修复多项安全漏洞

安全修复清单: 1. 验证码改为图片方式返回，防止明文泄露 2. CORS配置从环境变量读取，不再使用通配符"*" 3. VIP API添加@admin_required装饰器，统一认证 4. 用户登录统一错误消息，防止用户枚举 5. IP限流不再信任X-Forwarded-For头，防止伪造绕过 6. 密码强度要求提升(8位+字母+数字) 7. 日志不��记录完整session/cookie内容，防止敏感信息泄露 8. XSS防护：日志输出和Bug反馈内容转义HTML 9. SQL注入防护：LIKE查询参数转义 10. 路径遍历防护：截图目录白名单验证 11. 验证码重放防护：验证前删除验证码 12. 数据库连接池健康检查 13. 正则DoS防护：限制数字匹配长度 14. Account类密码私有化，__repr__不暴露密码 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-11 17:53:48 +08:00
parent a4b7074634
commit 70cd95c366
10 changed files with 256 additions and 101 deletions
--- a/templates/login.html
+++ b/templates/login.html
@@ -185,7 +185,7 @@
                    <label for="captcha">验证码</label>
                    <div class="captcha-row">
                        <input type="text" id="captcha" name="captcha" placeholder="请输入验证码">
-                        <span id="captchaCode" class="captcha-code">----</span>
+                        <img id="captchaImage" src="" alt="验证码" style="height: 36px; border: 1px solid #ddd; border-radius: 4px; cursor: pointer;" onclick="refreshCaptcha()" title="点击刷新">
                        <button type="button" class="captcha-refresh" onclick="refreshCaptcha()">🔄</button>
                    </div>
                </div>
@@ -253,7 +253,7 @@
                else { errorDiv.textContent = data.error || '申请失败'; errorDiv.style.display = 'block'; }
            } catch (error) { errorDiv.textContent = '网络错误'; errorDiv.style.display = 'block'; }
        }
-        async function generateCaptcha() { try { const response = await fetch('/api/generate_captcha', { method: 'POST', headers: { 'Content-Type': 'application/json' } }); const data = await response.json(); if (data.session_id && data.captcha) { captchaSession = data.session_id; document.getElementById('captchaCode').textContent = data.captcha; } } catch (error) { console.error('生成验证码失败:', error); } }
+        async function generateCaptcha() { try { const response = await fetch('/api/generate_captcha', { method: 'POST', headers: { 'Content-Type': 'application/json' } }); const data = await response.json(); if (data.session_id && data.captcha_image) { captchaSession = data.session_id; document.getElementById('captchaImage').src = data.captcha_image; } } catch (error) { console.error('生成验证码失败:', error); } }
        async function refreshCaptcha() { await generateCaptcha(); document.getElementById('captcha').value = ''; }
        document.addEventListener('keydown', (e) => { if (e.key === 'Escape') closeForgotPassword(); });
    </script>