From 55f1d72af51b3b282c9cb83db12dd58e7688ff22 Mon Sep 17 00:00:00 2001
From: mhsanaei
Date: Sun, 21 Sep 2025 18:13:28 +0200
Subject: security fix: Uncontrolled data used in path expression

---
 web/controller/server.go | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'web/controller/server.go')

diff --git a/web/controller/server.go b/web/controller/server.go
index 60d165c5..292ef338 100644
--- a/web/controller/server.go
+++ b/web/controller/server.go
@@ -138,6 +138,14 @@ func (a *ServerController) installXray(c *gin.Context) {
 // updateGeofile updates the specified geo file for Xray.
 func (a *ServerController) updateGeofile(c *gin.Context) {
 fileName := c.Param("fileName")
+
+ // Validate the filename for security (prevent path traversal attacks)
+ if fileName != "" && !a.serverService.IsValidGeofileName(fileName) {
+ jsonMsg(c, I18nWeb(c, "pages.index.geofileUpdatePopover"),
+ fmt.Errorf("invalid filename: contains unsafe characters or path traversal patterns"))
+ return
+ }
+
 err := a.serverService.UpdateGeofile(fileName)
 jsonMsg(c, I18nWeb(c, "pages.index.geofileUpdatePopover"), err)
 }
--
cgit v1.2.3
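Review bot: The guard `if fileName != "" && !a.serverService.IsValidGeofileName(fileName)` exempts the empty name from validation, so an empty `fileName` still reaches `UpdateGeofile` unchecked; if the service treats empty as "use the default file" that is fine, but the exemption should say so, e.g. `// empty selects the default geofile; UpdateGeofile handles it` — otherwise drop the `!= ""` clause and let the validator decide. Since `IsValidGeofileName` and `UpdateGeofile` are not in this hunk, it is worth confirming that `UpdateGeofile` itself also rejects unsafe names, so any other caller of the service gets the same protection rather than relying on this controller. The error text has no format verbs, so `errors.New("invalid filename: contains unsafe characters or path traversal patterns")` is the idiomatic form (staticcheck flags `fmt.Errorf` with a constant string). The remainder of updateGeofile is within the hunk.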