Fix ssrf lookback edge case (#4205)

Author: ildyria

.trivyignore

@@ -10,4 +10,7 @@ CVE-2026-25793
 CVE-2025-45769
 
 # True positive but local attack vector, we will be waiting for frankenphp to update their image.
-CVE-2026-0861
+CVE-2026-0861
+
+# Unfortunately Frankenphp is
+CVE-2026-33186

Dockerfile

@@ -56,7 +56,7 @@ RUN npm run build
 # ============================================================================
 # Stage 3: Production FrankenPHP Image
 # ============================================================================
-FROM dunglas/frankenphp:php8.5-trixie@sha256:7315062106fd2ee885d884072e3335f59e25a3abc34de0a03e102604ab73b4d0
+FROM dunglas/frankenphp:php8.5-trixie@sha256:93dcc4f16e01f0bc8e9d752bb19559cba4a23c14c9fd7ab825538fb432cd91ed
 
 ARG USER=appuser
 

app/Rules/PhotoUrlRule.php

@@ -86,7 +86,7 @@ public function validate(string $attribute, mixed $value, \Closure $fail): void
 		if (
 			$this->config_manager->getValueAsBool('import_via_url_forbidden_local_ip') &&
 			filter_var($host, FILTER_VALIDATE_IP) !== false &&
-			filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE) === false
+			filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false
 		) {
 			$fail($attribute . ' must not be a private IP address.');
 
@@ -95,7 +95,7 @@ public function validate(string $attribute, mixed $value, \Closure $fail): void
 
 		if (
 			$this->config_manager->getValueAsBool('import_via_url_forbidden_localhost') &&
-			$host === 'localhost'
+			in_array(strtolower($host), ['localhost', '127.0.0.1', '::1'], true)
 		) {
 			$fail($attribute . ' must not be localhost.');
 

database/migrations/2026_03_20_175331_bump_version070501.php

@@ -0,0 +1,52 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2026 LycheeOrg.
+ */
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\Artisan;
+use Illuminate\Support\Facades\DB;
+use Symfony\Component\Console\Output\ConsoleOutput;
+use Symfony\Component\Console\Output\ConsoleSectionOutput;
+
+return new class() extends Migration {
+	private ConsoleOutput $output;
+	private ConsoleSectionOutput $msg_section;
+
+	public function __construct()
+	{
+		$this->output = new ConsoleOutput();
+		$this->msg_section = $this->output->section();
+	}
+
+	/**
+	 * Run the migrations.
+	 *
+	 * @return void
+	 */
+	public function up(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '070501']);
+		try {
+			Artisan::call('cache:clear');
+		} catch (\Throwable $e) {
+			$this->msg_section->writeln('<error>Warning:</error> Failed to clear cache for version 7.5.1');
+
+			return;
+		}
+		$this->msg_section->writeln('<info>Info:</info> Cleared cache for version 7.5.1');
+	}
+
+	/**
+	 * Reverse the migrations.
+	 *
+	 * @return void
+	 */
+	public function down(): void
+	{
+		DB::table('configs')->where('key', 'version')->update(['value' => '070500']);
+	}
+};

version.md

@@ -1 +1 @@
-7.5.0
+7.5.1