Diffstat (limited to 'web/controller/server.go')
| -rw-r--r-- | web/controller/server.go | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/web/controller/server.go b/web/controller/server.go
index 60d165c5..292ef338 100644
--- a/web/controller/server.go
+++ b/web/controller/server.go
@@ -138,6 +138,14 @@ func (a *ServerController) installXray(c *gin.Context) {
 // updateGeofile updates the specified geo file for Xray.
 func (a *ServerController) updateGeofile(c *gin.Context) {
 fileName := c.Param("fileName")
+
+ // Validate the filename for security (prevent path traversal attacks)
+ if fileName != "" && !a.serverService.IsValidGeofileName(fileName) {
+ jsonMsg(c, I18nWeb(c, "pages.index.geofileUpdatePopover"),
+ fmt.Errorf("invalid filename: contains unsafe characters or path traversal patterns"))
+ return
+ }
+
 err := a.serverService.UpdateGeofile(fileName)
 jsonMsg(c, I18nWeb(c, "pages.index.geofileUpdatePopover"), err)
 }
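Review bot: The `fileName != ""` guard means an empty path parameter skips IsValidGeofileName entirely and is still handed to UpdateGeofile on the following line; if the service treats "" as "update every geo file" that is fine, but it should be stated, e.g. `// An empty fileName is deliberately not validated; UpdateGeofile treats it as "update all" — confirm against the service.` More generally the check lives in the controller while the name is consumed inside UpdateGeofile, so any other caller of the service gets no protection; consider having UpdateGeofile itself call IsValidGeofileName (or compare against an allowlist of known geo file names) and reject before touching the filesystem, leaving this controller check as a fast-fail duplicate. Minor: the message has no format verbs, so `errors.New("invalid filename: contains unsafe characters or path traversal patterns")` is the idiomatic form. What IsValidGeofileName actually accepts is not visible in this hunk, so the strength of the protection cannot be judged from here.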
