Alex-Devera/3x-ui
1
0
Fork 0
mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-06 13:14:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Merge 974783e879 into f9ae0347c6

Browse source
This commit is contained in:
Motalleb Fallahnezhad 2026-05-16 14:26:55 +03:30 committed by GitHub
commit eebec014c1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 13 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
config/config.go
View file

@ -10,6 +10,7 @@ import (
"path/filepath"
"runtime"
"strings"
"sync"
)
//go:embed version
@ -57,6 +58,13 @@ func IsDebug() bool {
return os.Getenv("XUI_DEBUG") == "true"
}
// AllowPrivateIPs returns true if user bypasses security checks via the ALLOW_PRIVATES environment variable.
var AllowPrivateIPs = sync.OnceValue(allowPrivateIPs)
func allowPrivateIPs() bool {
return os.Getenv("ALLOW_PRIVATE_IPS") == "true"
}
// GetBinFolderPath returns the path to the binary folder, defaulting to "bin" if not set via XUI_BIN_FOLDER.
func GetBinFolderPath() string {
binFolderPath := os.Getenv("XUI_BIN_FOLDER")

3
web/controller/xray_setting.go
View file

@ -3,6 +3,7 @@ package controller
import (
"encoding/json"
"github.com/mhsanaei/3x-ui/v3/config"
"github.com/mhsanaei/3x-ui/v3/util/common"
"github.com/mhsanaei/3x-ui/v3/web/service"
@ -213,7 +214,7 @@ func (a *XraySettingController) testOutbound(c *gin.Context) {
// Load the test URL from server settings to prevent SSRF via user-controlled URLs
testURL, _ := a.SettingService.GetXrayOutboundTestUrl()
testURL, err := service.SanitizePublicHTTPURL(testURL, false)
testURL, err := service.SanitizePublicHTTPURL(testURL, config.AllowPrivateIPs())
if err != nil {
jsonMsg(c, I18nWeb(c, "somethingWentWrong"), err)
return

3
web/job/xray_traffic_job.go
View file

@ -3,6 +3,7 @@ package job
import (
"encoding/json"
"github.com/mhsanaei/3x-ui/v3/config"
"github.com/mhsanaei/3x-ui/v3/logger"
"github.com/mhsanaei/3x-ui/v3/web/service"
"github.com/mhsanaei/3x-ui/v3/web/websocket"
@ -137,7 +138,7 @@ func (j *XrayTrafficJob) informTrafficToExternalAPI(inboundTraffics []*xray.Traf
logger.Warning("get ExternalTrafficInformURI failed:", err)
return
}
informURL, err = service.SanitizePublicHTTPURL(informURL, false)
informURL, err = service.SanitizePublicHTTPURL(informURL, config.AllowPrivateIPs())
if err != nil {
logger.Warning("ExternalTrafficInformURI blocked:", err)
return

2
web/service/tgbot.go
View file

@ -341,7 +341,7 @@ func (t *Tgbot) NewBot(token string, proxyUrl string, apiServerUrl string) (*tel
// Validate API server URL if provided
if apiServerUrl != "" {
safeURL, err := SanitizePublicHTTPURL(apiServerUrl, false)
safeURL, err := SanitizePublicHTTPURL(apiServerUrl, config.AllowPrivateIPs())
if err != nil {
logger.Warningf("Invalid or blocked API server URL, using default: %v", err)
apiServerUrl = ""