github.com/MHSanaei/3x-ui.git - Unnamed repository; edit this file 'description' to name the repository.
authormhsanaei <ho3ein.sanaei@gmail.com>2025-09-21 19:13:28 +0300
committermhsanaei <ho3ein.sanaei@gmail.com>2025-09-21 19:51:54 +0300
commit55f1d72af51b3b282c9cb83db12dd58e7688ff22 (patch)
tree78762a51a63d6870c2758bf64b8b523d7485c9d0 /web/controller
parent806ecbd7c59b178b54a0567ad1f21e3819c4cd09 (diff)
security fix: Uncontrolled data used in path expression
Diffstat (limited to 'web/controller')
-rw-r--r--web/controller/server.go8
1 files changed, 8 insertions, 0 deletions
diff --git a/web/controller/server.go b/web/controller/server.go
index 60d165c5..292ef338 100644
--- a/web/controller/server.go
+++ b/web/controller/server.go
@@ -138,6 +138,14 @@ func (a *ServerController) installXray(c *gin.Context) {
// updateGeofile updates the specified geo file for Xray.
func (a *ServerController) updateGeofile(c *gin.Context) {
fileName := c.Param("fileName")
+
+ // Validate the filename for security (prevent path traversal attacks)
+ if fileName != "" && !a.serverService.IsValidGeofileName(fileName) {
+ jsonMsg(c, I18nWeb(c, "pages.index.geofileUpdatePopover"),
+ fmt.Errorf("invalid filename: contains unsafe characters or path traversal patterns"))
+ return
+ }
+
err := a.serverService.UpdateGeofile(fileName)
jsonMsg(c, I18nWeb(c, "pages.index.geofileUpdatePopover"), err)
}
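Review bot: The new guard on the `fileName != "" &&` line skips validation whenever the parameter is empty, and nothing in the hunk says why an empty name is acceptable, so the clause reads like a bypass rather than a deliberate case; if the route treats an empty name as "refresh every geo file", put that on the line above it, e.g. `// An empty name refreshes all geo files; only a caller-supplied name needs validating.`, otherwise drop the `fileName != ""` clause so every value goes through the allow-list. The check lives only in this handler while the path is built inside `a.serverService.UpdateGeofile`, so any other caller of the service still reaches the path expression unvalidated; repeating the `IsValidGeofileName` check at the start of `UpdateGeofile` keeps the control next to the code that builds the path. The rejected value is also discarded here, leaving no server-side record of a traversal attempt beyond the client-facing error, so consider logging it quoted with `%q` before returning. `IsValidGeofileName` and `UpdateGeofile` are outside the hunk, so their exact behavior is inferred.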