
github.com/MHSanaei/3x-ui.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'web/service')
-rw-r--r--web/service/server.go14
1 files changed, 13 insertions, 1 deletions
diff --git a/web/service/server.go b/web/service/server.go
index 5fea423b..a268a13e 100644
--- a/web/service/server.go
+++ b/web/service/server.go
@@ -1008,7 +1008,19 @@ func (s *ServerService) UpdateGeofile(fileName string) error {
{"https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geoip.dat", "geoip_RU.dat"},
{"https://github.com/runetfreedom/russia-v2ray-rules-dat/releases/latest/download/geosite.dat", "geosite_RU.dat"},
}
-
+ // Strict allowlist check to avoid writing uncontrolled files
+ if fileName != "" {
+ isAllowed := false
+ for _, file := range files {
+ if fileName == file.FileName {
+ isAllowed = true
+ break
+ }
+ }
+ if !isAllowed {
+ return common.NewErrorf("Invalid geofile name: %s", fileName)
+ }
+ }
downloadFile := func(url, destPath string) error {
resp, err := http.Get(url)
if err != nil {
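Review bot: The rejection path `return common.NewErrorf("Invalid geofile name: %s", fileName)` echoes the caller-supplied name verbatim. If that error reaches a log or an API response, embedded newlines or control characters can forge or garble entries, so quote it instead: `return common.NewErrorf("Invalid geofile name: %q", fileName)`. The `fileName != ""` guard also exempts the empty string from the allowlist, presumably because empty means "update every file"; the comment should say so, e.g. `// Empty fileName updates all entries; any other value must exactly match an allowlisted FileName.` The exact-match comparison only protects the write path if the code after this check builds the destination from the matched entry or the now-validated name. UpdateGeofile starts and ends outside this hunk, so that cannot be confirmed here.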