From fedf7db8a4920dd283ccc59362cc9bbb1efef3c5 Mon Sep 17 00:00:00 2001
From: Mikhail Solovev
Date: Thu, 16 Apr 2026 21:56:16 +0300
Subject: [PATCH 1/2] Quote table and column identifiers using SQLAlchemy dialect preparer when adding missing columns to avoid SQL injection and syntax errors. (#1237)
---
 src/modules/DashboardConfig.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/modules/DashboardConfig.py b/src/modules/DashboardConfig.py
index 3ae7ab3f..c027d0cc 100644
--- a/src/modules/DashboardConfig.py
+++ b/src/modules/DashboardConfig.py
@@ -146,7 +146,10 @@ class DashboardConfig:
 if col_name not in existing_columns:
 type_str = col_type().compile(dialect=self.engine.dialect)
 current_app.logger.info(f"Adding missing column '{col_name}' to table '{table_name}'")
- conn.execute(db.text(f'ALTER TABLE "{table_name}" ADD COLUMN "{col_name}" {type_str}'))
+ preparer = self.engine.dialect.identifier_preparer
+ quoted_table = preparer.quote_identifier(table_name)
+ quoted_column = preparer.quote_identifier(col_name)
+ conn.execute(db.text(f"ALTER TABLE {quoted_table} ADD COLUMN {quoted_column} {type_str}"))
 def getConnectionString(self, database) -> str or None:
 sqlitePath = os.path.join(DashboardConfig.ConfigurationPath, "db")
From 6ec8d2f201199f536f8dc80cdb4aed6ff0472897 Mon Sep 17 00:00:00 2001
From: sgtdeagle <46221457+sgtdeagle@users.noreply.github.com>
Date: Thu, 7 May 2026 14:27:31 +0000
Subject: [PATCH 2/2] change email attachmentname to peerName if not empty
---
 src/dashboard.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/dashboard.py b/src/dashboard.py
index e4d4eefb..93d69c93 100644
--- a/src/dashboard.py
+++ b/src/dashboard.py
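Review bot: The new `quote_identifier()` calls deserve a one-line why-comment, because a later reader may be tempted to revert to the shorter literal double quotes: `# quote_identifier() escapes embedded quote characters and emits the dialect's own quoting (e.g. backticks on MySQL), which the literal "..." form did not`. Leaving `{type_str}` unquoted is right, since it is the column type already compiled by the same dialect. Worth noting in that comment where `table_name` and `col_name` originate (the enclosing method starts outside the hunk); if they come from model metadata rather than request data, the practical gain is correct quoting on every dialect rather than the injection case the commit message names.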
@@ -1511,7 +1511,8 @@ def API_Email_Send():
 subject = Template(data.get('Subject', '')).render(peer=p.toJson(), configurationFile=download)
 if data.get('IncludeAttachment', False):
 u = str(uuid4())
- attachmentName = f'{u}.conf'
+ peerName = p.toJson().get('name', '').strip()
+ attachmentName = f'{peerName if peerName else u}.conf'
 with open(os.path.join('./attachments', attachmentName,), 'w+') as f:
 f.write(download['file'])
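Review bot: Using the peer name as the on-disk filename reintroduces a path-traversal risk that the UUID avoided: `peerName` is user-editable data, and `os.path.join('./attachments', attachmentName,)` does not constrain a name containing path separators or `..`, so the `open(..., 'w+')` on the following line can write outside `./attachments`. It also means two peers with the same name overwrite each other's attachment file. Restrict the name to a filename-safe character set before using it and keep the UUID fallback: `safeName = ''.join(c if c.isalnum() or c in '._-' else '_' for c in peerName).strip('._')` then `attachmentName = f'{safeName or u}.conf'`; alternatively keep the UUID filename on disk and use `peerName` only as the attachment's display name when the message is assembled. API_Email_Send continues outside the hunk, so the code that attaches the file and would take a display name is not visible here.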