XSS: Validate HTTP_X_FORWARDED_FOR header. #3439
Prior versions of osTicket blindly trusted HTTP headers set by upstream proxies or agents. This pull request addresses possible remote XSS injection via the X_FORWARDED_FOR header by introducing HTTP options to define a list of Trusted Proxies as well as the address space of trusted Local Networks. CIDR notation (subnets) is supported.
HTTP Option: TRUSTED_PROXIES (default:
HTTP Option: LOCAL_NETWORKS (default: 127.0.0.0/24)
Validate Upstream IP Addresses
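The validation the pull request describes, written here as an added Python illustration rather than osTicket's own PHP: X-Forwarded-For is only honoured when the TCP peer is a trusted proxy or inside a local network, every hop must parse as an IP address (so header text such as a script tag can never reach the page), and the trusted-proxy and local-network values below are constructed for the example.

```python
import ipaddress

# Constructed equivalents of the two HTTP options from the pull request
# (TRUSTED_PROXIES / LOCAL_NETWORKS); these values are assumptions, not osTicket defaults.
TRUSTED_PROXIES = ["10.0.0.5", "192.0.2.0/24"]
LOCAL_NETWORKS = ["127.0.0.0/24"]


def parse_networks(entries):
    """Turn bare IPs and CIDR subnets into network objects (a bare IP becomes /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(ip, networks):
    """True when ip falls inside any configured trusted proxy or local network."""
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr, forwarded_for=None,
                      trusted_proxies=TRUSTED_PROXIES, local_networks=LOCAL_NETWORKS):
    """Return the client address as a validated IP string, never raw header text.

    The X-Forwarded-For list is only consulted when the peer itself is trusted.
    It is then walked from the right, skipping trusted hops, and the first
    untrusted address is the client. Any hop that is not a syntactically valid
    IP invalidates the whole header and the peer address is used instead.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = parse_networks(trusted_proxies) + parse_networks(local_networks)
    if not forwarded_for or not is_trusted(peer, trusted):
        # Untrusted peer: anything it sends in the header is ignored.
        return str(peer)
    hops = [h.strip() for h in forwarded_for.split(",")]
    try:
        parsed = [ipaddress.ip_address(h) for h in hops]
    except ValueError:
        # e.g. "<script>alert(1)</script>": not an address, so the header is discarded.
        return str(peer)
    for hop in reversed(parsed):
        if not is_trusted(hop, trusted):
            return str(hop)
    # Every hop was a trusted proxy; the leftmost entry is the best available answer.
    return str(parsed[0])
```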