Security fixes are applied to the latest maintained release line.
| Version | Supported |
|---|---|
| 1.4.x | Yes |
| 1.3.x and earlier | No |
Use Security → Report a vulnerability in this repository. GitHub Private Vulnerability Reporting is enabled.
Do not publish complete proxy URIs, UUIDs, passwords, authentication data, subscription tokens, private source URLs, customer data, GeoLite2 databases, runtime storage contents or complete production logs in a public issue.
A useful report should include:
- affected project version;
- deployment mode;
- PHP version and web server;
- affected endpoint, module or processing stage;
- selected protocol;
- reproducible steps using synthetic data;
- expected security impact;
- any suggested mitigation.
Proxy List Processor may process or temporarily store:
- private subscription URLs and their query tokens;
- complete proxy configuration URIs;
- protocol credentials, UUIDs and keys;
- uploaded source files;
- generated Base64 and plain URI files;
- source metadata and processing history;
- anonymous session owner identifiers;
- rate-limit state;
- GeoLite2 database files;
- short application diagnostics.
Generated subscriptions, history records, logs, temporary files, lock files, cleanup stamps, rate-limit state and GeoLite2 data are excluded by .gitignore and must not be committed manually.
Runtime cleanup is opportunistic: it runs when the processing or history API is used. Long-idle installations should still be reviewed before backup, migration or publication.
- Use
publicmode for an internet-accessible installation. - Use
privatemode only when access topanel/is restricted externally; private mode does not provide authentication. - Keep the bundled Apache denial rules for
panel/storage/or configure the documented nginx equivalent. - Use HTTPS.
- Add only actual reverse-proxy IPs to
trusted_proxy_ips. - Do not weaken SSRF checks, rate limits, storage quotas or application limits without a documented reason.
- Grant write access only to the required storage and subscription directories.
- Treat locally installed PHP modules as trusted code with the same permissions as the application.
- Do not disable runtime cleanup without another retention procedure.
- Treat generated subscription URLs as bearer links.
Confirmed vulnerabilities will be fixed in the current supported release line and documented without exposing unnecessary exploit details.