diff --git a/lib/version/version.go b/lib/version/version.go
index aa5cdd3..5cef3f1 100644
--- a/lib/version/version.go
+++ b/lib/version/version.go
@@ -1,6 +1,6 @@
 package version
-const VERSION = "0.22.0"
+const VERSION = "0.22.1"
 // Compulsory minimum version, Minimum downward compatibility to this version
 func GetVersion() string {
diff --git a/server/proxy/http.go b/server/proxy/http.go
index b7743ab..ce78228 100644
--- a/server/proxy/http.go
+++ b/server/proxy/http.go
@@ -249,7 +249,7 @@ func (s *httpServer) httpHandle(c *conn.Conn, r *http.Request) {
 reqCh <- r
 }
 end:
-if isConn {
+if !readReq {
 s.writeConnFail(c.Conn)
 }
 c.Close()
diff --git a/web/controllers/base.go b/web/controllers/base.go
index 5308d35..cbfa1cc 100755
--- a/web/controllers/base.go
+++ b/web/controllers/base.go
@@ -6,6 +6,7 @@ import (
 "github.com/cnlh/nps/lib/file"
 "github.com/cnlh/nps/server"
 "github.com/cnlh/nps/vender/github.com/astaxie/beego"
+"html"
 "math"
 "strconv"
 "strings"
@@ -26,7 +27,7 @@ func (s *BaseController) Prepare() {
 // web api verify
 // param 1 is md5(authKey+Current timestamp)
 // param 2 is timestamp (It's limited to 20 seconds.)
-md5Key := s.GetString("auth_key")
+md5Key := s.getEscapeString("auth_key")
 timestamp := s.GetIntNoErr("timestamp")
 configKey := beego.AppConfig.String("auth_key")
 timeNowUnix := time.Now().Unix()
@@ -85,6 +86,11 @@ func (s *BaseController) error() {
 s.TplName = "public/error.html"
 }
+//getEscapeString
+func (s *BaseController) getEscapeString(key string) string {
+return html.EscapeString(s.GetString(key))
+}
+
 //去掉没有err返回值的int
 func (s *BaseController) GetIntNoErr(key string, def ...int) int {
 strv := s.Ctx.Input.Query(key)
diff --git a/web/controllers/client.go b/web/controllers/client.go
index b54823d..78d2d07 100644
--- a/web/controllers/client.go
+++ b/web/controllers/client.go
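Review bot: getEscapeString escapes at input time, so what reaches storage is HTML-encoded text rather than the value the user typed: html.EscapeString rewrites `<`, `>`, `&`, `'` and `"`, and the client.go and index.go hunks route web_password, vkey, u/p, password, local_path, key_file_path, cert_file_path, target and header through it before the structs are persisted (UpdateTask, StoreHostToJsonFile are visible in the later hunks), so a password containing `'` is saved as `&#39;` and a path containing `&` no longer names the file. Encoding for display belongs at the output boundary in the template layer, and if the templates already escape, these values will be encoded twice when rendered. In Prepare, `md5Key := s.getEscapeString("auth_key")` changes nothing because a hex digest contains none of those characters, so `s.GetString("auth_key")` can stay. If the helper is kept, replace the bare `//getEscapeString` with a comment stating the contract: `// getEscapeString returns the query parameter with HTML special characters escaped; the result is HTML-encoded text, not the raw value, so it must not be stored as a credential or a path.`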
@@ -27,7 +27,7 @@ func (s *ClientController) List() {
 } else {
 clientId = clientIdSession.(int)
 }
-list, cnt := server.GetClientList(start, length, s.GetString("search"), s.GetString("sort"), s.GetString("order"), clientId)
+list, cnt := server.GetClientList(start, length, s.getEscapeString("search"), s.getEscapeString("sort"), s.getEscapeString("order"), clientId)
 s.AjaxTable(list, cnt, cnt)
 }
@@ -39,21 +39,21 @@ func (s *ClientController) Add() {
 s.display()
 } else {
 t := &file.Client{
-VerifyKey: s.GetString("vkey"),
+VerifyKey: s.getEscapeString("vkey"),
 Id: int(file.GetDb().JsonDb.GetClientId()),
 Status: true,
-Remark: s.GetString("remark"),
+Remark: s.getEscapeString("remark"),
 Cnf: &file.Config{
-U: s.GetString("u"),
-P: s.GetString("p"),
-Compress: common.GetBoolByStr(s.GetString("compress")),
+U: s.getEscapeString("u"),
+P: s.getEscapeString("p"),
+Compress: common.GetBoolByStr(s.getEscapeString("compress")),
 Crypt: s.GetBoolNoErr("crypt"),
 },
 ConfigConnAllow: s.GetBoolNoErr("config_conn_allow"),
 RateLimit: s.GetIntNoErr("rate_limit"),
 MaxConn: s.GetIntNoErr("max_conn"),
-WebUserName: s.GetString("web_username"),
-WebPassword: s.GetString("web_password"),
+WebUserName: s.getEscapeString("web_username"),
+WebPassword: s.getEscapeString("web_password"),
 MaxTunnelNum: s.GetIntNoErr("max_tunnel"),
 Flow: &file.Flow{
 ExportFlow: 0,
@@ -102,33 +102,33 @@ func (s *ClientController) Edit() {
 if c, err := file.GetDb().GetClient(id); err != nil {
 s.error()
 } else {
-if s.GetString("web_username") != "" {
-if s.GetString("web_username") == beego.AppConfig.String("web_username") || !file.GetDb().VerifyUserName(s.GetString("web_username"), c.Id) {
+if s.getEscapeString("web_username") != "" {
+if s.getEscapeString("web_username") == beego.AppConfig.String("web_username") || !file.GetDb().VerifyUserName(s.getEscapeString("web_username"), c.Id) {
 s.AjaxErr("web login username duplicate, please reset")
 return
 }
 }
 if s.GetSession("isAdmin").(bool) {
-if !file.GetDb().VerifyVkey(s.GetString("vkey"), c.Id) {
+if !file.GetDb().VerifyVkey(s.getEscapeString("vkey"), c.Id) {
 s.AjaxErr("Vkey duplicate, please reset")
 return
 }
-c.VerifyKey = s.GetString("vkey")
+c.VerifyKey = s.getEscapeString("vkey")
 c.Flow.FlowLimit = int64(s.GetIntNoErr("flow_limit"))
 c.RateLimit = s.GetIntNoErr("rate_limit")
 c.MaxConn = s.GetIntNoErr("max_conn")
 c.MaxTunnelNum = s.GetIntNoErr("max_tunnel")
 }
-c.Remark = s.GetString("remark")
-c.Cnf.U = s.GetString("u")
-c.Cnf.P = s.GetString("p")
-c.Cnf.Compress = common.GetBoolByStr(s.GetString("compress"))
+c.Remark = s.getEscapeString("remark")
+c.Cnf.U = s.getEscapeString("u")
+c.Cnf.P = s.getEscapeString("p")
+c.Cnf.Compress = common.GetBoolByStr(s.getEscapeString("compress"))
 c.Cnf.Crypt = s.GetBoolNoErr("crypt")
 b, err := beego.AppConfig.Bool("allow_user_change_username")
 if s.GetSession("isAdmin").(bool) || (err == nil && b) {
-c.WebUserName = s.GetString("web_username")
+c.WebUserName = s.getEscapeString("web_username")
 }
-c.WebPassword = s.GetString("web_password")
+c.WebPassword = s.getEscapeString("web_password")
 c.ConfigConnAllow = s.GetBoolNoErr("config_conn_allow")
 if c.Rate != nil {
 c.Rate.Stop()
diff --git a/web/controllers/index.go b/web/controllers/index.go
index 3feae78..5ecdb15 100755
--- a/web/controllers/index.go
+++ b/web/controllers/index.go
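Review bot: The username check at the top of the Edit hunk calls `s.getEscapeString("web_username")` four times across two lines and compares the escaped result with the raw `beego.AppConfig.String("web_username")` and, through VerifyUserName, with the stored names; whenever the configured or stored name contains one of the five characters html.EscapeString rewrites, the duplicate check cannot match. Read the parameter once and compare the raw value: `webUser := s.GetString("web_username")`, then `if webUser != "" {` and `if webUser == beego.AppConfig.String("web_username") || !file.GetDb().VerifyUserName(webUser, c.Id) {`. The same read-once pattern applies to the two vkey reads further down. Edit's body starts and ends outside the hunk.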
@@ -68,7 +68,7 @@ func (s *IndexController) Host() {
 func (s *IndexController) All() {
 s.Data["menu"] = "client"
-clientId := s.GetString("client_id")
+clientId := s.getEscapeString("client_id")
 s.Data["client_id"] = clientId
 s.SetInfo("client id:" + clientId)
 s.display("index/list")
@@ -76,30 +76,30 @@ func (s *IndexController) All() {
 func (s *IndexController) GetTunnel() {
 start, length := s.GetAjaxParams()
-taskType := s.GetString("type")
+taskType := s.getEscapeString("type")
 clientId := s.GetIntNoErr("client_id")
-list, cnt := server.GetTunnel(start, length, taskType, clientId, s.GetString("search"))
+list, cnt := server.GetTunnel(start, length, taskType, clientId, s.getEscapeString("search"))
 s.AjaxTable(list, cnt, cnt)
 }
 func (s *IndexController) Add() {
 if s.Ctx.Request.Method == "GET" {
-s.Data["type"] = s.GetString("type")
-s.Data["client_id"] = s.GetString("client_id")
+s.Data["type"] = s.getEscapeString("type")
+s.Data["client_id"] = s.getEscapeString("client_id")
 s.SetInfo("add tunnel")
 s.display()
 } else {
 t := &file.Tunnel{
 Port: s.GetIntNoErr("port"),
-ServerIp: s.GetString("server_ip"),
-Mode: s.GetString("type"),
-Target: &file.Target{TargetStr: s.GetString("target"), LocalProxy: s.GetBoolNoErr("local_proxy")},
+ServerIp: s.getEscapeString("server_ip"),
+Mode: s.getEscapeString("type"),
+Target: &file.Target{TargetStr: s.getEscapeString("target"), LocalProxy: s.GetBoolNoErr("local_proxy")},
 Id: int(file.GetDb().JsonDb.GetTaskId()),
 Status: true,
-Remark: s.GetString("remark"),
-Password: s.GetString("password"),
-LocalPath: s.GetString("local_path"),
-StripPre: s.GetString("strip_pre"),
+Remark: s.getEscapeString("remark"),
+Password: s.getEscapeString("password"),
+LocalPath: s.getEscapeString("local_path"),
+StripPre: s.getEscapeString("strip_pre"),
 Flow: &file.Flow{},
 }
 if !tool.TestServerPort(t.Port, t.Mode) {
@@ -161,14 +161,14 @@ func (s *IndexController) Edit() {
 }
 t.Port = s.GetIntNoErr("port")
 }
-t.ServerIp = s.GetString("server_ip")
-t.Mode = s.GetString("type")
-t.Target = &file.Target{TargetStr: s.GetString("target")}
-t.Password = s.GetString("password")
+t.ServerIp = s.getEscapeString("server_ip")
+t.Mode = s.getEscapeString("type")
+t.Target = &file.Target{TargetStr: s.getEscapeString("target")}
+t.Password = s.getEscapeString("password")
 t.Id = id
-t.LocalPath = s.GetString("local_path")
-t.StripPre = s.GetString("strip_pre")
-t.Remark = s.GetString("remark")
+t.LocalPath = s.getEscapeString("local_path")
+t.StripPre = s.getEscapeString("strip_pre")
+t.Remark = s.getEscapeString("remark")
 t.Target.LocalProxy = s.GetBoolNoErr("local_proxy")
 file.GetDb().UpdateTask(t)
 server.StopServer(t.Id)
@@ -204,14 +204,14 @@ func (s *IndexController) Start() {
 func (s *IndexController) HostList() {
 if s.Ctx.Request.Method == "GET" {
-s.Data["client_id"] = s.GetString("client_id")
+s.Data["client_id"] = s.getEscapeString("client_id")
 s.Data["menu"] = "host"
 s.SetInfo("host list")
 s.display("index/hlist")
 } else {
 start, length := s.GetAjaxParams()
 clientId := s.GetIntNoErr("client_id")
-list, cnt := file.GetDb().GetHost(start, length, clientId, s.GetString("search"))
+list, cnt := file.GetDb().GetHost(start, length, clientId, s.getEscapeString("search"))
 s.AjaxTable(list, cnt, cnt)
 }
 }
@@ -240,23 +240,23 @@ func (s *IndexController) DelHost() {
 func (s *IndexController) AddHost() {
 if s.Ctx.Request.Method == "GET" {
-s.Data["client_id"] = s.GetString("client_id")
+s.Data["client_id"] = s.getEscapeString("client_id")
 s.Data["menu"] = "host"
 s.SetInfo("add host")
 s.display("index/hadd")
 } else {
 h := &file.Host{
 Id: int(file.GetDb().JsonDb.GetHostId()),
-Host: s.GetString("host"),
-Target: &file.Target{TargetStr: s.GetString("target"), LocalProxy: s.GetBoolNoErr("local_proxy")},
-HeaderChange: s.GetString("header"),
-HostChange: s.GetString("hostchange"),
-Remark: s.GetString("remark"),
-Location: s.GetString("location"),
+Host: s.getEscapeString("host"),
+Target: &file.Target{TargetStr: s.getEscapeString("target"), LocalProxy: s.GetBoolNoErr("local_proxy")},
+HeaderChange: s.getEscapeString("header"),
+HostChange: s.getEscapeString("hostchange"),
+Remark: s.getEscapeString("remark"),
+Location: s.getEscapeString("location"),
 Flow: &file.Flow{},
-Scheme: s.GetString("scheme"),
-KeyFilePath: s.GetString("key_file_path"),
-CertFilePath: s.GetString("cert_file_path"),
+Scheme: s.getEscapeString("scheme"),
+KeyFilePath: s.getEscapeString("key_file_path"),
+CertFilePath: s.getEscapeString("cert_file_path"),
 }
 var err error
 if h.Client, err = file.GetDb().GetClient(s.GetIntNoErr("client_id")); err != nil {
@@ -284,11 +284,11 @@ func (s *IndexController) EditHost() {
 if h, err := file.GetDb().GetHostById(id); err != nil {
 s.error()
 } else {
-if h.Host != s.GetString("host") {
+if h.Host != s.getEscapeString("host") {
 tmpHost := new(file.Host)
-tmpHost.Host = s.GetString("host")
-tmpHost.Location = s.GetString("location")
-tmpHost.Scheme = s.GetString("scheme")
+tmpHost.Host = s.getEscapeString("host")
+tmpHost.Location = s.getEscapeString("location")
+tmpHost.Scheme = s.getEscapeString("scheme")
 if file.GetDb().IsHostExist(tmpHost) {
 s.AjaxErr("host has exist")
 return
@@ -299,15 +299,15 @@ func (s *IndexController) EditHost() {
 } else {
 h.Client = client
 }
-h.Host = s.GetString("host")
-h.Target = &file.Target{TargetStr: s.GetString("target")}
-h.HeaderChange = s.GetString("header")
-h.HostChange = s.GetString("hostchange")
-h.Remark = s.GetString("remark")
-h.Location = s.GetString("location")
-h.Scheme = s.GetString("scheme")
-h.KeyFilePath = s.GetString("key_file_path")
-h.CertFilePath = s.GetString("cert_file_path")
+h.Host = s.getEscapeString("host")
+h.Target = &file.Target{TargetStr: s.getEscapeString("target")}
+h.HeaderChange = s.getEscapeString("header")
+h.HostChange = s.getEscapeString("hostchange")
+h.Remark = s.getEscapeString("remark")
+h.Location = s.getEscapeString("location")
+h.Scheme = s.getEscapeString("scheme")
+h.KeyFilePath = s.getEscapeString("key_file_path")
+h.CertFilePath = s.getEscapeString("cert_file_path")
 h.Target.LocalProxy = s.GetBoolNoErr("local_proxy")
 file.GetDb().JsonDb.StoreHostToJsonFile()
 }