f

2026-04-25 11:59:10 +08:00
parent e246271a24
commit ba463ae38d
33 changed files with 1600 additions and 112 deletions
--- a/internal/shared/middleware/daily_rate_limit.go
+++ b/internal/shared/middleware/daily_rate_limit.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"math"
+	"net/url"
 	"strconv"
 	"strings"
 	"time"
@@ -403,9 +404,24 @@ func (m *DailyRateLimitMiddleware) checkReferer(c *gin.Context) error {

 	// 检查允许的Referer
 	if len(m.limitConfig.AllowedReferers) > 0 {
+		parsedReferer, err := url.Parse(referer)
+		if err != nil || parsedReferer.Scheme == "" || parsedReferer.Host == "" {
+			return fmt.Errorf("Referer格式无效")
+		}
+		refererOrigin := parsedReferer.Scheme + "://" + parsedReferer.Host
+
 		allowed := false
 		for _, allowedRef := range m.limitConfig.AllowedReferers {
-			if strings.Contains(referer, allowedRef) {
+			allowedRef = strings.TrimSpace(allowedRef)
+			if allowedRef == "" {
+				continue
+			}
+			parsedAllowed, parseErr := url.Parse(allowedRef)
+			if parseErr != nil || parsedAllowed.Scheme == "" || parsedAllowed.Host == "" {
+				continue
+			}
+			allowedOrigin := parsedAllowed.Scheme + "://" + parsedAllowed.Host
+			if refererOrigin == allowedOrigin {
 				allowed = true
 				break
 			}