First of all, Thanks to my friend Haxatron for his excellent report
I read the fix commit, and I found out that the code only Checked the IP addresses and didn’t check the domain names that refer to a private IP address
first, set up a local server at 127.0.0.2:8000
and put a media file on it named 1.mp4
.
second, use the following URL to import A video with URL upload when you want to publish a video:
http://a.domain.pointing.to.127.0.0.2:8000/1.mp4
You can see that the local server files can be enumerated, and even if there is any media file with a guessable name, it can be leaked through the URL download procedure.