From 2008a17f5e6c7777cbbe247aa680a4007275c46b Mon Sep 17 00:00:00 2001
From: Will Norris <will@willnorris.com>
Date: Fri, 12 May 2023 12:27:40 -0700
Subject: [PATCH] don't require redirect URLs to match AllowHosts

When following redirects, ensure that the final URL is not in the
configured DenyHosts list, but do not further enforce presence in the
AllowHosts list.

This was initially added in #237, and the original use case was about
protecting against redirects being used to bypass denied hosts. They
were using URL signatures and deny lists (for localhost, etc), but not
allow lists. So really, checking against the deny list is all that was
needed in that case.

This came up recently for me as I was trying to proxy images on a remote
host that redirects to Amazon S3. Even though the original URL was
signed, the redirect was being denied because s3-us-west-2.amazonaws.com
isn't on of my allowed host. But I don't want to allow all of S3, just
the signed URLs.
---
 imageproxy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/imageproxy.go b/imageproxy.go
index cb4724b..ce671db 100644
--- a/imageproxy.go
+++ b/imageproxy.go
@@ -197,7 +197,7 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 				}
 				return errTooManyRedirects
 			}
-			if hostMatches(p.DenyHosts, newreq.URL) || (len(p.AllowHosts) > 0 && !hostMatches(p.AllowHosts, newreq.URL)) {
+			if hostMatches(p.DenyHosts, newreq.URL) {
 				http.Error(w, msgNotAllowedInRedirect, http.StatusForbidden)
 				return errNotAllowed
 			}