From 65d30640c63bb3dd610bcf6efee55d3418007d27 Mon Sep 17 00:00:00 2001
From: Blake Stoddard
Date: Fri, 16 Oct 2020 11:15:32 -0400
Subject: [PATCH 1/3] Delegate Content-Type verification solely to contentTypeMatches()
Some customer-proxied files have been hosted on servers that will kick back errors if we a) provide a list of Accept'ed Content-Types, or b) provide a Content-Type in the Accept list that the server does not know about.
---
 imageproxy.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/imageproxy.go b/imageproxy.go
index 2f1d6f684..3fe0173f4 100644
--- a/imageproxy.go
+++ b/imageproxy.go
@@ -180,12 +180,10 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 req.Options.ScaleUp = p.ScaleUp
 
 actualReq, _ := http.NewRequest("GET", req.String(), nil)
+ actualReq.Header.Set("Accept", "*/*")
 if p.UserAgent != "" {
 actualReq.Header.Set("User-Agent", p.UserAgent)
 }
- if len(p.ContentTypes) != 0 {
- actualReq.Header.Set("Accept", strings.Join(p.ContentTypes, ", "))
- }
 if p.IncludeReferer {
 // pass along the referer header from the original request
 copyHeader(actualReq.Header, r.Header, "referer")
From fc97bd1862421af6c51882822be8075c79d11692 Mon Sep 17 00:00:00 2001
From: Blake Stoddard
Date: Fri, 16 Oct 2020 11:16:36 -0400
Subject: [PATCH 2/3] Add an Accept-Language header to requested images
Some financial institutions will return an error via text/html if a request is made without an Accept-Language header.
---
 imageproxy.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/imageproxy.go b/imageproxy.go
index 3fe0173f4..3ba4f2d11 100644
--- a/imageproxy.go
+++ b/imageproxy.go
@@ -181,6 +181,7 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 
 actualReq, _ := http.NewRequest("GET", req.String(), nil)
 actualReq.Header.Set("Accept", "*/*")
+ actualReq.Header.Set("Accept-Language", "*")
 if p.UserAgent != "" {
 actualReq.Header.Set("User-Agent", p.UserAgent)
 }
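Review bot: The new `Accept: */*` line carries no comment, and a reader of this hunk will otherwise read the removed block as a dropped check rather than a deliberate move of the allowlist to the response side; add above it `// Accept */* on purpose: some origins reject explicit Accept lists; p.ContentTypes is enforced on the response by contentTypeMatches.` With the `strings.Join` call gone, confirm that `strings` is still referenced elsewhere in imageproxy.go, otherwise this patch alone does not build (only the third patch in the series adds a new `strings.Contains`). The `_` that discards the `http.NewRequest` error on the context line above is pre-existing but sits next to the new header writes, which would panic on a nil request if that error were ever non-nil. serveImage starts and ends outside the hunk.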
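Review bot: The added `Accept-Language: *` is a fixed wildcard rather than a pass-through of the client's header, and the reason lives only in the commit message; put it next to the code as `// some origins answer with a text/html error when Accept-Language is absent; "*" is the language-range wildcard`. Since the value is constant, it does not depend on anything in the incoming request, which is worth stating so nobody later "fixes" it by copying the client header the way the referer branch does. The enclosing serveImage begins and ends outside this hunk.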
From 6ed31170538c5ce04edca03bc7ee58eb17c7d549 Mon Sep 17 00:00:00 2001
From: Blake Stoddard
Date: Fri, 13 Nov 2020 16:35:44 -0500
Subject: [PATCH 3/3] Disallow anything with svg in the content-type header
---
 imageproxy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/imageproxy.go b/imageproxy.go
index 3ba4f2d11..9a5826f6a 100644
--- a/imageproxy.go
+++ b/imageproxy.go
@@ -239,7 +239,7 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 resp.Body = ioutil.NopCloser(b)
 contentType = peekContentType(b)
 }
- if resp.ContentLength != 0 && !contentTypeMatches(p.ContentTypes, contentType) {
+ if (resp.ContentLength != 0 && !contentTypeMatches(p.ContentTypes, contentType)) || strings.Contains(contentType, "svg") {
 p.logf("content-type not allowed: %q", contentType)
 http.Error(w, msgNotAllowed, http.StatusForbidden)
 return
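Review bot: `strings.Contains(contentType, "svg")` on the new `+` line is case-sensitive, so a value such as `image/SVG+XML` slips through even though media types compare case-insensitively; if contentType can come from the origin's Content-Type header and not only from peekContentType (the assignment path is not fully visible in the hunk), normalize before testing. I would write the condition as `if strings.Contains(strings.ToLower(contentType), "svg") ||` followed by `(resp.ContentLength != 0 && !contentTypeMatches(p.ContentTypes, contentType)) {`, and add a comment giving the reason the allowlist is bypassed here: `// SVG is refused regardless of p.ContentTypes: it can carry script and is rendered, not displayed, when opened directly`. The svg clause is deliberately not gated on ContentLength unlike the first clause; say so in the same comment so the asymmetry is not later "fixed". serveImage's start and end lie outside this hunk.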