jojo/models
Mathieu Fenniak 32b8d732b8 2026-05-12 security patches (#12493)
- fix: prevent git write to wiki repo from unauthorized user via git HTTP
- fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
- fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
- fix: implement missing OAuth validation checks, improve protections against race conditions
- fix: prevent OAuth redirect URI spoofing via non-ASCII case collision
- fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks

## Release notes
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12493): 2026-05-12 security patches

Co-authored-by: Derzsi Dániel <daniel@tohka.us>
Co-authored-by: jvoisin <julien.voisin@dustri.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12493
2026-05-12 04:54:25 +02:00
actions feat: make it possible to remove workflow runs (#12478) 2026-05-11 16:02:36 +02:00
activities fix(activitypub): only return public activities on request (#12382) 2026-05-09 05:02:57 +02:00
admin feat: cache derived keys for faster keying (#10114) 2025-11-16 14:29:14 +01:00
asymkey chore: make use of go1.26 features (#12369) 2026-05-01 22:51:48 +02:00
auth 2026-05-12 security patches (#12493) 2026-05-12 04:54:25 +02:00
avatars feat(perf): remove unused size url parameter for local avatars (#10932) 2026-01-20 04:59:15 +01:00
db fix: make package cleanup work again (#12446) 2026-05-07 18:10:02 +02:00
dbfs chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
fixtures fix(activitypub): only return public activities on request (#12382) 2026-05-09 05:02:57 +02:00
forgefed chore(federation): re-enable nilnil lint (#11253) 2026-04-13 22:05:29 +02:00
forgejo/semver chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
forgejo_migrations feat: add name & description columns to authorized integration DB table (#12413) 2026-05-05 02:58:47 +02:00
forgejo_migrations_legacy fix: normalize secrets consistently, display accurate help (#11052) 2026-02-09 17:02:18 +01:00
git chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
gitea_migrations feat: expose immutable identifiers in Forgejo Actions JWTs (#12355) 2026-05-03 15:46:58 +02:00
issues fix: Prevent unremovable review requests after submitting pending reviews (#12302) 2026-05-08 05:52:59 +02:00
moderation feat: render a link to poster profile next to the ID within shadow copy details (#10194) 2025-12-09 15:19:10 +01:00
organization fix: paginate team members list (#12447) 2026-05-08 01:52:46 +02:00
packages fix: duplicate key violates unique constraint in concurrent debian package uploads (#11776) 2026-03-26 21:50:25 +01:00
perm chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
project feat(build): Support go "fmt" format strings as masked usage patterns (#12013) 2026-05-01 02:46:01 +02:00
pull chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
quota chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
repo feat: expose immutable identifiers in Forgejo Actions JWTs (#12355) 2026-05-03 15:46:58 +02:00
secret fix: secret name-prefix regex (#12213) 2026-04-21 19:55:16 +02:00
shared/types chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
system feat(build): Support go "fmt" format strings as masked usage patterns (#12013) 2026-05-01 02:46:01 +02:00
unit chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
unittest feat: replace repo based server-side hooks with centralised hooks (#10397) 2026-04-27 22:34:46 +02:00
user chore: make use of go1.26 features (#12369) 2026-05-01 22:51:48 +02:00
webhook chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
error.go fix: don't allow credentials in migrate/push mirror URL 2025-08-30 08:07:23 +02:00
main_test.go chore: move all test blank imports in a single package (#10662) 2026-01-02 05:32:32 +01:00
org.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
org_team.go chore: split AddRepository and AddTeamMember to return the inserted value (#11342) 2026-03-11 03:40:32 +01:00
org_team_test.go chore: split AddRepository and AddTeamMember to return the inserted value (#11342) 2026-03-11 03:40:32 +01:00
org_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
repo.go fix: cleanup data before migration retry (#12370) 2026-05-05 12:41:42 +02:00
repo_test.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
repo_transfer.go chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00
repo_transfer_test.go chore: fix typos throughout the codebase (#10753) 2026-01-26 22:57:33 +01:00