security fix: Uncontrolled data used in path expression

This commit is contained in:
mhsanaei
2025-09-21 18:13:28 +02:00
parent 806ecbd7c5
commit 55f1d72af5
2 changed files with 55 additions and 7 deletions


@@ -138,6 +138,14 @@ func (a *ServerController) installXray(c *gin.Context) {
// updateGeofile updates the specified geo file for Xray.
func (a *ServerController) updateGeofile(c *gin.Context) {
fileName := c.Param("fileName")
// Validate the filename for security (prevent path traversal attacks)
if fileName != "" && !a.serverService.IsValidGeofileName(fileName) {
jsonMsg(c, I18nWeb(c, "pages.index.geofileUpdatePopover"),
fmt.Errorf("invalid filename: contains unsafe characters or path traversal patterns"))
return
}
err := a.serverService.UpdateGeofile(fileName)
jsonMsg(c, I18nWeb(c, "pages.index.geofileUpdatePopover"), err)
}
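Review bot: The `fileName != ""` condition on the new `if` exempts an empty name from validation, so `a.serverService.UpdateGeofile("")` is reached with no check at all; if an empty name deliberately means "refresh every geo file", that should be stated on the guard, e.g. `// Empty fileName is intentionally passed through unvalidated; UpdateGeofile is expected to treat it as "update all" — confirm this matches the service`, and otherwise the guard should simply be `if !a.serverService.IsValidGeofileName(fileName) {`. Whether `IsValidGeofileName` is an allowlist of known geo file names or a pattern-based rejection cannot be judged from this hunk, since it lives in the second changed file, which is not shown here; an allowlist is the safer shape for a value that ends up in a path. Because this handler is presumably not the only caller of `UpdateGeofile`, applying the same name validation inside the service as well would keep the traversal guard from depending on every route remembering it. The hunk header counts 14 new-side lines but only 12 are visible, so two lines (likely blanks) appear to have been lost in rendering.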