mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-05-13 06:20:24 +00:00
7 lines
935 B
Markdown
7 lines
935 B
Markdown
- fix: PKCE challenges to Forgejo's OAuth identity provider were not validated when using the `S256` algorithm
|
|
- fix: Forgejo supports using an OAuth Bearer token with HTTP basic authentication, rather than Bearer token authentication, but did not properly apply the limited scopes of the OAuth grant
|
|
- fix: missing permission checks in attachment-related web endpoints allowed modifying attachments that a user did not own
|
|
- fix: email notifications for new releases could be sent to users that no longer access to the repository, or to inactive users
|
|
- fix: missing permission checks in user/org-owned projects would allow modifications of the open/closed state to be made to projects via insecure direct object references
|
|
- fix: missing permission checks in a web endpoint allowed cancellation of the automerge of a PR
|
|
- fix: prevent additional path-traversals in post-login redirect parameters that allowed for arbitrary redirects
|