Fix Gin Web Framework does not properly sanitize filename, Optimize p…

…anel (#54)
sing-web · May 15, 2023 · cbb8216 · cbb8216
1 parent 32bb852
commit cbb8216
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 10 deletions.
diff --git a/config/version b/config/version
@@ -1 +1 @@
-v0.3.3.9
+v0.3.3.10
diff --git a/web/assets/js/model/xray.js b/web/assets/js/model/xray.js
@@ -55,17 +55,11 @@ const TLS_VERSION_OPTION = {
 };
 
 const TLS_CIPHER_OPTION = {
-    RSA_AES_128_CBC: "TLS_RSA_WITH_AES_128_CBC_SHA",
-    RSA_AES_256_CBC: "TLS_RSA_WITH_AES_256_CBC_SHA",
-    RSA_AES_128_GCM: "TLS_RSA_WITH_AES_128_GCM_SHA256",
-    RSA_AES_256_GCM: "TLS_RSA_WITH_AES_256_GCM_SHA384",
     AES_128_GCM: "TLS_AES_128_GCM_SHA256",
     AES_256_GCM: "TLS_AES_256_GCM_SHA384",
     CHACHA20_POLY1305: "TLS_CHACHA20_POLY1305_SHA256",
     ECDHE_ECDSA_AES_128_CBC: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
     ECDHE_ECDSA_AES_256_CBC: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-    ECDHE_RSA_AES_128_CBC: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-    ECDHE_RSA_AES_256_CBC: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
     ECDHE_ECDSA_AES_128_GCM: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
     ECDHE_ECDSA_AES_256_GCM: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
     ECDHE_RSA_AES_128_GCM: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
@@ -660,44 +654,55 @@ class RealityStreamSettings extends XrayCommonClass {
 }
 
 class SockoptStreamSettings extends XrayCommonClass {
-    constructor(tcpFastOpen = false,
+    constructor(tcpMaxSeg = 1440,
+        tcpFastOpen = false,
         domainStrategy = DOMAIN_STRATEGY.AsIs,
         tcpcongestion = '',
         acceptProxyProtocol = false,
         tcpKeepAliveIdle = 0,
         tcpKeepAliveInterval = 0,
+        tcpUserTimeout = 10000,
         _interface = "",
     ) {
         super();
+        this.tcpMaxSeg = tcpMaxSeg;
         this.tcpFastOpen = tcpFastOpen;
         this.domainStrategy = domainStrategy;
         this.tcpcongestion = tcpcongestion;
         this.acceptProxyProtocol = acceptProxyProtocol;
         this.tcpKeepAliveIdle = tcpKeepAliveIdle;
         this.tcpKeepAliveInterval = tcpKeepAliveInterval;
+        this.tcpUserTimeout = tcpUserTimeout;
+        this.tcpcongestion = tcpcongestion;
         this.interface = _interface instanceof Array ? this.interface : _interface;
     }
 
     static fromJson(json = {}) {
         return new SockoptStreamSettings(
+            json.tcpMaxSeg,
             json.tcpFastOpen,
             json.domainStrategy,
             json.tcpcongestion,
             json.acceptProxyProtocol,
             json.tcpKeepAliveIdle,
             json.tcpKeepAliveInterval,
+            json.tcpUserTimeout,
+            json.tcpcongestion,
             json.interface,
         );
     }
 
     toJson() {
         return {
+            tcpMaxSeg: this.tcpMaxSeg,
             tcpFastOpen: this.tcpFastOpen,
             domainStrategy: this.domainStrategy,
             tcpcongestion: this.tcpcongestion,
             acceptProxyProtocol: this.acceptProxyProtocol,
             tcpKeepAliveIdle: this.tcpKeepAliveIdle,
             tcpKeepAliveInterval: this.tcpKeepAliveInterval,
+            tcpUserTimeout: this.tcpUserTimeout,
+            tcpcongestion: this.tcpcongestion,
             interface: this.interface,
         };
     }

diff --git a/web/controller/server.go b/web/controller/server.go
@@ -1,13 +1,18 @@
 package controller
 
 import (
+	"fmt"
+	"net/http"
+	"regexp"
 	"time"
 	"x-ui/web/global"
 	"x-ui/web/service"
 
 	"github.com/gin-gonic/gin"
 )
 
+var filenameRegex = regexp.MustCompile(`^[a-zA-Z0-9_\-.]+$`)
+
 type ServerController struct {
 	BaseController
 
@@ -192,14 +197,27 @@ func (a *ServerController) getDatabase(c *gin.Context) {
 		jsonMsg(c, "get Database", err)
 		return
 	}
+
+	filename := "x-ui.db"
+
+	if !isValidFilename(filename) {
+		c.AbortWithError(http.StatusBadRequest, fmt.Errorf("Invalid filename"))
+		return
+	}
+
 	// Set the headers for the response
 	c.Header("Content-Type", "application/octet-stream")
-	c.Header("Content-Disposition", "attachment; filename=x-ui.db")
+	c.Header("Content-Disposition", "attachment; filename"+filename)
 
 	// Write the file contents to the response
 	c.Writer.Write(db)
 }
 
+func isValidFilename(filename string) bool {
+    // Validate that the filename only contains allowed characters
+    return filenameRegex.MatchString(filename)
+}
+
 func (a *ServerController) getConfigJson(c *gin.Context) {
 	configJson, err := a.serverService.GetConfigJson()
 	if err != nil {

diff --git a/web/html/xui/form/stream_sockopt.html b/web/html/xui/form/stream_sockopt.html
@@ -15,7 +15,11 @@
     <transition name="list" appear>
         <a-card hoverable style="margin-bottom: 20px;" :class="siderDrawer.isDarkTheme ? darkClass : ''">
             </a-form-item>
-            <a-form-item label="tcpFastOpen">
+            <a-form-item label="TCP 数据包最大传输单元">
+                <a-input v-model.number="inbound.stream.sockopt.tcpMaxSeg" style="width: 65px;">
+                </a-input>
+            </a-form-item>
+            <a-form-item label="TCP Fast Open">
                 <a-switch v-model="inbound.stream.sockopt.tcpFastOpen">
                     <!-- <a-select-option :value="false">false</a-select-option>
             <a-select-option :value="true">true</a-select-option> -->
@@ -40,6 +44,10 @@
                 <a-input v-model.number="inbound.stream.sockopt.tcpKeepAliveIdle" style="width: 165px;">
                 </a-input>
             </a-form-item>
+            <a-form-item label="TCP UserTimeout">
+                <a-input v-model.number="inbound.stream.sockopt.tcpUserTimeout" style="width: 165px;">
+                </a-input>
+            </a-form-item>
             <a-form-item label="TCP 拥塞控制算法">
                 <a-select v-model="inbound.stream.sockopt.tcpcongestion" style="width:200px">
                     <a-select-option value="">系统默认</a-select-option>