From 7df07b86b9fe897c744cc3bf4048716ec68952a5 Mon Sep 17 00:00:00 2001
From: InfinityPacer <160988576+InfinityPacer@users.noreply.github.com>
Date: Mon, 10 Feb 2025 02:19:08 +0800
Subject: [PATCH 1/2] feat(security): add cmvideo image for http with port
---
 app/core/config.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/core/config.py b/app/core/config.py
index a4acf5c1..dd1d23fe 100644
--- a/app/core/config.py
+++ b/app/core/config.py
@@ -243,7 +243,8 @@ class ConfigModel(BaseModel):
 "hdslb.com",
 "cmvideo.cn",
 "ykimg.com",
- "qpic.cn"]
+ "qpic.cn",
+ "http://wapx.cmvideo.cn:8080"]
 )
 # 允许的图片文件后缀格式
 SECURITY_IMAGE_SUFFIXES: List[str] = Field(
From e48c8ee6529304ccd315afe24624b505363eb448 Mon Sep 17 00:00:00 2001
From: InfinityPacer <160988576+InfinityPacer@users.noreply.github.com>
Date: Mon, 10 Feb 2025 02:22:53 +0800
Subject: [PATCH 2/2] Revert "fix is_safe_url"
This reverts commit 5e2ad34864cf5e0105a4443e3a99d2fa5fe98d27.
---
 app/utils/security.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/app/utils/security.py b/app/utils/security.py
index c002adce..f7367915 100644
--- a/app/utils/security.py
+++ b/app/utils/security.py
@@ -65,7 +65,6 @@ class SecurityUtils:
 netloc = parsed_url.netloc.lower()
 if not netloc:
 return False
- netloc_no_port = netloc.split(":")[0]
 # 检查每个允许的域名
 allowed_domains = {d.lower() for d in allowed_domains}
@@ -79,7 +78,7 @@ class SecurityUtils:
 return True
 else:
 # 非严格模式下,允许子域名匹配
- if netloc_no_port == allowed_netloc or netloc_no_port.endswith('.' + allowed_netloc):
+ if netloc == allowed_netloc or netloc.endswith('.' + allowed_netloc):
 return True
 return False
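Review bot: The new entry `"http://wapx.cmvideo.cn:8080"` is a full URL with scheme and port, in a list whose other visible entries are bare domains, and nothing in the hunk records how the matcher interprets such an entry. If the check in `app/utils/security.py` compares only the netloc, as the second patch suggests, the `http://` prefix is not enforced and only `wapx.cmvideo.cn:8080` takes part in the match. A comment on the entry would record why it sits next to `"cmvideo.cn"`, for example `# host:port entry: "cmvideo.cn" alone does not match a URL that names an explicit port`. The endpoint is also plain HTTP, so images fetched from it have no transport integrity protection. The list definition starts above the hunk.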
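Review bot: The non-strict test `netloc == allowed_netloc or netloc.endswith('.' + allowed_netloc)` now runs on the raw `netloc`, which in `urlparse` still carries any `user:password@` prefix as well as the `:port` suffix. The allowlist decision therefore depends on the layout of that string rather than on the parsed host. Matching on `parsed_url.hostname` and comparing `parsed_url.port` with the entry's port as a separate step would keep the exact-port behaviour this revert restores while leaving userinfo out of the comparison. At minimum, add a comment such as `# netloc includes the port: a bare-domain entry only matches URLs without an explicit port`, and a test that pins that rejection, since the intent is only inferred from the paired config change. The enclosing method (presumably `is_safe_url`, going by the commit subject) starts and ends outside this hunk.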