https://codeberg.org/forgejo/forgejo/milestone/22043 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9105 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org> Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Detailed comments on security bug fixes
- PR (backported): fix: validate CSRF on non-safe methods

  All PUT/DELETE routes in the web UI are now validated to prevent cross-site request forgery. Although all POST routes were already validated with a CSRF token, some PUT/DELETE routes were missing this validation.

- PR (backported): fix: use credential helpers for git clones

  When performing a `git clone` that requires credentials, they are now temporarily stored in a file and supplied to Git through a credential helper. They were previously embedded in the clone URL, which was readable by any user with shell access to the host running the Forgejo instance, for instance by listing the running processes (`ps`).

- PR (backported): fix: consistently enforce 2FA on OpenID 2.0

- PR (backported): fix: delete old auth token upon replacing primary email

  When the primary email is changed before it has been validated, the validation URL sent for the old address must be invalidated. It was previously possible to delay using that URL, change the primary email in the meantime, and then validate the newer primary email with the URL sent for the older one, effectively bypassing validation.

- PR (backported): fix: require password login for creation of new token

  Obtaining a personal access token via the API is no longer possible if the credential used for basic authentication is an API token or an OAuth2 token: it has to be the user's password. This requirement was already enforced when API calls are made with an authorization header, as described in the documentation, but it was not enforced with basic authentication. As a consequence, an API token with `write:user` permissions or an OAuth2 token could obtain a new token with an identical or wider scope. This privilege escalation was only possible for tokens with write permissions on the user.

- PR (backported): fix: ensure GetUserByEmail only considers validated emails

  Only validated emails can now be used to:

  - assert whether a commit signature can be trusted, or
  - assign comments and issues to an existing user during a migration.

  Emails that were not yet validated could previously be used as if they were validated, incorrectly showing commits as trusted or assigning comments and issues to the user associated with that email during migrations.

  Existing migrations are not modified when they were incorrectly assigned based on an email that is not validated. The trust status of all commit signatures will now differ depending on the validation status of the email.

- PR (backported): fix: don't allow credentials in migrate/push mirror URL

  It is no longer possible to specify the user and password as part of the URL when migrating a repository; the form fields dedicated to that purpose must be used instead. This prevents those credentials from being displayed in the repository settings, which are visible to repository admins, when the migration is a mirror.

- PR (backported): fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner
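The CSRF item above describes a policy gap rather than a token bug: the token check was keyed on the HTTP method, and only POST was covered. The following Go example is added here to illustrate that gap and its fix; it is not Forgejo's middleware, and the cookie and header names, the route path and the two policy functions are assumptions for the example. It uses the double-submit cookie pattern (header value must match the cookie value) and sends a cross-site DELETE, which carries the victim's cookies but cannot carry the token, through both policies.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Names are assumptions for this example, not Forgejo's actual identifiers.
const (
	csrfCookieName = "_csrf"
	csrfHeaderName = "X-Csrf-Token"
)

// postOnly mirrors the incomplete pre-fix policy: only POST is checked, so a
// PUT or DELETE route is reachable from a cross-site form or fetch().
func postOnly(method string) bool { return method == http.MethodPost }

// nonSafe is the corrected policy: every method that may change state
// (anything but the RFC 9110 safe methods) must carry a token.
func nonSafe(method string) bool {
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return false
	}
	return true
}

// csrfMiddleware implements the double-submit cookie pattern: the token sent in
// the request header (or form field) must equal the value of the CSRF cookie,
// which a cross-site attacker cannot read.
func csrfMiddleware(needsToken func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if needsToken(r.Method) {
			c, err := r.Cookie(csrfCookieName)
			if err != nil || c.Value == "" {
				http.Error(w, "missing CSRF cookie", http.StatusForbidden)
				return
			}
			sent := r.Header.Get(csrfHeaderName)
			if sent == "" {
				sent = r.FormValue("_csrf")
			}
			if subtle.ConstantTimeCompare([]byte(sent), []byte(c.Value)) != 1 {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one request through the middleware and returns the status code.
// cookie is what the victim's browser attaches automatically; header is what the
// page's own JavaScript sends (an attacker's page cannot read the cookie to do so).
func statusFor(needsToken func(string) bool, method, cookie, header string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	h := csrfMiddleware(needsToken, ok)
	req := httptest.NewRequest(method, "/org/repo/settings/branches/main", nil) // assumed route
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookieName, Value: cookie})
	}
	if header != "" {
		req.Header.Set(csrfHeaderName, header)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Pre-fix: a cross-site DELETE arrives with the cookie but no token and succeeds.
	fmt.Println("postOnly DELETE without token:", statusFor(postOnly, "DELETE", "tok", ""))
	// Post-fix: the same request is rejected; a same-origin request with the token passes.
	fmt.Println("nonSafe  DELETE without token:", statusFor(nonSafe, "DELETE", "tok", ""))
	fmt.Println("nonSafe  DELETE with token:   ", statusFor(nonSafe, "DELETE", "tok", "tok"))
}
```

The check a reviewer would add for a change like this is the negative one: for every route registered with a non-safe method, a request without the token must come back 403, not only for POST.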
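Two of the items above are about the same mistake, a secret travelling inside a URL: the clone item (the password showed up in the `git` command line and therefore in `ps`), and the migrate/push-mirror item (the password entered as part of the URL was later displayed in the settings). The Go example below is added here to show both sides and is not Forgejo's code; the function names, the credential file name and the `cat`-based helper are assumptions. The helper uses the inline shell-function form documented in `gitcredentials(7)`: a value starting with `!` is run through the shell, git appends the action (`get`, `store` or `erase`) as an argument, and for `get` the helper answers with `username=` and `password=` lines on stdout.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// ErrCredentialsInURL is returned for a migration or push-mirror URL that embeds
// userinfo. Name and behaviour are assumptions for this example.
var ErrCredentialsInURL = errors.New("credentials must not be embedded in the URL; use the dedicated username/password fields")

// parseRemoteURL validates a user-supplied remote URL: any "user:password@" part
// is rejected instead of being accepted and later shown on the settings page.
func parseRemoteURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.User != nil {
		return nil, ErrCredentialsInURL
	}
	return u, nil
}

// legacyCloneArgs shows the pre-fix pattern: the secret ends up in argv, where any
// local user can read it with `ps` or from /proc/<pid>/cmdline.
func legacyCloneArgs(remote *url.URL, username, password, dest string) []string {
	u := *remote
	u.User = url.UserPassword(username, password)
	return []string{"git", "clone", "--", u.String(), dest}
}

// writeCredentialFile stores the secret in a mode-0600 file inside dir, in the
// key=value format git expects on a credential helper's stdout for "get".
func writeCredentialFile(dir, username, password string) (string, error) {
	path := filepath.Join(dir, "git-credentials")
	content := "username=" + username + "\npassword=" + password + "\n"
	if err := os.WriteFile(path, []byte(content), 0o600); err != nil {
		return "", err
	}
	return path, nil
}

// shellQuote single-quotes s for POSIX sh, so an odd path cannot break the helper.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// cloneArgs builds argv for a clone that authenticates through a per-invocation
// credential helper. The inline function prints the file for every action (git
// ignores the output for "store" and "erase"), so only the file path, never the
// password, is visible in the process list.
func cloneArgs(remote *url.URL, credFile, dest string) []string {
	helper := "!f() { cat " + shellQuote(credFile) + "; }; f"
	return []string{"git", "-c", "credential.helper=" + helper, "clone", "--", remote.String(), dest}
}

// exposesSecret reports whether the secret would be visible in a process listing.
func exposesSecret(args []string, secret string) bool {
	return strings.Contains(strings.Join(args, " "), secret)
}

func main() {
	// Constructed sample inputs; the host and the password are made up.
	if _, err := parseRemoteURL("https://bob:hunter2@git.example.org/org/repo.git"); err != nil {
		fmt.Println("form URL rejected:", err)
	}
	remote, _ := parseRemoteURL("https://git.example.org/org/repo.git")
	dir, _ := os.MkdirTemp("", "clone-example")
	defer os.RemoveAll(dir)
	credFile, _ := writeCredentialFile(dir, "bob", "hunter2")
	fmt.Println("legacy argv leaks password:", exposesSecret(legacyCloneArgs(remote, "bob", "hunter2", "/srv/repo"), "hunter2"))
	fmt.Println("helper argv leaks password:", exposesSecret(cloneArgs(remote, credFile, "/srv/repo"), "hunter2"))
}
```

The credential file must be deleted as soon as the clone finishes, and the directory it lives in must not be readable by other local users; the 0600 mode only protects the file itself.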
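The primary-email item above is a token lifetime bug: a validation link was issued for one address and still honoured after the address it belonged to had been swapped out. The Go example below is added here to replay that sequence against a minimal in-memory model; it is not Forgejo's code, and the `store`, `user` and `activationToken` types, the addresses and the 24-hour lifetime are assumptions for the example. The `legacy` switch reproduces the pre-fix behaviour so both outcomes can be compared; the fixed path applies two independent controls, deleting the user's outstanding tokens when the email changes and binding each token to the address it was issued for.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Simplified model for the example; names are assumptions, not Forgejo's types.
type user struct {
	ID            int64
	PrimaryEmail  string
	EmailVerified bool
}

// activationToken records which user and, crucially, which address a link may verify.
type activationToken struct {
	UserID  int64
	Email   string
	Expires time.Time
}

type store struct {
	users  map[int64]*user
	tokens map[string]activationToken
	now    func() time.Time
	// legacy reproduces the pre-fix behaviour: old tokens survive an email change
	// and are not bound to the address they were mailed to.
	legacy bool
}

func newStore(legacy bool) *store {
	return &store{users: map[int64]*user{}, tokens: map[string]activationToken{}, now: time.Now, legacy: legacy}
}

func (s *store) addUser(id int64) { s.users[id] = &user{ID: id} }

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// setPrimaryEmail records a new, unverified primary address and returns the token
// that would be embedded in the validation link. The fix deletes every token the
// user still has, so a link mailed to the previous address becomes useless.
func (s *store) setPrimaryEmail(uid int64, email string) (string, error) {
	u, ok := s.users[uid]
	if !ok {
		return "", errors.New("no such user")
	}
	u.PrimaryEmail = email
	u.EmailVerified = false
	if !s.legacy {
		for tok, rec := range s.tokens {
			if rec.UserID == uid {
				delete(s.tokens, tok)
			}
		}
	}
	tok := randomToken()
	s.tokens[tok] = activationToken{UserID: uid, Email: email, Expires: s.now().Add(24 * time.Hour)}
	return tok, nil
}

// activate redeems a token once. Binding the token to the address it was issued for
// is a second line of defence: even a token that survived the change can only verify
// the address the mail was actually delivered to.
func (s *store) activate(tok string) error {
	rec, ok := s.tokens[tok]
	if !ok {
		return errors.New("unknown or already used token")
	}
	delete(s.tokens, tok) // single use
	if s.now().After(rec.Expires) {
		return errors.New("token expired")
	}
	u := s.users[rec.UserID]
	if u == nil {
		return errors.New("no such user")
	}
	if !s.legacy && u.PrimaryEmail != rec.Email {
		return errors.New("token was issued for a different address")
	}
	u.EmailVerified = true
	return nil
}

// bypassWorks replays the sequence from the advisory: obtain a link for an address
// the attacker controls, switch the primary email to one they do not, then redeem
// the stale link. It returns true when the second address ends up verified.
func bypassWorks(legacy bool) bool {
	s := newStore(legacy)
	s.addUser(1)
	staleLink, _ := s.setPrimaryEmail(1, "attacker@example.org") // mail delivered here
	_, _ = s.setPrimaryEmail(1, "victim@trusted.example")       // attacker cannot read this mailbox
	return s.activate(staleLink) == nil && s.users[1].EmailVerified
}

func main() {
	fmt.Println("bypass works with pre-fix behaviour:", bypassWorks(true))
	fmt.Println("bypass works with the fix:          ", bypassWorks(false))
}
```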
Release notes
- Security bug fixes
  - PR (backported): fix: validate CSRF on non-safe methods
  - PR (backported): fix: use credential helpers for git clones
  - PR (backported): fix: consistently enforce 2FA on OpenID 2.0
  - PR (backported): fix: delete old auth token upon replacing primary email
  - PR (backported): fix: require password login for creation of new token
  - PR (backported): fix: ensure GetUserByEmail only considers validated emails
  - PR (backported): fix: don't allow credentials in migrate/push mirror URL
  - PR (backported): fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner
- Bug fixes
  - PR (backported): fix(code-search): fix broken pagination.
  - PR (backported): fix: store code challenge correctly in session
  - PR (backported): fix: de-duplicate Forgejo Actions job names when needed
  - PR (backported): fix: load OldMilestone based on OldMilestoneID, not MilestoneID
- Included for completeness but not user-facing (chores, etc.)
  - PR: storage test: reader should not be closed on save
  - PR (backported): fix(test): TestActionsArtifactOverwrite needs ordered query for pgsql
  - PR: Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.4.1 (v11.0/forgejo)
  - PR: Update dependency go to v1.24.6 (v11.0/forgejo)
  - PR: Update module github.com/go-chi/chi/v5 to v5.2.2 (v11.0/forgejo)
  - PR: Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.3.5 (v11.0/forgejo)
  - PR (backported): Revert "fix(ci): pull stylus from github:stylus/stylus#0.57.0 (#8625)"
  - PR (backported): fix(ci): pull stylus from github:stylus/stylus#0.57.0
  - PR (backported): chore: disable E2E test for webkit
  - PR (backported): fix(packages): skip another stack frame from logging
  - PR (backported): chore: use eventually for mysql collation test
  - PR (backported): fix(code-search): HighlightSearchResultCode should count the number of bytes and not the number of runes
  - PR (backported): chore: disable mismatched root URL e2e test for safari