jojo/routers/web
Mathieu Fenniak 97a0ab9833 [v15.0/forgejo] 2026-05-12 security patches (#12494)
- fix: prevent git write to wiki repo from unauthorized user via git HTTP
- fix: prevent LFS authorization token from being used for read/write access after user's access is restricted from Forgejo
- fix: prevent scoped API access (OAuth tokens, Access tokens) from accessing resources beyond their permitted scope via non-API endpoints (e.g. /user/repo/raw/...)
- fix: implement missing OAuth validation checks, improve protections against race conditions
- fix: prevent OAuth redirect URI spoofing via non-ASCII case collision
- fix: strengthen Actions Artifact V4 signature algorithm against spoofing attacks

Co-authored-by: Derzsi Dániel <daniel@tohka.us>
Co-authored-by: jvoisin <julien.voisin@dustri.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12494
2026-05-12 04:54:28 +02:00
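The redirect-URI case-collision item in the commit message above, illustrated as an added Go example. This is not Forgejo's code and does not reproduce the patched check; it assumes the general mechanism behind that class of bug, namely that a Unicode-aware case-insensitive comparison (`strings.EqualFold`) was used where only the ASCII scheme and host are case-insensitive. The registered and spoofed URIs are constructed samples and the function names are mine.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample: the redirect URI registered for a hypothetical OAuth client.
const registeredRedirect = "https://app.example.com/callback"

// Constructed sample: the final "k" is replaced by U+212A KELVIN SIGN, which
// Unicode simple case folding maps onto "k". The browser will be sent to this
// literal path (/callbac%E2%84%AA), not to the registered one.
const spoofedRedirect = "https://app.example.com/callbac\u212A"

// looseMatch is the weak comparison that invites the bug: strings.EqualFold
// applies Unicode case folding to every rune of the whole URI, so non-ASCII
// code points collide with ASCII letters (U+212A with "k", U+017F LONG S with
// "s") and the case-sensitive path is compared case-insensitively as well.
func looseMatch(registered, candidate string) bool {
	return strings.EqualFold(registered, candidate)
}

// asciiLower folds only A-Z; every other byte, including non-ASCII UTF-8
// sequences, is left untouched, so a Kelvin sign can never equal "k".
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// strictMatch is the hardened form: parse both URIs, fold scheme and host with
// ASCII-only lowercasing (those components are case-insensitive per RFC 3986),
// and require the escaped path, query and fragment to be byte-for-byte equal.
func strictMatch(registered, candidate string) bool {
	r, err := url.Parse(registered)
	if err != nil {
		return false
	}
	c, err := url.Parse(candidate)
	if err != nil {
		return false
	}
	return asciiLower(r.Scheme) == asciiLower(c.Scheme) &&
		asciiLower(r.Host) == asciiLower(c.Host) &&
		r.EscapedPath() == c.EscapedPath() &&
		r.RawQuery == c.RawQuery &&
		r.Fragment == c.Fragment
}

func main() {
	candidates := []string{
		registeredRedirect,                      // exact: both accept
		"https://APP.EXAMPLE.COM/callback",      // host case: both accept
		"https://app.example.com/CALLBACK",      // path case: strict rejects
		spoofedRedirect,                         // Kelvin sign: strict rejects
	}
	for _, c := range candidates {
		fmt.Printf("%-42q loose=%-5t strict=%t\n", c,
			looseMatch(registeredRedirect, c), strictMatch(registeredRedirect, c))
	}
}
```

The loose check accepts all four candidates; the strict check accepts only the first two, so an authorization code can no longer be delivered to a path the client never registered.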
admin [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
auth [v15.0/forgejo] 2026-05-12 security patches (#12494) 2026-05-12 04:54:28 +02:00
demo chore(ui): change /devtest to /-/demo (#11019) 2026-01-26 13:12:25 +01:00
events chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
explore refactor: replace Value() from Option[T] with Get() & ValueOrZeroValue() (#11218) 2026-02-10 16:41:21 +01:00
feed fix: use an absolute URL for compare links in atom feed (#10933) 2026-02-01 10:00:21 +01:00
healthcheck chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
misc Move web app manifest to a own cache-able route and add a setting to set "display": "standalone"; Closes #2638 (#5384) 2026-01-09 17:49:29 +01:00
moderation feat!: Abusive content reporting (#6977) 2025-05-18 08:05:16 +00:00
org [v15.0/forgejo] fix: paginate team members list (#12461) 2026-05-08 02:43:47 +02:00
repo [v15.0/forgejo] 2026-05-12 security patches (#12494) 2026-05-12 04:54:28 +02:00
shared [v15.0/forgejo]: chore: add modernizer linter (#11949) 2026-04-02 16:54:46 +02:00
user [v15.0/forgejo] refactor: change authentication to return structured data (#12462) 2026-05-08 04:07:32 +02:00
base.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
githttp.go feat: replace cross origin protection (#9830) 2025-10-29 22:43:22 +01:00
goget.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
home.go feat: Global 2FA enforcement (#8753) 2025-08-15 10:56:45 +02:00
metrics.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
nodeinfo.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
swagger_json.go chore: branding import path (#7337) 2025-03-27 19:40:14 +00:00
web.go [v15.0/forgejo] refactor: clarify four different outputs that authentication methods provide (#12468) 2026-05-08 07:31:33 +02:00
webfinger.go fix: trim trailing slash in WebFinger OIDC issuer link (#8794) 2025-08-06 14:50:51 +02:00