peezy-tech/jojo
2
0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2026-05-12 22:10:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jojo/services/context
History
Mathieu Fenniak 32b8d732b8 2026-05-12 security patches (#12493) 
- fix: prevent git write to wiki repo from unauthorized user via git HTTP
- fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
- fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
- fix: implementing missing OAuth validation checks, improve protections against race conditions
- fix: prevent OAuth redirect URI spoofing via non-ascii case collision
- fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/12493): <!--number 12493 --><!--line 0 --><!--description MjAyNi0wNS0xMiBzZWN1cml0eSBwYXRjaGVz-->2026-05-12 security patches<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: Derzsi Dániel <daniel@tohka.us>
Co-authored-by: jvoisin <julien.voisin@dustri.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12493
2026-05-12 04:54:25 +02:00
..
upload chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
access_log.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
api.go refactor: change authentication to return structured data (#12202) 2026-04-22 21:00:26 +02:00
api_org.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
api_test.go feat: remove admin-level permissions from repo-specific & public-only access tokens (#11468) 2026-03-04 16:17:41 +01:00
base.go fix: omit Content-Length on 307 redirects when serving direct manifest for containers (#8037) 2025-06-09 08:43:41 +02:00
base_test.go branding!: make cookies brand independent (#10645) 2026-03-19 04:34:27 +01:00
captcha.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
context.go refactor: change authentication to return structured data (#12202) 2026-04-22 21:00:26 +02:00
context_cookie.go branding!: make cookies brand independent (#10645) 2026-03-19 04:34:27 +01:00
context_model.go chore: add modernizer linter (#11936) 2026-04-02 03:29:37 +02:00
context_request.go fix: return bad request on malformed packages upload input (#10954) 2026-02-13 18:04:19 +01:00
context_response.go chore: handle error types consistently (#9873) 2026-03-06 00:48:06 +01:00
context_test.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
org.go fix(web): org projects assignment in issue view (#7999) 2026-05-02 01:29:40 +02:00
package.go feat: Global 2FA enforcement (#8753) 2025-08-15 10:56:45 +02:00
pagination.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
permission.go 2026-05-12 security patches (#12493) 2026-05-12 04:54:25 +02:00
private.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
quota.go Update module github.com/golangci/golangci-lint/cmd/golangci-lint to v2 (forgejo) (#7367) 2025-03-28 22:22:21 +00:00
repo.go 2026-05-12 security patches (#12493) 2026-05-12 04:54:25 +02:00
repository.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
response.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
user.go fix: do visibility check for user redirect lookup 2025-08-30 09:37:25 +02:00
utils.go Move context from modules to services (#29440) 2024-03-06 12:10:43 +08:00