jojo/services
Mathieu Fenniak 9e51a55b63 [v11.0/forgejo] 2026-05-12 security patches (#12495)
- fix: prevent git write to wiki repo from unauthorized user via git HTTP
- fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
- fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
- fix: implement missing OAuth validation checks, improve protections against race conditions
- fix: prevent OAuth redirect URI spoofing via non-ASCII case collision
- fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks
- fix: update Go toolchain to 1.25.10

Co-authored-by: Derzsi Dániel <daniel@tohka.us>
Co-authored-by: jvoisin <julien.voisin@dustri.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12495
2026-05-12 04:54:30 +02:00
actions [v11.0/forgejo] fix: don't duplicate commit status records on workflows with empty name (#10681) 2026-01-05 15:03:46 +01:00
agit [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
asymkey [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
attachment fix: check that attachments belong to correct resource 2026-03-06 11:20:50 -07:00
auth fix: consider scopes for OAuth2 token via basic login 2026-03-06 11:20:50 -07:00
automerge chore: add integration testing 2026-03-06 11:20:50 -07:00
context [v11.0/forgejo] 2026-05-12 security patches (#12495) 2026-05-12 04:54:30 +02:00
contexttest [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
convert fix: hide user profile anonymous options on public repo APIs 2026-01-06 10:44:07 -07:00
cron [v11.0/forgejo] fix: LFS GC is never running because of a bug in the parsing of the INI file (#9222) 2025-09-09 23:39:20 +02:00
doctor [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
externalaccount [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
f3 [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
federation [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
feed fix: load reviewer for pull review dismiss action notifier 2026-01-06 11:10:12 -07:00
forgejo [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
forms [v11.0/forgejo] fix: don't allow credentials in migrate/push mirror URL (#9065) 2025-08-30 18:53:14 +02:00
gitdiff [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
indexer [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
issue [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
lfs [v11.0/forgejo] 2026-05-12 security patches (#12495) 2026-05-12 04:54:30 +02:00
mailer chore: add unit test 2026-03-08 20:07:42 -06:00
markup [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
migrations [v11.0/forgejo] fix(migrations): transfer PR flow information (#7437) 2025-04-03 07:35:20 +00:00
mirror [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
notify [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
org [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
packages [v11.0/forgejo] fix: package cleaned rule fails if the keep count is too high (#9469) 2025-09-29 18:02:21 +02:00
pull [v11.0/forgejo] fix: verify PR author has write access to head to support allow maintainers edit (#12295) 2026-04-29 05:29:46 +02:00
redirect [v11.0/forgejo] fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner (#9089) 2025-08-30 18:52:43 +02:00
release [v11.0/forgejo] fix: don't trip deleting attachment with missing permission error (#11679) 2026-03-14 19:11:33 +01:00
remote [v11.0/forgejo] chore: tune down remote user promotion debug message shown as error (#7691) 2025-04-29 13:31:36 +00:00
repository [v11.0/forgejo] fix: prevent .forgejo/template from being out-of-repo content 2025-10-24 22:08:23 -06:00
secrets [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
shared/automerge [v11.0/forgejo] fix: do not ignore automerge while a PR is checking for conflicts (#8456) 2025-07-09 14:09:12 +02:00
task [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
uinotification [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
user [v11.0/forgejo] fix: delete old auth token upon replacing primary email (#9086) 2025-08-30 18:56:28 +02:00
webhook [v11.0/forgejo] chore: merge tests.AddFixtures and unittest.OverrideFixtures (#7649) 2025-04-25 09:59:30 +00:00
wiki [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00