mirror of
https://github.com/willnorris/imageproxy.git
synced 2024-12-16 21:56:43 -05:00
Add option to disable following redirects (#237)
When redirects are followed, ensure that they are still allowed per AllowHosts/DenyHosts
This commit is contained in:
parent
32a8bea35f
commit
52f4360543
2 changed files with 22 additions and 1 deletions
|
@ -48,6 +48,7 @@ var allowHosts = flag.String("allowHosts", "", "comma separated list of allowed
|
|||
var denyHosts = flag.String("denyHosts", "", "comma separated list of denied remote hosts")
|
||||
var referrers = flag.String("referrers", "", "comma separated list of allowed referring hosts")
|
||||
var includeReferer = flag.Bool("includeReferer", false, "include referer header in remote requests")
|
||||
var followRedirects = flag.Bool("followRedirects", true, "follow redirects")
|
||||
var baseURL = flag.String("baseURL", "", "default base URL for relative remote URLs")
|
||||
var cache tieredCache
|
||||
var signatureKeys signatureKeyList
|
||||
|
@ -90,6 +91,7 @@ func main() {
|
|||
}
|
||||
|
||||
p.IncludeReferer = *includeReferer
|
||||
p.FollowRedirects = *followRedirects
|
||||
p.Timeout = *timeout
|
||||
p.ScaleUp = *scaleUp
|
||||
p.Verbose = *verbose
|
||||
|
|
|
@ -63,6 +63,9 @@ type Proxy struct {
|
|||
// is included in remote requests.
|
||||
IncludeReferer bool
|
||||
|
||||
// FollowRedirects controls whether imageproxy will follow redirects or not.
|
||||
FollowRedirects bool
|
||||
|
||||
// DefaultBaseURL is the URL that relative remote URLs are resolved in
|
||||
// reference to. If nil, all remote URLs specified in requests must be
|
||||
// absolute.
|
||||
|
@ -186,6 +189,21 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
|
|||
// pass along the referer header from the original request
|
||||
copyHeader(actualReq.Header, r.Header, "referer")
|
||||
}
|
||||
if p.FollowRedirects {
|
||||
// FollowRedirects is true (default), ensure that the redirected host is allowed
|
||||
p.Client.CheckRedirect = func(newreq *http.Request, via []*http.Request) error {
|
||||
if hostMatches(p.DenyHosts, newreq.URL) || (len(p.AllowHosts) > 0 && !hostMatches(p.AllowHosts, newreq.URL)) {
|
||||
http.Error(w, msgNotAllowedInRedirect, http.StatusForbidden)
|
||||
return errNotAllowed
|
||||
}
|
||||
return nil
|
||||
}
|
||||
} else {
|
||||
// FollowRedirects is false, don't follow redirects
|
||||
p.Client.CheckRedirect = func(newreq *http.Request, via []*http.Request) error {
|
||||
return http.ErrUseLastResponse
|
||||
}
|
||||
}
|
||||
resp, err := p.Client.Do(actualReq)
|
||||
|
||||
if err != nil {
|
||||
|
@ -271,7 +289,8 @@ var (
|
|||
errDeniedHost = errors.New("request contains a denied host")
|
||||
errNotAllowed = errors.New("request does not contain an allowed host or valid signature")
|
||||
|
||||
msgNotAllowed = "requested URL is not allowed"
|
||||
msgNotAllowed = "requested URL is not allowed"
|
||||
msgNotAllowedInRedirect = "requested URL in redirect is not allowed"
|
||||
)
|
||||
|
||||
// allowed determines whether the specified request contains an allowed
|
||||
|
|
Loading…
Reference in a new issue