oadmin/sub2api
1
0
Fork 0
Code Issues Pull Requests 1 Actions 2 Packages Projects Releases Wiki Activity
Files
e75d3e35840a3055f383672943b3f1cc24014856
sub2api/backend/internal
History
yangjianbo e75d3e3584 fix(security): 修复密码重置链接 Host Header 注入漏洞 (P0-07) 
ForgotPassword 原来从 c.Request.Host 构建重置链接基础 URL,攻击者
可伪造 Host 头将重置链接指向恶意域名窃取 token。

修复方案:
- ServerConfig 新增 frontend_url 配置项
- auth_handler 改为从配置读取前端 URL,未配置时拒绝请求
- Validate() 校验 frontend_url 必须为绝对 HTTP(S) URL
- 新增 TestValidateServerFrontendURL 单元测试
- config.example.yaml 添加配置说明

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 17:15:26 +08:00
..
config
fix(security): 修复密码重置链接 Host Header 注入漏洞 (P0-07)
2026-02-07 17:15:26 +08:00
domain
merge upstream main
2026-02-03 15:36:17 +08:00
handler
fix(security): 修复密码重置链接 Host Header 注入漏洞 (P0-07)
2026-02-07 17:15:26 +08:00
integration
refactor(antigravity): 简化模型映射逻辑,支持前缀匹配
2026-01-01 01:43:20 +08:00
middleware
merge upstream main
2026-02-02 22:13:50 +08:00
model
feat: 新增全局错误透传规则功能
2026-02-05 21:52:54 +08:00
pkg
chore: 前端增加opus4.6模型映射
2026-02-06 08:50:45 +08:00
repository
fix: 修复了 codex 更新用量窗口异常的 bug
2026-02-06 01:06:22 +08:00
server
fix(middleware): 管理员JWT增加TokenVersion校验
2026-02-07 16:34:57 +08:00
service
perf(service): 优化 model 替换函数,用 gjson/sjson 替代全量 JSON 序列化
2026-02-07 17:09:55 +08:00
setup
merge upstream main
2026-02-02 22:13:50 +08:00
util
merge upstream main
2026-02-02 22:13:50 +08:00
web
feat(安全): 实现 CSP nonce 支持解决内联脚本安全问题
2026-01-16 17:05:49 +08:00