sprigFuncs, "env")
delete(sprigFuncs, "expandenv")
maps.Copy(funcs, sprigFuncs)
return funcs
}

6
internal/manager/manager.go
View file

@ -621,7 +621,11 @@ func (m *Manager) makeGnericFuncMap() template.FuncMap {
}
// Copy spring functions.
maps.Copy(funcs, sprig.GenericFuncMap())
sprigFuncs := sprig.GenericFuncMap()
delete(sprigFuncs, "env")
delete(sprigFuncs, "expandenv")
maps.Copy(funcs, sprigFuncs)
return funcs
}