Don't allow redirections to external websites.

See <https://cwe.mitre.org/data/definitions/601.html>.

README.md

@@ -12,7 +12,7 @@ specification for hosting profile images tied to email or OpenID addresses.
 * MD5 hashes
 * SHA256 hashes
 * Variable image size (`s` or `size`)
-* Default fallbacks (`d` or `default`): 404, URL, mp/mm, identicon, retro
+* Default fallbacks (`d` or `default`): 404, URL (only on the same server), mp/mm, identicon, retro
 
 The API is explained in greater detail at the
 [Libravar wiki](https://wiki.libravatar.org/api/).
@@ -24,6 +24,9 @@ The API is explained in greater detail at the
 * The default fallbacks monsterid, wavatar, robohash and pagan
   * Patches welcome
 * forcedefault
+* Fallback URLs for to external sites (due to [CWE-601](https://cwe.mitre.org/data/definitions/601.html))
+  * We have a server setting (`LIBRAVATARSERV_REDIRECT_*`) to redirect to
+    libravatar.org.
 
 ## Usage
 

src/libravatarserv.cpp

@@ -1,5 +1,5 @@
 /*  This file is part of libravatarserv.
- *  Copyright © 2018, 2019, 2020 tastytea <tastytea@tastytea.de>
+ *  Copyright © 2018, 2019, 2020, 2021 tastytea <tastytea@tastytea.de>
  *
  *  This program is free software: you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -15,10 +15,12 @@
  */
 
 #include "libravatarserv.hpp"
+
 #include "version.hpp"
 
 #include <Magick++/Geometry.h>
 #include <identiconpp.hpp>
+
 #include <iostream>
 
 using namespace libravatarserv;
@@ -81,7 +83,7 @@ int main()
         {
             cout << "Status: 404 Not Found\n\n";
         }
-        else if (avatar.fallback.substr(0, 4) == "http")
+        else if (avatar.fallback[0] == '/')
         {
             cout << "Status: 307 Temporary Redirect\n";
             cout << "Location: " << avatar.fallback << endl << endl;