SECURITY: do not follow redirect by default when downloading hotlinke…

…d images

lib/file_helper.rb

@@ -6,15 +6,15 @@ def self.is_image?(filename)
     filename =~ images_regexp
   end
 
-  def self.download(url, max_file_size, tmp_file_name)
+  def self.download(url, max_file_size, tmp_file_name, follow_redirect=false)
     raise Discourse::InvalidParameters.new(:url) unless url =~ /^https?:\/\//
 
     uri = URI.parse(url)
     extension = File.extname(uri.path)
     tmp = Tempfile.new([tmp_file_name, extension])
 
     File.open(tmp.path, "wb") do |f|
-      downloaded = uri.open("rb", read_timeout: 5)
+      downloaded = uri.open("rb", read_timeout: 5, redirect: follow_redirect)
       while f.size <= max_file_size && data = downloaded.read(max_file_size)
         f.write(data)
       end