|
@@ -1,6 +1,9 @@
|
|
|
package controller
|
|
|
|
|
|
import (
|
|
|
+ "fmt"
|
|
|
+ "net/http"
|
|
|
+ "regexp"
|
|
|
"time"
|
|
|
"x-ui/web/global"
|
|
|
"x-ui/web/service"
|
|
@@ -8,6 +11,8 @@ import (
|
|
|
"github.com/gin-gonic/gin"
|
|
|
)
|
|
|
|
|
|
+var filenameRegex = regexp.MustCompile(`^[a-zA-Z0-9_\-.]+$`)
|
|
|
+
|
|
|
type ServerController struct {
|
|
|
BaseController
|
|
|
|
|
@@ -136,14 +141,27 @@ func (a *ServerController) getDb(c *gin.Context) {
|
|
|
jsonMsg(c, "get Database", err)
|
|
|
return
|
|
|
}
|
|
|
+
|
|
|
+ filename := "x-ui.db"
|
|
|
+
|
|
|
+ if !isValidFilename(filename) {
|
|
|
+ c.AbortWithError(http.StatusBadRequest, fmt.Errorf("invalid filename"))
|
|
|
+ return
|
|
|
+ }
|
|
|
+
|
|
|
// Set the headers for the response
|
|
|
c.Header("Content-Type", "application/octet-stream")
|
|
|
- c.Header("Content-Disposition", "attachment; filename=x-ui.db")
|
|
|
+ c.Header("Content-Disposition", "attachment; filename="+filename)
|
|
|
|
|
|
// Write the file contents to the response
|
|
|
c.Writer.Write(db)
|
|
|
}
|
|
|
|
|
|
+func isValidFilename(filename string) bool {
|
|
|
+ // Validate that the filename only contains allowed characters
|
|
|
+ return filenameRegex.MatchString(filename)
|
|
|
+}
|
|
|
+
|
|
|
func (a *ServerController) importDB(c *gin.Context) {
|
|
|
// Get the file from the request body
|
|
|
file, _, err := c.Request.FormFile("db")
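Review bot: The `if !isValidFilename(filename)` check guards a literal the handler just assigned itself (`filename := "x-ui.db"`), so it can never fail and the `http.StatusBadRequest` branch is unreachable — it reads like input validation but protects nothing, which can mislead a later reader into assuming request-derived names are already screened. If the name is meant to come from the request eventually, move the check to that point; otherwise drop it and document the intent on the regex, e.g. `// filenameRegex must stay in front of any request-derived name before it reaches Content-Disposition`. Note the header is safe unquoted only because the allowlist excludes `"`, `;`, whitespace and CR/LF; if the regex is ever widened, switch to the quoted form `c.Header("Content-Disposition", "attachment; filename=\""+filename+"\"")`. The new error path also diverges from the handler's convention: the preceding branch reports via `jsonMsg(c, "get Database", err)`, while `c.AbortWithError` only sets the status and records the error in `c.Errors` without writing a body, so the client gets an empty 400. `getDb` and `isValidFilename` are complete within the hunk; `importDB` continues past it.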
|