Alex-Devera/3x-ui
1
0
Fork 0
mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-06-06 05:04:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
3x-ui/web/middleware
History
farhadh 5ffd896a7c
fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts 
Adds SanitizeHTTPURL / SanitizePublicHTTPURL to reject private-range
and loopback targets before any outbound HTTP request (node probe,
xray download, outbound test, external traffic inform, tgbot API
server, panel updater). Forwarded headers (X-Real-IP, X-Forwarded-For,
X-Forwarded-Host) are now only trusted when the direct connection
arrives from a CIDR in TrustedProxyCIDRs. CSP policy is tightened with
a per-request nonce. HTTP server gains read/write/idle timeouts. Panel
updater downloads the script to a temp file instead of piping curl into
shell. Xray archive download adds a size cap and response-code check.
backuptotgbot is changed from GET to POST.
2026-05-11 21:16:23 +02:00
..
domainValidator.go docs: add comments for all functions 2025-09-20 09:35:50 +02:00
redirect.go docs: add comments for all functions 2025-09-20 09:35:50 +02:00
security.go fix(security): SSRF prevention, trusted-proxy header gating, CSP nonce, HTTP timeouts 2026-05-11 21:16:23 +02:00
security_test.go v3 2026-05-10 02:13:42 +02:00