From 8c28dca762dcc38d3f8f7ec1f6c6dab6af70ccee Mon Sep 17 00:00:00 2001
From: Will Norris
Date: Fri, 21 Feb 2020 08:24:23 +0000
Subject: [PATCH] include referer header in remote requests
this is an optional feature which is disabled by default, since it is only needed in a few select cases and risks accidentally exposing internal URLs.
Fixes #216
---
 cmd/imageproxy/main.go | 2 ++
 docs/changelog.md | 2 ++
 imageproxy.go | 8 ++++++++
 3 files changed, 12 insertions(+)
diff --git a/cmd/imageproxy/main.go b/cmd/imageproxy/main.go
index 3613eba..2b8cc1d 100644
--- a/cmd/imageproxy/main.go
+++ b/cmd/imageproxy/main.go
@@ -46,6 +46,7 @@ var addr = flag.String("addr", "localhost:8080", "TCP address to listen on")
 var allowHosts = flag.String("allowHosts", "", "comma separated list of allowed remote hosts")
 var denyHosts = flag.String("denyHosts", "", "comma separated list of denied remote hosts")
 var referrers = flag.String("referrers", "", "comma separated list of allowed referring hosts")
+var includeReferer = flag.Bool("includeReferer", false, "include referer header in remote requests")
 var baseURL = flag.String("baseURL", "", "default base URL for relative remote URLs")
 var cache tieredCache
 var signatureKeys signatureKeyList
@@ -87,6 +88,7 @@ func main() {
 }
 }
+ p.IncludeReferer = *includeReferer
 p.Timeout = *timeout
 p.ScaleUp = *scaleUp
 p.Verbose = *verbose
diff --git a/docs/changelog.md b/docs/changelog.md
index 5e27986..a05ca92 100644
--- a/docs/changelog.md
+++ b/docs/changelog.md
@@ -7,6 +7,8 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
 [Unreleased]: https://github.com/willnorris/imageproxy/compare/v0.9.0...HEAD
+ - added option to include referer header in remote requests
+ ([#216](https://github.com/willnorris/imageproxy/issues/216))
 ## [0.9.0] (2019-06-10)
 [0.9.0]: https://github.com/willnorris/imageproxy/compare/v0.8.0...v0.9.0
diff --git a/imageproxy.go b/imageproxy.go
index e8bb9c8..d5654aa 100644
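Review bot: The usage string for `-includeReferer` in cmd/imageproxy/main.go omits the caveat the commit message gives, so an operator reading the flag help gets no hint that enabling it sends the client's Referer, possibly an internal URL, to remote hosts. Suggest `"include referer header in remote requests (may expose internal URLs to remote hosts)"`. The same caveat is missing from the `IncludeReferer` field comment in the first imageproxy.go hunk; a line such as `// Enabling this can disclose internal page URLs to remote hosts.` would cover library users who set the field directly.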
--- a/imageproxy.go
+++ b/imageproxy.go
@@ -56,6 +56,10 @@ type Proxy struct {
 // hosts are allowed.
 Referrers []string
+ // IncludeReferer controls whether the original Referer request header
+ // is included in remote requests.
+ IncludeReferer bool
+
 // DefaultBaseURL is the URL that relative remote URLs are resolved in
 // reference to. If nil, all remote URLs specified in requests must be
 // absolute.
@@ -166,6 +170,10 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 if len(p.ContentTypes) != 0 {
 actualReq.Header.Set("Accept", strings.Join(p.ContentTypes, ", "))
 }
+ if p.IncludeReferer {
+ // pass along the referer header from the original request
+ copyHeader(actualReq.Header, r.Header, "referer")
+ }
 resp, err := p.Client.Do(actualReq)
 if err != nil {
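Review bot: In the serveImage hunk the client-supplied Referer is copied verbatim, so its full path and query string go to whichever remote host the request targets, which is the exposure the commit message itself names. Unless the origins this feature is meant for need the full URL, forwarding only the origin would narrow what leaks, e.g. `if u, err := url.Parse(r.Referer()); err == nil && u.Host != "" { actualReq.Header.Set("Referer", u.Scheme+"://"+u.Host+"/") }` (assuming net/url is imported in this file). It is also worth confirming how this interacts with response caching: if cached entries are keyed by URL alone, which this hunk does not show, a response fetched under one Referer could be served to requests carrying a different one. serveImage's body starts and ends outside the hunk and copyHeader is defined elsewhere, so its handling of an absent header is not visible here.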