huntr report C3724574-B6C9-430B-849B-40DD2B20F23C

Server-Side Request Forgery (SSRF) in chocobozzz/peertube

2022-02-05 22:00:31
amammad
www.huntr.dev
8

EPSS: 0.001 (Low), percentile 30.0%

Description

First of all, thanks to my friend Haxatron for his excellent report.

I read the fix commit, and I found out that the code only checked the IP addresses and didn't check the domain names that refer to a private IP address.

Steps to reproduce

First, set up a local server at 127.0.0.2:8000 and put a media file on it named 1.mp4.

Second, use the following URL to import a video via URL upload when you want to publish a video:

http://a.domain.pointing.to.127.0.0.2:8000/1.mp4

Impact

Files on the local server can be enumerated, and any media file with a guessable name can be leaked through the URL download procedure.
