Alex-Devera/3x-ui
1
0
Fork 0
mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-06 13:14:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Merge 974783e879 into f9ae0347c6

Browse source
This commit is contained in:
Motalleb Fallahnezhad 2026-05-16 14:26:55 +03:30 committed by GitHub
commit eebec014c1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 13 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
config/config.go
View file

@ -10,6 +10,7 @@ import (
"path/filepath" "path/filepath"
"runtime" "runtime"
"strings" "strings"
"sync"
) )
//go:embed version //go:embed version
@ -57,6 +58,13 @@ func IsDebug() bool {
return os.Getenv("XUI_DEBUG") == "true" return os.Getenv("XUI_DEBUG") == "true"
} }
// AllowPrivateIPs returns true if user bypasses security checks via the ALLOW_PRIVATES environment variable.
var AllowPrivateIPs = sync.OnceValue(allowPrivateIPs)
func allowPrivateIPs() bool {
return os.Getenv("ALLOW_PRIVATE_IPS") == "true"
}
// GetBinFolderPath returns the path to the binary folder, defaulting to "bin" if not set via XUI_BIN_FOLDER. // GetBinFolderPath returns the path to the binary folder, defaulting to "bin" if not set via XUI_BIN_FOLDER.
func GetBinFolderPath() string { func GetBinFolderPath() string {
binFolderPath := os.Getenv("XUI_BIN_FOLDER") binFolderPath := os.Getenv("XUI_BIN_FOLDER")

3
web/controller/xray_setting.go
View file

@ -3,6 +3,7 @@ package controller
import ( import (
"encoding/json" "encoding/json"
"github.com/mhsanaei/3x-ui/v3/config"
"github.com/mhsanaei/3x-ui/v3/util/common" "github.com/mhsanaei/3x-ui/v3/util/common"
"github.com/mhsanaei/3x-ui/v3/web/service" "github.com/mhsanaei/3x-ui/v3/web/service"
@ -213,7 +214,7 @@ func (a *XraySettingController) testOutbound(c *gin.Context) {
// Load the test URL from server settings to prevent SSRF via user-controlled URLs // Load the test URL from server settings to prevent SSRF via user-controlled URLs
testURL, _ := a.SettingService.GetXrayOutboundTestUrl() testURL, _ := a.SettingService.GetXrayOutboundTestUrl()
testURL, err := service.SanitizePublicHTTPURL(testURL, false) testURL, err := service.SanitizePublicHTTPURL(testURL, config.AllowPrivateIPs())
if err != nil { if err != nil {
jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err) jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err)
return return

3
web/job/xray_traffic_job.go
View file

@ -3,6 +3,7 @@ package job
import ( import (
"encoding/json" "encoding/json"
"github.com/mhsanaei/3x-ui/v3/config"
"github.com/mhsanaei/3x-ui/v3/logger" "github.com/mhsanaei/3x-ui/v3/logger"
"github.com/mhsanaei/3x-ui/v3/web/service" "github.com/mhsanaei/3x-ui/v3/web/service"
"github.com/mhsanaei/3x-ui/v3/web/websocket" "github.com/mhsanaei/3x-ui/v3/web/websocket"
@ -137,7 +138,7 @@ func (j *XrayTrafficJob) informTrafficToExternalAPI(inboundTraffics []*xray.Traf
logger.Warning("get ExternalTrafficInformURI failed:", err) logger.Warning("get ExternalTrafficInformURI failed:", err)
return return
} }
informURL, err = service.SanitizePublicHTTPURL(informURL, false) informURL, err = service.SanitizePublicHTTPURL(informURL, config.AllowPrivateIPs())
if err != nil { if err != nil {
logger.Warning("ExternalTrafficInformURI blocked:", err) logger.Warning("ExternalTrafficInformURI blocked:", err)
return return

2
web/service/tgbot.go
View file

@ -341,7 +341,7 @@ func (t *Tgbot) NewBot(token string, proxyUrl string, apiServerUrl string) (*tel
// Validate API server URL if provided // Validate API server URL if provided
if apiServerUrl != "" { if apiServerUrl != "" {
safeURL, err := SanitizePublicHTTPURL(apiServerUrl, false) safeURL, err := SanitizePublicHTTPURL(apiServerUrl, config.AllowPrivateIPs())
if err != nil { if err != nil {
logger.Warningf("Invalid or blocked API server URL, using default: %v", err) logger.Warningf("Invalid or blocked API server URL, using default: %v", err)
apiServerUrl = "" apiServerUrl = ""