Merge pull request #705 from jacebrowning/reject-302-backgrounds

Reject backgrounds that permanently redirect
jacebrowning · Mar 5, 2022 · 0ce649f · 0ce649f
2 parents 4a10d9d + dd3c2db
commit 0ce649f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/app/tests/test_views_images.py b/app/tests/test_views_images.py
@@ -348,6 +348,13 @@ def it_handles_missing_urls(expect, client):
             expect(response.status) == 415
             expect(response.headers["content-type"]) == "image/png"
 
+        def it_handles_redirect_urls(expect, client):
+            request, response = client.get(
+                "/images/custom/test.png?background=https://i.imgur.com/zw1eny2.jpg"
+            )
+            expect(response.status) == 415
+            expect(response.headers["content-type"]) == "image/png"
+
         def it_ignores_placeholder_values(expect, client):
             request, response = client.get(
                 "/images/custom/string.png?background=string"

diff --git a/app/utils/http.py b/app/utils/http.py
@@ -21,6 +21,10 @@ async def download(url: str, path: AsyncPath) -> bool:
         try:
             async with session.get(url, timeout=10) as response:
 
+                if response.history and response.history[0].status == 302:
+                    logger.error(f"302 response from {url}")
+                    return False
+
                 if response.status == 200:
                     f = await aiofiles.open(path, mode="wb")  # type: ignore
                     await f.write(await response.read())