From 6ed31170538c5ce04edca03bc7ee58eb17c7d549 Mon Sep 17 00:00:00 2001
From: Blake Stoddard
Date: Fri, 13 Nov 2020 16:35:44 -0500
Subject: [PATCH] Disallow anything with svg in the content-type header

---
 imageproxy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/imageproxy.go b/imageproxy.go
index 3ba4f2d..9a5826f 100644
--- a/imageproxy.go
+++ b/imageproxy.go
@@ -239,7 +239,7 @@ func (p *Proxy) serveImage(w http.ResponseWriter, r *http.Request) {
 resp.Body = ioutil.NopCloser(b)
 contentType = peekContentType(b)
 }
-if resp.ContentLength != 0 && !contentTypeMatches(p.ContentTypes, contentType) {
+if (resp.ContentLength != 0 && !contentTypeMatches(p.ContentTypes, contentType)) || strings.Contains(contentType, "svg") {
 p.logf("content-type not allowed: %q", contentType)
 http.Error(w, msgNotAllowed, http.StatusForbidden)
 return
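Review bot: The new `strings.Contains(contentType, "svg")` test on the added `if` line is case-sensitive, but MIME type tokens in a Content-Type header are case-insensitive, so a value such as `image/SVG+XML` passes this guard while still being treated as SVG by a browser; compare a lower-cased value instead: `strings.Contains(strings.ToLower(contentType), "svg")`. The rejection is also only as strong as the source of `contentType` — where it comes from the upstream header rather than `peekContentType(b)`, a mislabelled body is not caught, so this is a denylist backstop rather than a replacement for the `p.ContentTypes` allowlist; a one-line comment saying so (`// SVG can carry script; reject it regardless of the allowlist, but this trusts the declared type`) would keep the next maintainer from loosening it. Note that the ContentLength-based short-circuit on the same line still skips the allowlist entirely for zero-length responses, which this commit leaves unchanged. serveImage begins and ends outside the hunk, so I could not confirm from here that `strings` is already imported in imageproxy.go.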