From 488d4eebbe4215d618591429bd8d0b259d3fe9c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Sun, 27 Jul 2014 17:21:47 +0200
Subject: [PATCH] SECURITY: do not follow redirect by default when downloading hotlinked images
---
 lib/file_helper.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/file_helper.rb b/lib/file_helper.rb
index f390272d0b..046540a847 100644
--- a/lib/file_helper.rb
+++ b/lib/file_helper.rb
@@ -6,7 +6,7 @@ class FileHelper
 filename =~ images_regexp
 end
 
- def self.download(url, max_file_size, tmp_file_name)
+ def self.download(url, max_file_size, tmp_file_name, follow_redirect=false)
 raise Discourse::InvalidParameters.new(:url) unless url =~ /^https?:\/\//
 uri = URI.parse(url)
@@ -14,7 +14,7 @@ class FileHelper
 tmp = Tempfile.new([tmp_file_name, extension])
 File.open(tmp.path, "wb") do |f|
- downloaded = uri.open("rb", read_timeout: 5)
+ downloaded = uri.open("rb", read_timeout: 5, redirect: follow_redirect)
 while f.size <= max_file_size && data = downloaded.read(max_file_size)
 f.write(data)
 end
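Review bot: With `redirect: follow_redirect` defaulting to false, open-uri raises `OpenURI::HTTPRedirect` on any 3xx instead of returning a body, and nothing in the second hunk rescues it, so a hotlinked image behind a redirect now surfaces as an exception to whoever calls `FileHelper.download`; the callers are outside this hunk and should be checked rather than assumed to handle it. Refusing redirects also closes only the redirect-based pivot: the first hunk still admits any `url` that merely starts with `http(s)://`, so a host that resolves to an internal address is still fetched, and a comment such as `# redirects are refused by default so a public URL cannot bounce the fetch onto an internal host; the initial host is not validated here` would make the intended scope explicit. Since the new parameter is a bare positional boolean, `def self.download(url, max_file_size, tmp_file_name, follow_redirect: false)` would read better at call sites, at the cost of updating any caller that already passes it positionally. The enclosing `self.download` method continues past the end of the hunk.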