| author | mhsanaei <ho3ein.sanaei@gmail.com> | 2025-09-21 18:52:18 +0300 |
|---|---|---|
| committer | mhsanaei <ho3ein.sanaei@gmail.com> | 2025-09-21 18:52:18 +0300 |
| commit | e64e6327ef4cfda8f612c98882fe649c02918ac7 (patch) | |
| tree | dbb1043dff65b1cac2a97ee10fa1198be41b82e8 | |
| parent | 9f024b9e6a5c5a8d7adbac36fa2f8e38a29455f0 (diff) | |
security fix: Uncontrolled data used in path expression
| -rw-r--r-- | web/service/server.go | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/web/service/server.go b/web/service/server.go
index 5fea423b..a268a13e 100644
--- a/web/service/server.go
+++ b/web/service/server.go
@@ -1008,7 +1008,19 @@ func (s *ServerService) UpdateGeofile(fileName string) error {
 		{"https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geoip.dat", "geoip_RU.dat"},
 		{"https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geosite.dat", "geosite_RU.dat"},
 	}
-
+	// Strict allowlist check to avoid writing uncontrolled files
+	if fileName != "" {
+		isAllowed := false
+		for _, file := range files {
+			if fileName == file.FileName {
+				isAllowed = true
+				break
+			}
+		}
+		if !isAllowed {
+			return common.NewErrorf("Invalid geofile name: %s", fileName)
+		}
+	}
 	downloadFile := func(url, destPath string) error {
 		resp, err := http.Get(url)
 		if err != nil { |
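Review bot: The allowlist at the top of the added block is skipped entirely when `fileName` is empty, so the guard covers only non-empty names and a reader has to look outside the hunk to learn what an empty name means. If `""` is the intended way to say "refresh every file in the list" (I cannot confirm that from this hunk; UpdateGeofile's body continues past it), the exemption should say so in place of the generic comment: `// An empty fileName means "all files" and is deliberately exempt from the allowlist.` If it is not intended, the outer `if fileName != ""` should be dropped so the empty case returns the same error instead of reaching the download code unchecked. Since the rejected name is echoed back to the caller, `return common.NewErrorf("Invalid geofile name: %q", fileName)` would keep control characters in an attacker-chosen name from passing through unescaped into the error text.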
