From f305d8f55caf4e6d137e4c529924ca0ea43e1f14 Mon Sep 17 00:00:00 2001
From: Akkia
Date: Wed, 13 Apr 2022 16:45:39 +0800
Subject: [PATCH] =?UTF-8?q?=E4=B8=BAcloudflareCookies=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E5=9F=BA=E6=9C=AC=E7=9A=84=E5=90=88=E6=B3=95=E6=80=A7=E9=AA=8C?=
 =?UTF-8?q?=E8=AF=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cmd/dashboard/controller/common_page.go | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/cmd/dashboard/controller/common_page.go b/cmd/dashboard/controller/common_page.go
index 09a0424..42010a5 100644
--- a/cmd/dashboard/controller/common_page.go
+++ b/cmd/dashboard/controller/common_page.go
@@ -5,6 +5,8 @@ import (
 "fmt"
 "log"
 "net/http"
+ "regexp"
+ "strings"
 "sync"
 "time"
 
@@ -275,7 +277,22 @@ func (cp *commonPage) terminal(c *gin.Context) {
 }, true)
 return
 }
-cloudflareCookies, _ := c.Cookie("CF_Authorization")
+ cloudflareCookies, _ := c.Cookie("CF_Authorization")
+ // CloudflareCookies合法性验证
+ // 其应该包含.分隔的三组BASE64-URL编码
+ if cloudflareCookies != "" {
+ encodedCookies := strings.Split(cloudflareCookies, ".")
+ if len(encodedCookies) == 3 {
+ for i := 0; i < 3; i++ {
+ if valid, _ := regexp.MatchString("^[A-Za-z0-9-_]+$", encodedCookies[i]); !valid {
+ cloudflareCookies = ""
+ break
+ }
+ }
+ } else {
+ cloudflareCookies = ""
+ }
+ }
 terminalData, _ := utils.Json.Marshal(&model.TerminalTask{
 Host: terminal.host,
 UseSSL: terminal.useSSL,
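Review bot: The new `if valid, _ := regexp.MatchString("^[A-Za-z0-9-_]+$", encodedCookies[i]); !valid {` line recompiles the pattern on every loop iteration of every terminal request and silently drops the compile error; compile it once at package scope, `var cfJWTSegmentRe = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)`, and test with `if !cfJWTSegmentRe.MatchString(seg) {` inside `for _, seg := range encodedCookies {`. Moving the `-` to the end of the class keeps the current semantics (Go's parser treats the trailing `-` after `0-9` as a literal) but stops it reading like a second range. The two Chinese comments should also say what this check is and is not: it only confirms the attacker-controlled cookie has the shape of a JWT (three dot-separated base64url segments) so no stray bytes travel into the marshalled `TerminalTask` that follows, and it does not verify the token's signature or claims, so nothing downstream may treat a non-empty value as authenticated. The enclosing `terminal` method begins and ends outside the hunk, so it is not visible here whether the cookie is later placed into the task.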