IMGPROXY_MAX_REDIRECTS config (#797)

* IMGPROXY_MAX_REDIRECTS config * Apply suggestions from code review Co-authored-by: Travis-Turner <32389151+Travis-Turner@users.noreply.github.com> Co-authored-by: Travis-Turner <32389151+Travis-Turner@users.noreply.github.com>
2024-11-24 08:12:38 +02:00 · 2022-02-16 15:42:09 +06:00 · 2022-02-16 15:42:09 +06:00 · ec02fc53a5
commit ec02fc53a5
parent 3997a0fea0
4 changed files with 17 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,6 +1,8 @@
 # Changelog

 ## [Unreleased]
+### Added
+- Add the `IMGPROXY_MAX_REDIRECTS` config.

 ## [3.2.2] - 2022-02-08
 ### Fix
--- a/config/config.go
+++ b/config/config.go
@ -37,6 +37,7 @@ var (
 	MaxSrcFileSize     int
 	MaxAnimationFrames int
 	MaxSvgCheckBytes   int
+	MaxRedirects       int

 	JpegProgressive       bool
 	PngInterlaced         bool
@ -174,6 +175,7 @@ func Reset() {
 	MaxSrcFileSize = 0
 	MaxAnimationFrames = 1
 	MaxSvgCheckBytes = 32 * 1024
+	MaxRedirects = 10

 	JpegProgressive = false
 	PngInterlaced = false
@ -303,6 +305,8 @@ func Configure() error {

 	configurators.Int(&MaxAnimationFrames, "IMGPROXY_MAX_ANIMATION_FRAMES")

+	configurators.Int(&MaxRedirects, "IMGPROXY_MAX_REDIRECTS")
+
 	configurators.Patterns(&AllowedSources, "IMGPROXY_ALLOWED_SOURCES")

 	configurators.Bool(&JpegProgressive, "IMGPROXY_JPEG_PROGRESSIVE")
--- a/docs/configuration.md
+++ b/docs/configuration.md
@ -67,6 +67,10 @@ To check if the source image is SVG, imgproxy reads some amount of bytes; by def

 * `IMGPROXY_MAX_SVG_CHECK_BYTES`: the maximum number of bytes imgproxy will read to recognize SVG files. If imgproxy is unable to recognize your SVG, try increasing this number. Default: `32768` (32KB)

+Requests to some image sources may go through too many redirects or enter an infinite loop. You can limit the number of allowed redirects:
+
+* `IMGPROXY_MAX_REDIRECTS`: the max number of redirects imgproxy can follow while requesting the source image
+
 You can also specify a secret key to enable authorization with the HTTP `Authorization` header for use in production environments:

 * `IMGPROXY_SECRET`: the authorization token. If specified, the HTTP request should contain the `Authorization: Bearer %secret%` header.
--- a/imagedata/download.go
+++ b/imagedata/download.go
@ -97,6 +97,13 @@ func initDownloading() error {
 	downloadClient = &http.Client{
 		Timeout:   time.Duration(config.DownloadTimeout) * time.Second,
 		Transport: transport,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			redirects := len(via)
+			if redirects >= config.MaxRedirects {
+				return fmt.Errorf("stopped after %d redirects", redirects)
+			}
+			return nil
+		},
 	}

 	return nil