added the Uzbek language я исправил потвердите (#3306)

* added the Uzbek language

* Potential fix for code scanning alert no. 1: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 2: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 3: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 13: Time-of-check time-of-use filesystem race condition

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 12: Time-of-check time-of-use filesystem race condition

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 4: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 11: Time-of-check time-of-use filesystem race condition

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 5: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 7: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 8: Unsafe jQuery plugin

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 14: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 10: Time-of-check time-of-use filesystem race condition

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 15: Time-of-check time-of-use filesystem race condition

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 9: Call to `memset` may be deleted

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update bootstrap.js

* Update ci.yml

* Potential fix for code scanning alert no. 17: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 16: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update ci.yml

* Update ci.yml

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Author: FlutterGenerator

.github/workflows/ci.yml

@@ -1,4 +1,6 @@
 name: Ventoy CI
+permissions:
+  contents: read
 
 on:
   push:
@@ -12,26 +14,26 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: Run docker compose up
       run: docker compose up
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@v6
       with:
         name: ventoy-windows
         path: INSTALL/ventoy-*windows*
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@v6
       with:
         name: ventoy-linux
         path: INSTALL/ventoy-*linux*
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@v6
       with:
         name: ventoy-livecd
         path: INSTALL/ventoy-*livecd*
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@v6
       with:
         name: SHA256SUM
         path: INSTALL/sha256.txt
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@v6
       with:
         name: xxx-build-log
         path: DOC/build.log

.github/workflows/sync2gitee.yml

@@ -1,4 +1,6 @@
 name: Mirror GitHub to Gitee
+permissions:
+  contents: read
 
 on:
   # Triggers the workflow on push or pull request events but only for the main branch

LANGUAGES/languages.json

@@ -2728,6 +2728,71 @@
 
         "STRXXX":""
     },
+    {
+        "name":"Uzbek (Uzbek tili)",
+        "FontFamily":"Courier New",
+        "FontSize":16,
+        "Author":"Husen Djalolov, tojik_proof_93",
+        
+        "STR_ERROR":"Xato",
+        "STR_WARNING":"Diqqat",
+        "STR_INFO":"Ma'lumot",
+        "STR_INCORRECT_DIR":"Boshqa papkada ishga tushiring!",
+        "STR_INCORRECT_TREE_DIR":"Ilovani bu erda ishga tushirmang, o'rnatish paketini yuklab oling va uni boshqa joyda ishga tushiring.",
+        "STR_DEVICE":"Qurilma",
+        "STR_LOCAL_VER":"Paketdagi Ventoy",
+        "STR_DISK_VER":"Drayvdagi Ventoy",
+        "STR_STATUS":"Davlat-tayyor",
+        "STR_INSTALL":"O'rnatish",
+        "STR_UPDATE":"Yangilash",
+        "STR_UPDATE_TIP":"Yangilash xavfsiz, ISO tasvirlari o'zgarishsiz qoladi.#@Davom etasizmi?",
+        "STR_INSTALL_TIP":"Ushbu amal drayverni formatlaydi va undagi barcha ma'lumotlar o'chib ketadi.#@Davom etasizmi?",
+        "STR_INSTALL_TIP2":"Ushbu harakat drayverni formatlaydi, undagi barcha ma'lumotlar yo'q qilinadi.#@Siz haqiqatan ham davom etishni xohlaysizmi?",
+        "STR_INSTALL_SUCCESS":"Tabriklaymiz!#@Ventoy-ni qurilmaga o'rnatish muvaffaqiyatli amalga oshirildi.",
+        "STR_INSTALL_FAILED":"O'rnatish xatosi. USB drayverini qayta ulang va qaytadan urinib ko'ring. Log fayliga qarang.tafsilotlar bilan txt. Agar xato davom etsa, rasmiy veb-saytdagi «FAQ» ga qarang.",
+        "STR_UPDATE_SUCCESS":"Tabriklaymiz!#@Ventoy qurilmangizda muvaffaqiyatli yangilandi.",
+        "STR_UPDATE_FAILED":"Ventoy-ni yangilashda xato. USB drayverini qayta ulang va qaytadan urinib ko'ring. Log fayliga qarang.tafsilotlar bilan txt. Agar xato davom etsa, rasmiy veb-saytdagi «FAQ» ga qarang.",
+        "STR_WAIT_PROCESS":"Harakat boshlandi, kuting...",
+        "STR_MENU_OPTION":"Sozlamalar",
+        "STR_MENU_SECURE_BOOT":"Secure Boot-Ni Qo'llab-Quvvatlash",
+        "STR_MENU_PART_CFG":"Qo'shimcha bo'lim",
+        "STR_BTN_OK":"OK",
+        "STR_BTN_CANCEL":"Bekor qilish",
+        "STR_PRESERVE_SPACE":"Disk oxirida qo'shimcha bo'lim yarating",
+        "STR_SPACE_VAL_INVALID":"Bo'lim o'lchamining yaroqsiz qiymati",
+        "STR_MENU_CLEAR":"Ventoyni Olib Tashlang",
+        "STR_CLEAR_SUCCESS":"Ventoy qurilmadan muvaffaqiyatli olib tashlandi.",
+        "STR_CLEAR_FAILED":"Ventoyni olib tashlashda xato. USB drayverini qayta ulang va qaytadan urinib ko'ring. Log fayliga qarang.tafsilotlar bilan txt.",
+        "STR_MENU_PART_STYLE":"Bo'limlarni belgilash uslubi",
+        "STR_DISK_2TB_MBR_ERROR":"2 TB dan ortiq xotira uchun GPT ni tanlang",
+        "STR_SHOW_ALL_DEV":"Barcha qurilmalarni ko'rsatish",
+        "STR_PART_ALIGN_4KB":"4 KB klasterli bo'limlarni tekislang",
+        "STR_WEB_COMMUNICATION_ERR":"Aloqa xatosi:",
+        "STR_WEB_REMOTE_ABNORMAL":"Aloqa xatosi: masofaviy ulanish haqiqiy emas",
+        "STR_WEB_REQUEST_TIMEOUT":"Aloqa xatosi: so'rov vaqti tugadi",
+        "STR_WEB_SERVICE_UNAVAILABLE":"Aloqa xatosi: xizmat mavjud emas",
+        "STR_WEB_TOKEN_MISMATCH":"Xizmat holati yangilandi, keyinroq qayta urinib ko'ring.",
+        "STR_WEB_SERVICE_BUSY":"Xizmat band, keyinroq qayta urinib ko'ring.",
+        "STR_MENU_VTSI_CREATE":"Fayl yarating .vtsi",
+        "STR_VTSI_CREATE_TIP":"Ventoy-ni haydovchiga o'rnatish o'rniga faqat vtsi fayli yaratiladi.#@Davom etasizmi?",
+        "STR_VTSI_CREATE_SUCCESS":"Fayl .vtsi muvaffaqiyatli yaratildi.#@Ventoy-ni o'rnatishni yakunlash uchun uni Rufus ilovasi (v3.15+) yordamida diskka yozishingiz mumkin.",
+        "STR_VTSI_CREATE_FAILED":"Vtsi faylini yaratishda xato.",
+        "STR_MENU_PART_RESIZE":"Buzilmaydigan o'rnatish",
+        "STR_PART_RESIZE_TIP":"Ventoy buzilmaydigan o'rnatishni amalga oshirishga harakat qiladi.#@Davom etasizmi?",
+        "STR_PART_RESIZE_SUCCESS":"Tabriklaymiz!#@Ventoy-ni buzilmaydigan o'rnatish muvaffaqiyatli yakunlandi.",
+        "STR_PART_RESIZE_FAILED":"Buzilmaydigan o'rnatishni amalga oshirib bo'lmadi, log fayliga qarang.tafsilotlar bilan txt.",
+        "STR_PART_RESIZE_UNSUPPORTED":"Ventoy-ning buzilmaydigan o'rnatilishi ba'zi talablarga javob bermasligi sababli to'xtatildi. Log fayliga qarang.tafsilotlar bilan txt.",
+        "STR_INSTALL_YES_TIP1":"DIQQAT: Barcha ma'lumotlar yo'qoladi!",
+        "STR_INSTALL_YES_TIP2":"Yangilashni emas, balki yangi o'rnatishni amalga oshirishni xohlayotganingizni tasdiqlash uchun quyidagi matn maydoniga «HA» yozing.",
+        "STR_PART_VENTOY_FS":"Ventoy bo'limi uchun fayl tizimi",
+        "STR_PART_FS":"Turi:",
+        "STR_PART_CLUSTER":"Klaster hajmi:",
+        "STR_PART_CLUSTER_DEFAULT":"Standart tizim qiymati",
+        "STR_DONATE":"Xayriya qilish",
+        "STR_4KN_UNSUPPORTED":"Ventoy hozirda mahalliy 4K qurilmalarini qo'llab-quvvatlamaydi.",
+        
+        "STRXXX":""
+    },
     {
         "name":"Greek (Ελληνικά)",
         "FontFamily":"Courier New",

LinuxGUI/Ventoy2Disk/Lib/libhttp/include/civetweb.c

@@ -7963,28 +7963,32 @@ delete_file(struct mg_connection *conn, const char *path)
 	}
 
 	/* This is an existing file (not a directory).
-	 * Check if write permission is granted. */
-	if (access(path, W_OK) != 0) {
-		/* File is read only */
-		send_http_error(
-		    conn,
-		    403,
-		    "Error: Delete not possible\nDeleting %s is not allowed",
-		    path);
-		return;
-	}
-
-	/* Try to delete it. */
+	 * Try to delete it directly and handle errors. */
 	if (mg_remove(conn, path) == 0) {
 		/* Delete was successful: Return 204 without content. */
 		send_http_error(conn, 204, "%s", "");
 	} else {
-		/* Delete not successful (file locked). */
-		send_http_error(conn,
-		                423,
-		                "Error: Cannot delete file\nremove(%s): %s",
-		                path,
-		                strerror(ERRNO));
+		/* Check the reason for failure. */
+		if (ERRNO == EACCES || ERRNO == EPERM) {
+			send_http_error(
+			    conn,
+			    403,
+			    "Error: Delete not possible\nDeleting %s is not allowed",
+			    path);
+		} else if (ERRNO == EBUSY || ERRNO == EAGAIN) {
+			send_http_error(conn,
+			                423,
+			                "Error: Cannot delete file\nremove(%s): %s",
+			                path,
+			                strerror(ERRNO));
+		} else {
+			send_http_error(conn,
+			                500,
+			                "Error: Could not delete %s\nremove(%s): %s",
+			                path,
+			                path,
+			                strerror(ERRNO));
+		}
 	}
 }
 #endif /* !NO_FILES */

LinuxGUI/Ventoy2Disk/ventoy_gui.c

@@ -1,6 +1,8 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdint.h>
+#include <fcntl.h>
+#include <unistd.h>
 #include <string.h>
 #include <stdarg.h>
 #include <unistd.h>
@@ -1192,26 +1194,34 @@ static int detect_gui_exe_path(int argc, char **argv, const char *curpath, char
     vlog("This is %s%d X environment.\n", guitype, ver);
     vlog("exe = %s\n", pathbuf);
 
-    if (access(pathbuf, F_OK) == -1)
+    int fd = open(pathbuf, O_RDONLY);
+    if (fd == -1)
     {
-        vlog("%s is not exist.\n", pathbuf);
+        vlog("%s does not exist or cannot be opened.\n", pathbuf);
         return 1;
     }
 
-    if (access(pathbuf, X_OK) == -1)
+    if (fstat(fd, &filestat) == 0)
     {
-        vlog("execute permission check fail, try chmod.\n", pathbuf);
-        if (stat(pathbuf, &filestat) == 0)
+        if ((filestat.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
         {
+            vlog("execute permission check fail, try chmod.\n");
             mode = filestat.st_mode | S_IXUSR | S_IXGRP | S_IXOTH;
-            ret = chmod(pathbuf, mode);
+            ret = fchmod(fd, mode);
             vlog("old mode=%o new mode=%o ret=%d\n", filestat.st_mode, mode, ret);
         }
+        else
+        {
+            vlog("execute permission check success.\n");
+        }
     }
     else
     {
-        vlog("execute permission check success.\n");
+        vlog("fstat failed on %s\n", pathbuf);
+        close(fd);
+        return 1;
     }
+    close(fd);
 
     return 0;
 }

Plugson/src/Lib/libhttp/include/civetweb.c

@@ -7977,28 +7977,26 @@ delete_file(struct mg_connection *conn, const char *path)
 	}
 
 	/* This is an existing file (not a directory).
-	 * Check if write permission is granted. */
-	if (access(path, W_OK) != 0) {
-		/* File is read only */
-		send_http_error(
-		    conn,
-		    403,
-		    "Error: Delete not possible\nDeleting %s is not allowed",
-		    path);
-		return;
-	}
-
-	/* Try to delete it. */
+	 * Try to delete the file directly. */
 	if (mg_remove(conn, path) == 0) {
 		/* Delete was successful: Return 204 without content. */
 		send_http_error(conn, 204, "%s", "");
 	} else {
-		/* Delete not successful (file locked). */
-		send_http_error(conn,
-		                423,
-		                "Error: Cannot delete file\nremove(%s): %s",
-		                path,
-		                strerror(ERRNO));
+		/* Check if the error is a permission error. */
+		if (ERRNO == EACCES || ERRNO == EPERM) {
+			send_http_error(
+			    conn,
+			    403,
+			    "Error: Delete not possible\nDeleting %s is not allowed",
+			    path);
+		} else {
+			/* Delete not successful (file locked or other error). */
+			send_http_error(conn,
+			                423,
+			                "Error: Cannot delete file\nremove(%s): %s",
+			                path,
+			                strerror(ERRNO));
+		}
 	}
 }
 #endif /* !NO_FILES */

Plugson/www/static/bootstrap/js/bootstrap.js

@@ -109,11 +109,12 @@ if (typeof jQuery === 'undefined') {
       selector = selector && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
     }
 
-    var $parent = $(selector)
-
-    if (e) e.preventDefault()
-
-    if (!$parent.length) {
+    var $parent;
+    if (selector && selector.charAt(0) === '#' && /^[#A-Za-z0-9\-_:.]+$/.test(selector)) {
+      // Only allow ID selectors
+      var el = document.getElementById(selector.slice(1));
+      $parent = $(el);
+    } else {
       $parent = $this.closest('.alert')
     }
 
@@ -502,7 +503,14 @@ if (typeof jQuery === 'undefined') {
   var clickHandler = function (e) {
     var href
     var $this   = $(this)
-    var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+    var targetSelector = $this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, ''); // strip for ie7
+    // Only allow ID selectors (starting with # and containing valid characters)
+    var $target = null;
+    if (targetSelector && /^#[A-Za-z0-9\-_:.]+$/.test(targetSelector)) {
+      $target = $(document).find(targetSelector);
+    } else {
+      return;
+    }
     if (!$target.hasClass('carousel')) return
     var options = $.extend({}, $target.data(), $this.data())
     var slideIndex = $this.attr('data-slide-to')
@@ -691,7 +699,7 @@ if (typeof jQuery === 'undefined') {
     var target = $trigger.attr('data-target')
       || (href = $trigger.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '') // strip for ie7
 
-    return $(target)
+    return $(document).find(target)
   }
 
 
@@ -773,7 +781,9 @@ if (typeof jQuery === 'undefined') {
       selector = selector && /#[A-Za-z]/.test(selector) && selector.replace(/.*(?=#[^\s]*$)/, '') // strip for ie7
     }
 
-    var $parent = selector && $(selector)
+    // Only allow selector if it is a safe CSS selector (starts with # or . and does not contain '<')
+    var isSafeSelector = selector && (/^#[\w-]+$/.test(selector) || (/^\.[\w-]+$/.test(selector))) && selector.indexOf('<') === -1;
+    var $parent = isSafeSelector ? $(document).find(selector) : $this.parent();
 
     return $parent && $parent.length ? $parent : $this.parent()
   }
@@ -1230,7 +1240,8 @@ if (typeof jQuery === 'undefined') {
   $(document).on('click.bs.modal.data-api', '[data-toggle="modal"]', function (e) {
     var $this   = $(this)
     var href    = $this.attr('href')
-    var $target = $($this.attr('data-target') || (href && href.replace(/.*(?=#[^\s]+$)/, ''))) // strip for ie7
+    var selector = $this.attr('data-target') || (href && href.replace(/.*(?=#[^\s]+$)/, '')); // strip for ie7
+    var $target = $(document).find(selector);
     var option  = $target.data('bs.modal') ? 'toggle' : $.extend({ remote: !/#/.test(href) && href }, $target.data(), $this.data())
 
     if ($this.is('a')) e.preventDefault()
@@ -1299,7 +1310,13 @@ if (typeof jQuery === 'undefined') {
     this.type      = type
     this.$element  = $(element)
     this.options   = this.getOptions(options)
-    this.$viewport = this.options.viewport && $($.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport))
+    var viewportOption = $.isFunction(this.options.viewport) ? this.options.viewport.call(this, this.$element) : (this.options.viewport.selector || this.options.viewport);
+    if (typeof viewportOption === 'string') {
+      // Use find to ensure only CSS selectors are accepted, not HTML
+      this.$viewport = $(document).find(viewportOption);
+    } else {
+      this.$viewport = $(viewportOption);
+    }
     this.inState   = { click: false, hover: false, focus: false }
 
     if (this.$element[0] instanceof document.constructor && !this.options.selector) {
@@ -1554,7 +1571,7 @@ if (typeof jQuery === 'undefined') {
     var $tip  = this.tip()
     var title = this.getTitle()
 
-    $tip.find('.tooltip-inner')[this.options.html ? 'html' : 'text'](title)
+    $tip.find('.tooltip-inner').text(title)
     $tip.removeClass('fade in top bottom left right')
   }
 
@@ -2217,7 +2234,7 @@ if (typeof jQuery === 'undefined') {
   var Affix = function (element, options) {
     this.options = $.extend({}, Affix.DEFAULTS, options)
 
-    this.$target = $(this.options.target)
+    this.$target = $(document).find(this.options.target)
       .on('scroll.bs.affix.data-api', $.proxy(this.checkPosition, this))
       .on('click.bs.affix.data-api',  $.proxy(this.checkPositionWithEventLoop, this))
 

SQUASHFS/squashfs-tools-4.4/squashfs-tools/lzma_xz_wrapper.c

@@ -25,6 +25,19 @@
 #include <string.h>
 #include <lzma.h>
 
+#if defined(__STDC_LIB_EXT1__)
+/* Use memset_s if available */
+#define secure_memset(dest, value, len) memset_s((dest), (len), (value), (len))
+#else
+/* Fallback secure_memset implementation */
+static void secure_memset(void *v, int c, size_t n) {
+    volatile unsigned char *p = (volatile unsigned char *)v;
+    while (n--) {
+        *p++ = (unsigned char)c;
+    }
+}
+#endif
+
 #include "squashfs_fs.h"
 #include "compressor.h"
 
@@ -120,7 +133,7 @@ static int lzma_uncompress(void *dest, void *src, int size, int outsize,
 		goto failed;
 	}
 
-	memset(lzma_header + LZMA_PROPS_SIZE, 255, LZMA_UNCOMP_SIZE);
+	secure_memset(lzma_header + LZMA_PROPS_SIZE, 255, LZMA_UNCOMP_SIZE);
 
 	strm.next_out = dest;
 	strm.avail_out = outsize;