From 65a0987d00cfaa6f9b77270525312c192f5390de Mon Sep 17 00:00:00 2001
From: Sajjad Fatehi
Date: Thu, 8 May 2025 00:58:07 +0330
Subject: [PATCH 1/2] Refactor access control in config.php instead of range ip and add webhook secret token generation in wizwiz.sh
---
 config.php | 22 ++++++----------------
 wizwiz.sh | 5 ++++-
 2 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/config.php b/config.php
index 8938d8a8..a35f09e6 100644
--- a/config.php
+++ b/config.php
@@ -110,23 +110,13 @@ function alert($txt, $type = false, $callid = null){
 ]);
 }
 
-$range = [
- '149.154.160.0/22',
- '149.154.164.0/22',
- '91.108.4.0/22',
- '91.108.56.0/22',
- '91.108.8.0/22',
- '95.161.64.0/20',
- ];
 function check($return = false){
- global $range;
- foreach ($range as $rg) {
- if (ip_in_range($_SERVER['REMOTE_ADDR'], $rg)) {
- return true;
- }
- }
- if ($return == true) {
- return false;
+ global $botSecret;
+
+ $secretToken = $_SERVER['HTTP_X_TELEGRAM_BOT_API_SECRET_TOKEN'] ?? '';
+
+ if ($secretToken == $botSecret) {
+ return true;
 }
 
 die('You do not have access');
diff --git a/wizwiz.sh b/wizwiz.sh
index 512b5248..8b87abc4 100644
--- a/wizwiz.sh
+++ b/wizwiz.sh
@@ -302,11 +302,14 @@ wait
 fi
 sleep 2
+
+ SECRET_TOKEN=$(tr -dc 'A-Za-z0-9_- ' < /dev/urandom | head -c 256)
 # print file
 echo -e "> /var/www/html/wizwizxui-timebot/baseInfo.php
 echo -e "error_reporting(0);" >> /var/www/html/wizwizxui-timebot/baseInfo.php
 echo -e "${ASAS}botToken = '${YOUR_BOT_TOKEN}';" >> /var/www/html/wizwizxui-timebot/baseInfo.php
+ echo -e "${ASAS}botSecret = '${SECRET_TOKEN}';" >> /var/www/html/wizwizxui-timebot/baseInfo.php
 echo -e "${ASAS}dbUserName = '${dbuser}';" >> /var/www/html/wizwizxui-timebot/baseInfo.php
 echo -e "${ASAS}dbPassword = '${dbpass}';" >> /var/www/html/wizwizxui-timebot/baseInfo.php
 echo -e "${ASAS}dbName = '${dbname}';" >> /var/www/html/wizwizxui-timebot/baseInfo.php
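Review bot: The new gate `if ($secretToken == $botSecret)` passes every request when `$botSecret` is unset or empty: the header defaults to `''` via `?? ''`, and in PHP `'' == null` is true, so an installation whose baseInfo.php predates this change, or where the generated token came out empty, has no webhook authentication at all. The check should refuse an empty configured secret and compare with `hash_equals()` rather than a loose, non-constant-time `==`. The `$return` parameter is also still in the signature but no longer honoured — callers that passed `$return = true` used to get `false` back and now die — which looks unintended. check()'s closing brace is outside the hunk.
```php
function check($return = false){
    global $botSecret;

    $secretToken = $_SERVER['HTTP_X_TELEGRAM_BOT_API_SECRET_TOKEN'] ?? '';

    // Refuse an unset/empty configured secret outright; compare in constant time.
    if (is_string($botSecret) && $botSecret !== '' && hash_equals($botSecret, (string) $secretToken)) {
        return true;
    }
    if ($return == true) {
        return false;
    }

    die('You do not have access');
```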
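Review bot: The result of `SECRET_TOKEN=$(tr -dc 'A-Za-z0-9_- ' < /dev/urandom | head -c 256)` is never checked for being non-empty, yet it is written straight into baseInfo.php as `botSecret` and, in the next hunk, registered with setWebhook; if the pipeline yields nothing, the bot is deployed with an empty secret that the PHP side then accepts. Add a guard directly after the assignment, `[ -n "${SECRET_TOKEN}" ] || { echo "could not generate webhook secret"; exit 1; }`. The character set here also contains a space, which the second commit in this series already removes, so that is not re-raised. baseInfo.php now holds a second credential next to the bot token; if the script does not already restrict that file's permissions (not visible here), that would be worth confirming. The enclosing block starts and ends outside the hunk.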
@@ -316,7 +319,7 @@ wait
 sleep 1
- curl -F "url=https://${YOUR_DOMAIN}/wizwizxui-timebot/bot.php" "https://api.telegram.org/bot${YOUR_BOT_TOKEN}/setWebhook"
+ curl -F "url=https://${YOUR_DOMAIN}/wizwizxui-timebot/bot.php" -F "secret_token=${SECRET_TOKEN}" "https://api.telegram.org/bot${YOUR_BOT_TOKEN}/setWebhook"
 MESSAGE="✅ The wizwiz bot has been successfully installed! @wizwizch"
 curl -s -X POST "https://api.telegram.org/bot${YOUR_BOT_TOKEN}/sendMessage" -d chat_id="${YOUR_CHAT_ID}" -d text="$MESSAGE"
From f0602ff91878bf947a1e3b25d5366e5ffaa0e12e Mon Sep 17 00:00:00 2001
From: Sajjad Fatehi
Date: Thu, 8 May 2025 01:04:11 +0330
Subject: [PATCH 2/2] Reduce length of SECRET_TOKEN to 128 characters for improved security in wizwiz.sh
---
 wizwiz.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/wizwiz.sh b/wizwiz.sh
index 8b87abc4..31404c67 100644
--- a/wizwiz.sh
+++ b/wizwiz.sh
@@ -303,7 +303,7 @@ wait
 sleep 2
- SECRET_TOKEN=$(tr -dc 'A-Za-z0-9_- ' < /dev/urandom | head -c 256)
+ SECRET_TOKEN=$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 128)
 # print file
 echo -e "> /var/www/html/wizwizxui-timebot/baseInfo.php
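Review bot: The setWebhook response on the new `curl -F "url=..." -F "secret_token=${SECRET_TOKEN}" ...` line is still not checked, and passing `secret_token` introduces a new way for the call to be rejected (Telegram only accepts 1–256 characters from A-Z, a-z, 0-9, `_` and `-`); when that happens the installer goes on to send the "successfully installed" message while the bot never receives an update. Capture the response and stop unless it reports success, e.g. `RESP=$(curl -sS -F "url=https://${YOUR_DOMAIN}/wizwizxui-timebot/bot.php" -F "secret_token=${SECRET_TOKEN}" "https://api.telegram.org/bot${YOUR_BOT_TOKEN}/setWebhook")` followed by `printf '%s' "$RESP" | grep -q '"ok":true' || { echo "setWebhook failed: $RESP"; exit 1; }`. Keep the bot token out of anything echoed on failure; the response body itself does not contain it. The enclosing block starts and ends outside the hunk.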