What about sending to the full-size image if a size bigger than the image is requested? Also, as you're issuing a redirect, what are the risks if someone was able to upload a malicious file to the servers? (The thumbnailing process may guard against it.)
Make it only deliver the original if explicitly asked for it. Then it would also be a replacement for Special:Filepath.