fix: block private image proxy targets

2026-06-04 23:19:43 +08:00 · 2026-05-24 07:18:51 +08:00
parent 0273adc61c
commit 0b7854a0af
4 changed files with 191 additions and 2 deletions
--- a/app/api/endpoints/system.py
+++ b/app/api/endpoints/system.py
@@ -360,7 +360,7 @@ async def fetch_image(
        allowed_domains = set(settings.SECURITY_IMAGE_DOMAINS)

    # 验证URL安全性
-    if not SecurityUtils.is_safe_url(url, allowed_domains):
+    if not SecurityUtils.is_safe_url(url, allowed_domains, block_private=True):
        logger.warn(f"Blocked unsafe image URL: {url}")
        return None