security: Dangerous baseurls in themes

[MarkDBlackwell]

A lot of themes have baseurl = "replace-this-with-your-hugo-site.com" in their default config.toml—see [many] examples in the wild.

This URL may be clicked unknowingly by a new user (I did, LOL) and it's very suspicious—it executes scripts redirecting to pages my adblocker dislikes, pops up notices about an infected computer, plays beeping sounds, etc.

An enterprising scammer has registered replace-this-with-your-hugo-site.com (don't bother trying it—popups, beeping, probably exploits), which I accidentally discovered after deploying a misconfigured website, and leading some customers to this very problematic place.

A thorough search of Hugo's theme collection revealed some bad baseurls (from the point of view of security); see Hugo issues here and here.

I assume the best place for us to edit these themes is directly in this repository. Is this assumption correct?

Following are (all of) the bad ones (converted to lower case), along with some good ones:

Good:

• baseurl = ""
• baseurl = "/"
• baseurl = "http://0.0.0.0/"
• baseurl = "http://example.org/"

Bad:

• baseurl = "http://hugosite.com":
  1. anybodyhome/exampleSite/config.toml
• baseurl = "http://mysite.com/":
  1. aurora/exampleSite/config.toml
• baseurl = "http://username.github.io"
  1. beautifulhugo/exampleSite/config.toml
• baseurl = "http://you.github.io/"
  1. cocoa/exampleSite/config.toml
• baseurl = "http://your.base.url/"
  1. hugo-mdl/exampleSite/config.toml
• baseurl = "http://your-site-here/":
  1. hugo-theme-geppaku/exampleSite/config.toml
• baseurl = "http://your_website_url":
  1. hugo-theme-nix/exampleSite/config.toml
• baseurl = "http://yourdomain.com":
  1. landing-page-hugo/exampleSite/config.toml
  2. landing-page-hugo/exampleSite/landing-page-hugo/exampleSite/config.toml
• baseurl = "http://yoursitehere":
  1. hugo-base-theme/exampleSite/hugo-base-theme/exampleSite/config.toml

[digitalcraftsman]

Now, I'm using https://example.org in the example config files of all my themes, namely:

• Strata
• Steam
• Agency
• Type
• Creative
• Freelancer
• Artists
• material-docs
• icarus
• cactus
• alabaster
• minimalist
• hikari

[digitalcraftsman]

During the last days I began to open issues to inform theme owners about this (potential) form of abuse. At the same time I updated your list @MarkDBlackwell and removed themes that switched to a save base url.

[digitalcraftsman]

Some of the urls will not work even if somebody would like to abuse them:

• http://username.github.io can't be used because GitHub prevents users to register an account with the handle since it is a reserved word.
• http://your-site-here/ and http://your_website_url are not a valid urls

[MarkDBlackwell]

http://your-site-here and http://your_website_url aren't valid URLs

Regarding DNS names which include hyphens or underscores ("-" or "_"):

1. Both hyphens and underscores are allowed in DNS names;
2. Underscores are illegal in host names; and
3. Some software might "helpfully" convert underscores within DNS names into hyphens (see below); some users might similarly "correct" them.

Regarding DNS names which lack top-level domains (".com", etc.): various key combinations reportedly cause certain browsers (IE and Safari) sometimes to append ".com".

Some web browsers (if appropriately configured) sometimes append ".com" automatically to DNS names. For example, in:

1. Mozilla SeaMonkey, under Preferences-Browser-Location Bar-Unknown Locations:
   1. "Add ... '.com' to the location if a web page is not found"; and
2. Google Chrome, under Settings-Privacy (perhaps):
   1. "Use a prediction service to help complete ... URLs typed in the address bar";
   2. "Use a web service to help resolve navigation errors"; or
   3. "Use a web service to help resolve spelling errors".

Because of the vagueness of our understanding of the above software, IMO we should err on the side of safety.

tl;dr Some users' or organizations' browsers might automatically append ".com" to DNS names which lack top-level domains.

After appending ".com" (in all the browsers I checked), http://your-site-here currently rewrites to http://www.your-site-here.com/responsive/wordpress/.

Therefore, IMO we should discourage http://your-site-here and http://your_website_url strongly, as well.

Ref.: Underscores in DNS – SourceForge DNS domain name syntax examples – Stack Overflow ".com" auto-add – Google (web search)

[pacollins]

Since this was never closed, wouldn't it make sense to just make this a requirement in the README.md like screenshots?

Also, hugo-future-imperfect still uses http://hugo.spf13.com/ as the base url - should we change that then?

[digitalcraftsman]

Since this was never closed, wouldn't it make sense to just make this a requirement in the README.md like screenshots?

That's a good idea. I'll update the guide in the README accordingly.

Also, hugo-future-imperfect still uses http://hugo.spf13.com as the base url - should we change that then?

Are you just talking about the future-imperfect theme?

[pacollins]

Yeah, its just our theme that I know of (maybe it was part if the default config?).