Merge pull request #3876 from InfinityPacer/feature/security

2026-06-28 03:02:34 +08:00 · 2025-02-10 07:11:28 +08:00
parent 5e2ad34864 e48c8ee652
commit 4e69195a8d
2 changed files with 3 additions and 3 deletions
--- a/app/core/config.py
+++ b/app/core/config.py
@@ -243,7 +243,8 @@ class ConfigModel(BaseModel):
                                 "hdslb.com",
                                 "cmvideo.cn",
                                 "ykimg.com",
-                                 "qpic.cn"]
+                                 "qpic.cn",
+                                 "http://wapx.cmvideo.cn:8080"]
    )
    # 允许的图片文件后缀格式
    SECURITY_IMAGE_SUFFIXES: List[str] = Field(
--- a/app/utils/security.py
+++ b/app/utils/security.py
@@ -65,7 +65,6 @@ class SecurityUtils:
            netloc = parsed_url.netloc.lower()
            if not netloc:
                return False
-            netloc_no_port = netloc.split(":")[0]

            # 检查每个允许的域名
            allowed_domains = {d.lower() for d in allowed_domains}
@@ -79,7 +78,7 @@ class SecurityUtils:
                        return True
                else:
                    # 非严格模式下，允许子域名匹配
-                    if netloc_no_port == allowed_netloc or netloc_no_port.endswith('.' + allowed_netloc):
+                    if netloc == allowed_netloc or netloc.endswith('.' + allowed_netloc):
                        return True

            return False