Add a file types whitelist #42
Conversation
Is this still needed, even with the new(-ish) signature support?
It should be for the case where you don't use the signature option.
I'm still not completely sure of the best approach here, but here are some thoughts while it's on my mind: One of the simplest fixes is to update The above will not work for requests that don't contain any transformation options, since the A better option would be to call We could also just look at the declared content-type in the response headers, but if the point here is to prevent abuse, we shouldn't really trust those headers. Content sniffing is probably the best approach. Trying to do any kind of whitelisting based on file extension is not really going to be robust enough.
I agree that a file extension check can lead to complications and can be easily bypassed for security; the use of http.DetectContentType looks like the best and most robust option. See #53 for this.
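The approach the thread converges on (sniff the fetched bytes with http.DetectContentType and ignore both the file extension and the origin's declared Content-Type), as an added example that is not the project's own code. The whitelist contents and the sample bodies are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// allowedImageTypes is a constructed whitelist of MIME types the proxy is
// willing to serve; anything that sniffs as something else is rejected.
var allowedImageTypes = map[string]bool{
	"image/jpeg": true,
	"image/png":  true,
	"image/gif":  true,
	"image/webp": true,
}

// SniffedType returns the content type detected from the first 512 bytes of
// body. It never consults the declared Content-Type header or the URL path.
func SniffedType(body []byte) string {
	if len(body) > 512 {
		body = body[:512]
	}
	ct := http.DetectContentType(body)
	// DetectContentType may append parameters ("text/html; charset=utf-8");
	// strip them so the lookup is on the bare media type.
	if i := strings.Index(ct, ";"); i >= 0 {
		ct = strings.TrimSpace(ct[:i])
	}
	return ct
}

// IsAllowedImage reports whether body sniffs as a whitelisted image type,
// returning the sniffed type so a mismatch with the declared one can be logged.
func IsAllowedImage(body []byte) (bool, string) {
	ct := SniffedType(body)
	return allowedImageTypes[ct], ct
}

func main() {
	// Constructed samples: a PNG signature, and an HTML document that a
	// misconfigured or hostile origin labels as image/png via the header.
	png := append([]byte("\x89PNG\r\n\x1a\n"), make([]byte, 16)...)
	html := []byte("<!DOCTYPE html><html><body>not an image</body></html>")
	for _, s := range []struct{ body []byte; declared string }{{png, "image/png"}, {html, "image/png"}} {
		ok, ct := IsAllowedImage(s.body)
		fmt.Printf("declared=%s sniffed=%s allowed=%v\n", s.declared, ct, ok)
	}
}
```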