mirror of
https://github.com/willnorris/imageproxy.git
synced 2024-12-16 21:56:43 -05:00
don't require redirect URLs to match AllowHosts
When following redirects, ensure that the final URL is not in the configured DenyHosts list, but do not further enforce presence in the AllowHosts list. This was initially added in #237, and the original use case was about protecting against redirects being used to bypass denied hosts. They were using URL signatures and deny lists (for localhost, etc.), but not allow lists. So really, checking against the deny list is all that was needed in that case. This came up recently for me as I was trying to proxy images on a remote host that redirects to Amazon S3. Even though the original URL was signed, the redirect was being denied because s3-us-west-2.amazonaws.com isn't one of my allowed hosts. But I don't want to allow all of S3, just the signed URLs.
This commit is contained in:
parent
4229b98cb3
commit
2008a17f5e
1 changed files with 1 additions and 1 deletions
|
@ -197,7 +197,7 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
return errTooManyRedirects
|
return errTooManyRedirects
|
||||||
}
|
}
|
||||||
if hostMatches(p.DenyHosts, newreq.URL) || (len(p.AllowHosts) > 0 && !hostMatches(p.AllowHosts, newreq.URL)) {
|
if hostMatches(p.DenyHosts, newreq.URL) {
|
||||||
http.Error(w, msgNotAllowedInRedirect, http.StatusForbidden)
|
http.Error(w, msgNotAllowedInRedirect, http.StatusForbidden)
|
||||||
return errNotAllowed
|
return errNotAllowed
|
||||||
}
|
}
|
||||||
|
|
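Review bot: The relaxed condition `if hostMatches(p.DenyHosts, newreq.URL)` means AllowHosts now only gates the initial request URL, not any host the chain of redirects lands on, so a deployment that relies on AllowHosts alone (no URL signatures, no DenyHosts entries for internal addresses) will now follow a redirect from an allowed host to any host that is not explicitly denied. The commit message justifies this for the signed-URL case, but the code path does not distinguish it: consider keeping the old check `(len(p.AllowHosts) > 0 && !hostMatches(p.AllowHosts, newreq.URL))` for requests that were not signature-validated, or at least documenting next to the AllowHosts option that it does not apply to redirect targets and that DenyHosts must cover anything a redirect should never reach.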