mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-06-06 13:14:11 +00:00
5ffd896a7c
Adds SanitizeHTTPURL / SanitizePublicHTTPURL to reject private-range and loopback targets before any outbound HTTP request (node probe, xray download, outbound test, external traffic inform, tgbot API server, panel updater). Forwarded headers (X-Real-IP, X-Forwarded-For, X-Forwarded-Host) are now only trusted when the direct connection arrives from a CIDR in TrustedProxyCIDRs. CSP policy is tightened with a per-request nonce. HTTP server gains read/write/idle timeouts. Panel updater downloads the script to a temp file instead of piping curl into shell. Xray archive download adds a size cap and response-code check. backuptotgbot is changed from GET to POST. |
||
|---|---|---|
| .. | ||
| api.go | ||
| base.go | ||
| custom_geo.go | ||
| dist.go | ||
| inbound.go | ||
| index.go | ||
| login_limiter.go | ||
| login_limiter_test.go | ||
| node.go | ||
| server.go | ||
| setting.go | ||
| util.go | ||
| util_test.go | ||
| websocket.go | ||
| xray_setting.go | ||
| xui.go | ||