From 1365ff3e1acdbb28abafda91196fc16d52fd8a0d Mon Sep 17 00:00:00 2001
From: tzmax <71716824+tzmax@users.noreply.github.com>
Date: Tue, 7 Nov 2023 23:51:48 +0800
Subject: [PATCH] fix: use localhost to avoid config leak attacks
---
 GCDWebServer | 2 +-
 V2RayX/AppDelegate.h | 1 +
 V2RayX/AppDelegate.m | 21 ++++++++++++++++++---
 3 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/GCDWebServer b/GCDWebServer
index 7e4dd53..c6d118f 160000
--- a/GCDWebServer
+++ b/GCDWebServer
@@ -1 +1 @@
-Subproject commit 7e4dd53c9837019be15688c6f46525d241494920
+Subproject commit c6d118f4ecc1d9c2c6130fe8522b50889e78524b
diff --git a/V2RayX/AppDelegate.h b/V2RayX/AppDelegate.h
index d6e47fe..164396c 100644
--- a/V2RayX/AppDelegate.h
+++ b/V2RayX/AppDelegate.h
@@ -45,6 +45,7 @@ int runCommandLine(NSString* launchPath, NSArray* arguments);
 }
 @property NSString* logDirPath;
+@property NSString* webServerUuidString;
 @property BOOL proxyState;
 @property ProxyMode proxyMode;
diff --git a/V2RayX/AppDelegate.m b/V2RayX/AppDelegate.m
index 9b34403..0f58785 100644
--- a/V2RayX/AppDelegate.m
+++ b/V2RayX/AppDelegate.m
@@ -128,9 +128,20 @@ - (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
 return [GCDWebServerDataResponse responseWithData:[weakSelf pacData] contentType:@"application/x-ns-proxy-autoconfig"];
 }];
 [webServer addHandlerForMethod:@"GET" path:@"/config.json" requestClass:[GCDWebServerRequest class] processBlock:^GCDWebServerResponse * _Nullable(__kindof GCDWebServerRequest * _Nonnull request) {
- return [GCDWebServerDataResponse responseWithData:[weakSelf v2rayJSONconfig] contentType:@"application/json"];
+ // check uuid
+ NSString *uuid = request.query[@"u"];
+ if(uuid != NULL) {
+ uuid = [uuid uppercaseString];
+ if([uuid isEqualToString:weakSelf.webServerUuidString]) {
+ return [GCDWebServerDataResponse responseWithData:[weakSelf v2rayJSONconfig] contentType:@"application/json"];
+ }
+ }
+ return [GCDWebServerResponse responseWithStatusCode:404];
 }];
- [webServer startWithPort:webServerPort bonjourName:nil];
+
+ // only bind localhost
+ NSDictionary *options = @{ @"Port": @webServerPort, @"BindToLocalhost": @YES };
+ [webServer startWithOptions:options error:nil];
 [self checkUpgrade:self];
@@ -1110,7 +1121,11 @@ - (IBAction)copyExportCmd:(id)sender {
 }
 - (IBAction)viewConfigJson:(NSMenuItem *)sender {
- [[NSWorkspace sharedWorkspace] openURL:[NSURL URLWithString:[NSString stringWithFormat:@"http://127.0.0.1:%d/config.json", webServerPort]]];
+ if(_webServerUuidString == nil) {
+ NSUUID *uuid = [NSUUID UUID];
+ _webServerUuidString = [uuid UUIDString];
+ }
+ [[NSWorkspace sharedWorkspace] openURL:[NSURL URLWithString:[NSString stringWithFormat:@"http://127.0.0.1:%d/config.json?u=%@", webServerPort, _webServerUuidString]]];
 }
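Review bot: The localhost-only binding in the new `startWithOptions:` call rests on two hand-typed string keys, and the call discards both its BOOL result and the error, so a misspelled key or a failed bind would go unnoticed; an unrecognised key would presumably leave the library default in place rather than restricting the listener to loopback. Prefer the library's own constants and check the result: `NSDictionary *options = @{ GCDWebServerOption_Port: @webServerPort, GCDWebServerOption_BindToLocalhost: @YES };` followed by `NSError *startError = nil; if (![webServer startWithOptions:options error:&startError]) { NSLog(@"web server failed to start: %@", startError); }`. In the `/config.json` handler, requests arriving before a token exists are rejected only because `isEqualToString:` returns NO for a nil argument; a comment such as `// webServerUuidString stays nil until viewConfigJson: runs, so every request gets 404 until then` would make that fail-closed behaviour explicit. applicationDidFinishLaunching: begins and ends outside this hunk.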
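Review bot: In `viewConfigJson:` the access token is generated once, kept for the rest of the process lifetime, and handed to the default browser inside the URL query string, so it ends up in browser history and remains valid for as long as the app runs. Consider replacing the nil check with a fresh token per invocation, `self.webServerUuidString = [[NSUUID UUID] UUIDString];`, so a previously opened URL stops working once a new one is issued. The ivar is also written directly here while the handler block in applicationDidFinishLaunching: reads it through `weakSelf.webServerUuidString`, presumably from a server worker thread; assigning through the property keeps both sides on the same accessor.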