[mod] data scheme URL : allow only images (png, jpeg, pjpeg, gif, webp)

git-svn-id: file:///srv/svn/repo/yukari/trunk@61 f3bd38d9-da89-464d-a02a-eb04e43141b5
2016-12-01 13:01:22 +00:00 · 2016-12-01 13:01:22 +00:00 · 809239ddc1
commit 809239ddc1
parent b9f693e84b
1 changed files with 11 additions and 1 deletions
--- a/morty.go
+++ b/morty.go
@ -687,7 +687,17 @@ func (rc *RequestConfig) ProxifyURI(uri []byte) (string, error) {

 	// TODO check malicious data: - e.g. data:script
 	if scheme == "data:" {
-		return string(uri), nil
+		if bytes.HasPrefix(uri, []byte("data:image/png")) ||
+			bytes.HasPrefix(uri, []byte("data:image/jpeg")) ||
+			bytes.HasPrefix(uri, []byte("data:image/pjpeg")) ||
+			bytes.HasPrefix(uri, []byte("data:image/gif")) ||
+			bytes.HasPrefix(uri, []byte("data:image/webp")) {
+			// should be safe
+			return string(uri), nil
+		} else {
+			// unsafe data
+			return "", nil
+		}
 	}

 	// parse the uri