SECURITY: do not follow redirect by default when downloading hotlinked images
This commit is contained in:
parent
621b86dbb3
commit
488d4eebbe
|
@ -6,7 +6,7 @@ class FileHelper
|
|||
filename =~ images_regexp
|
||||
end
|
||||
|
||||
def self.download(url, max_file_size, tmp_file_name)
|
||||
def self.download(url, max_file_size, tmp_file_name, follow_redirect=false)
|
||||
raise Discourse::InvalidParameters.new(:url) unless url =~ /^https?:\/\//
|
||||
|
||||
uri = URI.parse(url)
|
||||
|
@ -14,7 +14,7 @@ class FileHelper
|
|||
tmp = Tempfile.new([tmp_file_name, extension])
|
||||
|
||||
File.open(tmp.path, "wb") do |f|
|
||||
downloaded = uri.open("rb", read_timeout: 5)
|
||||
downloaded = uri.open("rb", read_timeout: 5, redirect: follow_redirect)
|
||||
while f.size <= max_file_size && data = downloaded.read(max_file_size)
|
||||
f.write(data)
|
||||
end
|
||||
|
|
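Review bot: The `redirect: follow_redirect` option added on the `uri.open` line in the second hunk disables redirect following by default, but when a caller opts in the redirect target is never re-checked against the `https?://` guard on the `raise Discourse::InvalidParameters` line, so that guard only covers the first hop; this deserves a comment on the signature in the first hunk, e.g. `# follow_redirect: when true, open-uri follows 3xx responses to whatever location they name, bypassing the scheme check above — enable only for trusted sources`. With the default, a 3xx answer now surfaces as an exception from open-uri (as far as I recall `OpenURI::HTTPRedirect`) instead of a downloaded file, which every caller of `download` — none visible here — must be prepared to handle. Separately, the scheme guard uses `^`, which in Ruby anchors at a line start rather than the string start; `raise Discourse::InvalidParameters.new(:url) unless url =~ /\Ahttps?:\/\//` anchors the whole value. Style: `follow_redirect = false` (spaces around the default's `=`) matches the Ruby style guide. The method body continues past the end of the second hunk.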