peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-13 14:30:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 7
jojo/routers/api
History
Exact
Mathieu Fenniak 32b8d732b8 2026-05-12 security patches (#12493) 
- fix: prevent git write to wiki repo from unauthorized user via git HTTP
- fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
- fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
- fix: implementing missing OAuth validation checks, improve protections against race conditions
- fix: prevent OAuth redirect URI spoofing via non-ascii case collision
- fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12493): <!--number 12493 --><!--line 0 --><!--description MjAyNi0wNS0xMiBzZWN1cml0eSBwYXRjaGVz-->2026-05-12 security patches<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: Derzsi Dániel <daniel@tohka.us>
Co-authored-by: jvoisin <julien.voisin@dustri.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12493
2026-05-12 04:54:25 +02:00
..
actions 2026-05-12 security patches (#12493) 2026-05-12 04:54:25 +02:00
forgejo/v1 fix: /api/forgejo/v1/version Content-Type error (#9897) 2025-11-05 17:35:50 +01:00
packages feat: support simple JSON API for PyPI package registry (#12095) 2026-04-30 16:58:28 +02:00
shared feat: authorized integrations DB models and authentication implementation (#12261) 2026-04-26 20:52:42 +02:00
v1 feat(api): add admin routes to manage user access tokens (#12323) 2026-05-11 16:55:22 +02:00