SECURITY: do not follow redirect by default when downloading hotlinked images

lib/file_helper.rb

@@ -6,7 +6,7 @@ class FileHelper
     filename =~ images_regexp
   end
 
-  def self.download(url, max_file_size, tmp_file_name)
+  def self.download(url, max_file_size, tmp_file_name, follow_redirect=false)
     raise Discourse::InvalidParameters.new(:url) unless url =~ /^https?:\/\//
 
     uri = URI.parse(url)
@@ -14,7 +14,7 @@ class FileHelper
     tmp = Tempfile.new([tmp_file_name, extension])
 
     File.open(tmp.path, "wb") do |f|
-      downloaded = uri.open("rb", read_timeout: 5)
+      downloaded = uri.open("rb", read_timeout: 5, redirect: follow_redirect)
       while f.size <= max_file_size && data = downloaded.read(max_file_size)
         f.write(data)
       end