forgejo/release-notes-published/12.0.2.md
forgejo-release-manager 6ae943758f chore(release-notes): Forgejo v12.0.2 (#9104)
https://codeberg.org/forgejo/forgejo/milestone/22489
Co-authored-by: 0ko <0ko@noreply.codeberg.org>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9104
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
Co-committed-by: forgejo-release-manager <contact-forgejo-release-manager@forgejo.org>
2025-08-31 14:48:32 +02:00

## Detailed comments on security bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9074) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9083)): <!--number 9083 --><!--line 0 --><!--description Zml4OiBlbWFpbCBjb21tZW50cyBhcmUgcmVtb3ZlZCBmcm9tIGVtYWlsIGFkZHJlc3Nlcw==-->fix: email comments are removed from email addresses<!--description-->
When registering with an email address that includes a comment (e.g. `me@example.com (a comment here)`), the comment is now removed from the address before it is checked. It was previously possible to place an email address inside the comment to bypass the block list: registering with `me@evilcorp.com (me@example.com)` was incorrectly checked against the block list using the domain from the comment (`@example.com`) instead of `@evilcorp.com`. This is a regression introduced in Forgejo v12.
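The check described above, as an added example rather than Forgejo's own code: the block list, the `stripComments` routine and the `naiveBlocked` stand-in for the regression are all constructed for this illustration. The naive variant derives the domain from the raw string, so the last `@` it finds belongs to the comment; the fixed variant strips RFC 5322 comments first.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed block list for this example; Forgejo reads its own from configuration.
var blockedDomains = map[string]bool{"evilcorp.com": true}

// stripComments removes RFC 5322 comments, i.e. parenthesised text such as the
// "(a comment here)" in "me@example.com (a comment here)". It handles nested
// parentheses and backslash-escaped characters inside a comment, then trims
// surrounding whitespace.
func stripComments(addr string) string {
	var b strings.Builder
	depth := 0
	for i := 0; i < len(addr); i++ {
		c := addr[i]
		switch {
		case depth > 0 && c == '\\' && i+1 < len(addr):
			i++ // quoted-pair inside a comment: skip the escaped byte as well
		case c == '(':
			depth++
		case c == ')' && depth > 0:
			depth--
		case depth == 0:
			b.WriteByte(c)
		}
	}
	return strings.TrimSpace(b.String())
}

// domainOf returns the lower-cased part after the last '@' ("" if there is none).
func domainOf(addr string) string {
	at := strings.LastIndexByte(addr, '@')
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr[at+1:])
}

// naiveBlocked stands in for the regression: the domain is derived from the
// unstripped string, so the last '@' it finds is the one inside the comment.
func naiveBlocked(raw string) bool {
	return blockedDomains[domainOf(raw)]
}

// fixedBlocked strips comments first, so the domain is the real addr-spec's.
func fixedBlocked(raw string) bool {
	return blockedDomains[domainOf(stripComments(raw))]
}

func main() {
	for _, raw := range []string{
		"me@example.com (a comment here)",
		"me@evilcorp.com (me@example.com)",
		"me@evilcorp.com",
	} {
		fmt.Printf("%-36q naive=%-5v fixed=%v\n", raw, naiveBlocked(raw), fixedBlocked(raw))
	}
}
```

`stripComments` deliberately ignores quoted local parts (`"a(b"@example.com`), which a full parser such as `net/mail.ParseAddress` handles; the point here is that any block-list or allow-list decision has to run on the normalised addr-spec, never on the raw input.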
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9071) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9082)): <!--number 9082 --><!--line 0 --><!--description Zml4OiB2YWxpZGF0ZSBDU1JGIG9uIG5vbi1zYWZlIG1ldGhvZHM=-->fix: validate CSRF on non-safe methods<!--description-->
All PUT/DELETE routes in the web UI are now validated to prevent [cross-site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery). Although all POST routes were already validated with a CSRF token, some PUT/DELETE routes were missing this validation.
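The shape of the fix, as an added example and not Forgejo's middleware: validation is keyed on whether the method is safe (GET, HEAD, OPTIONS, TRACE), so PUT, PATCH and DELETE are covered together with POST instead of each route opting in. The cookie and header names and the double-submit-cookie pattern are this example's own assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Cookie and header names are this example's own; they are not Forgejo's.
const (
	csrfCookie = "_csrf"
	csrfHeader = "X-Csrf-Token"
)

// isSafeMethod reports whether a method is "safe" in the RFC 9110 sense and
// therefore exempt from CSRF validation. Every other method (POST, PUT, PATCH,
// DELETE, ...) must carry a token; checking POST alone is the gap described above.
func isSafeMethod(m string) bool {
	switch m {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return true
	}
	return false
}

// csrfMiddleware applies the double-submit-cookie pattern: the token sent in a
// header (or a form field) must equal the token held in the session cookie.
func csrfMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isSafeMethod(r.Method) {
			c, err := r.Cookie(csrfCookie)
			if err != nil || c.Value == "" {
				http.Error(w, "missing CSRF cookie", http.StatusForbidden)
				return
			}
			sent := r.Header.Get(csrfHeader)
			if sent == "" {
				sent = r.FormValue("_csrf")
			}
			if subtle.ConstantTimeCompare([]byte(sent), []byte(c.Value)) != 1 {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor runs one request, carrying a constructed session cookie and the
// given header token, through the middleware and returns the HTTP status.
func statusFor(method, headerToken string) int {
	const sessionToken = "constructed-session-token"
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, "/org/repo/settings/keys/1", nil)
	req.AddCookie(&http.Cookie{Name: csrfCookie, Value: sessionToken})
	if headerToken != "" {
		req.Header.Set(csrfHeader, headerToken)
	}
	rec := httptest.NewRecorder()
	csrfMiddleware(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, m := range []string{"GET", "POST", "PUT", "DELETE"} {
		fmt.Printf("%-6s no token: %d  wrong token: %d  valid token: %d\n",
			m, statusFor(m, ""), statusFor(m, "wrong"), statusFor(m, "constructed-session-token"))
	}
}
```

A deny-by-default method check is the part that matters; the double-submit comparison itself only holds if an attacker cannot set cookies for the origin, so a production implementation additionally binds the token to the server-side session or signs it.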
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9067) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9068)): <!--number 9068 --><!--line 0 --><!--description Zml4OiB1c2UgY3JlZGVudGlhbHMgaGVscGVycyBmb3IgZ2l0IGNsb25lcw==-->fix: use credential helpers for git clones<!--description-->
When performing a `git clone` that requires credentials, they are now temporarily stored in files and supplied through a [Git credential](https://git-scm.com/docs/gitcredentials/2.50.0#_requesting_credentials) helper. They were previously embedded in the clone URL, where any user with shell access to the host running the Forgejo instance could read them, for instance by listing processes with `ps`.
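An added example of the pattern, not Forgejo's implementation: the secret goes into a mode 0600 file, git is told to use a helper instead of a URL with userinfo, and the helper answers git's `get` request on stdin/stdout as the gitcredentials protocol specifies. The helper path, host and credentials are constructed for the example; in a real deployment `helperGet` would be the body of the executable git invokes as `<helper> get`.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strings"
)

// writeCredentialFile stores the secret in a file that only the Forgejo system
// user can read (mode 0600) and returns its path; the caller removes the file
// as soon as the clone finishes.
func writeCredentialFile(dir, username, password string) (string, error) {
	if strings.ContainsAny(username+password, "\r\n") {
		return "", fmt.Errorf("newline in credentials would break the key=value protocol")
	}
	f, err := os.CreateTemp(dir, "git-cred-*")
	if err != nil {
		return "", err
	}
	defer f.Close()
	if err := f.Chmod(0o600); err != nil {
		return "", err
	}
	_, err = fmt.Fprintf(f, "username=%s\npassword=%s\n", username, password)
	return f.Name(), err
}

// gitCloneArgs builds the argument list for git. The first, empty
// credential.helper clears helpers configured elsewhere on the host; the
// second names our helper. The secret never appears in argv, so it is not
// visible through `ps` or /proc/<pid>/cmdline.
func gitCloneArgs(helperPath, remoteURL, dest string) []string {
	return []string{
		"-c", "credential.helper=",
		"-c", "credential.helper=" + helperPath,
		"clone", "--", remoteURL, dest,
	}
}

// helperGet implements the "get" operation of the credential helper protocol:
// git writes key=value lines terminated by a blank line on the helper's stdin,
// and the helper answers with key=value lines on stdout. The secret is only
// released for an https request to the host the clone was started for.
func helperGet(request io.Reader, credFile, expectedHost string) (string, error) {
	req := map[string]string{}
	sc := bufio.NewScanner(request)
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			req[k] = v
		}
	}
	if err := sc.Err(); err != nil {
		return "", err
	}
	if req["protocol"] != "https" || req["host"] != expectedHost {
		return "", fmt.Errorf("refusing to release credentials for %s://%s", req["protocol"], req["host"])
	}
	secret, err := os.ReadFile(credFile)
	if err != nil {
		return "", err
	}
	return string(secret), nil
}

func main() {
	dir, _ := os.MkdirTemp("", "forgejo-clone-example")
	defer os.RemoveAll(dir)
	credFile, err := writeCredentialFile(dir, "migration-bot", "s3cret-constructed")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Hypothetical helper path; in practice it is an executable wrapping helperGet.
	fmt.Println("git", strings.Join(gitCloneArgs("/usr/local/lib/forgejo/cred-helper",
		"https://git.example.com/org/repo.git", dir+"/repo"), " "))
	out, err := helperGet(strings.NewReader("protocol=https\nhost=git.example.com\n\n"),
		credFile, "git.example.com")
	fmt.Printf("helper answer: %q err=%v\n", out, err)
}
```

The host and protocol check in `helperGet` matters because git asks the helper again after an HTTP redirect; without it a migration source that redirects to another host would receive the credentials.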
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9073) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9097)): <!--number 9097 --><!--line 0 --><!--description Zml4OiBjb25zaXN0ZW50bHkgZW5mb3JjZSAyRkEgb24gT3BlbklEIDIuMA==-->fix: consistently enforce 2FA on OpenID 2.0<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9076) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9087)): <!--number 9087 --><!--line 0 --><!--description Zml4OiBkZWxldGUgb2xkIGF1dGggdG9rZW4gdXBvbiByZXBsYWNpbmcgcHJpbWFyeSBlbWFpbA==-->fix: delete old auth token upon replacing primary email<!--description-->
When the primary email is changed before it is validated, the URL sent for validation purposes must be invalidated. It was previously possible to delay use of the validation URL, modify the primary email in the meantime, and then validate the newer primary email with the URL issued for the older one, effectively bypassing validation.
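Forgejo's fix deletes the stored token when the email changes. An equivalent stateless design, shown here as an added example that is not Forgejo's code, binds the token to the exact address it was issued for with an HMAC, so a link for the old address simply fails verification against the new one. The key, user id, addresses and timestamps are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// secretKey is a constructed server-side secret; a real deployment loads it
// from configuration and never hard-codes it.
var secretKey = []byte("constructed-secret-key-for-this-example")

// makeToken binds a validation token to the user and the exact address being
// validated. Changing the pending primary email changes the MAC input, so a
// link issued for the previous address cannot validate the new one.
func makeToken(userID int64, email string, expires time.Time) string {
	msg := fmt.Sprintf("%d|%s|%d", userID, strings.ToLower(email), expires.Unix())
	mac := hmac.New(sha256.New, secretKey)
	mac.Write([]byte(msg))
	sig := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	return strconv.FormatInt(expires.Unix(), 10) + "." + sig
}

// verifyToken recomputes the MAC over the user's current pending email and
// compares in constant time; it also rejects expired or malformed tokens.
func verifyToken(token string, userID int64, currentEmail string, now time.Time) bool {
	expStr, sig, ok := strings.Cut(token, ".")
	if !ok {
		return false
	}
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if err != nil || now.Unix() > exp {
		return false
	}
	_, expectedSig, _ := strings.Cut(makeToken(userID, currentEmail, time.Unix(exp, 0)), ".")
	return hmac.Equal([]byte(sig), []byte(expectedSig))
}

// scenario replays the report: a link is issued for the first address, the
// user changes the pending primary email, and the old link is tried against
// the new address. It returns whether the old link still works and whether a
// freshly issued link does.
func scenario() (oldLinkValidForNew, newLinkValidForNew bool) {
	now := time.Date(2025, 8, 31, 12, 0, 0, 0, time.UTC)
	exp := now.Add(24 * time.Hour)
	const userID = 42
	oldLink := makeToken(userID, "first@example.com", exp)
	newLink := makeToken(userID, "second@example.com", exp)
	return verifyToken(oldLink, userID, "second@example.com", now),
		verifyToken(newLink, userID, "second@example.com", now)
}

func main() {
	oldOK, newOK := scenario()
	fmt.Printf("old link validates new email: %v\nnew link validates new email: %v\n", oldOK, newOK)
}
```

Whichever design is used, the invariant to test is the one `scenario` checks: a token issued for address A must never validate address B for the same user.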
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9070) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9080)): <!--number 9080 --><!--line 0 --><!--description Zml4OiByZXF1aXJlIHBhc3N3b3JkIGxvZ2luIGZvciBjcmVhdGlvbiBvZiBuZXcgdG9rZW4=-->fix: require password login for creation of new token<!--description-->
Obtaining a [personal access token via the API](https://forgejo.org/docs/latest/user/api-usage/#generating-and-listing-api-tokens) is no longer possible if the password used for basic authentication is an API token or an [OAuth2 token](https://forgejo.org/docs/latest/user/api-usage/#oauth2-provider): it has to be the user password. Such privilege escalation was only possible for tokens with write permissions to the user.
This requirement is already enforced when API calls are made with an authorization header [as described in the documentation](https://forgejo.org/docs/latest/user/api-usage/#authentication), but it was not enforced with basic authentication. As a consequence it was possible for an API token with `write:user` permissions or an OAuth2 token to obtain a new token with a wider or identical scope.
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9075) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9085)): <!--number 9085 --><!--line 0 --><!--description Zml4OiBlbnN1cmUgR2V0VXNlckJ5RW1haWwgb25seSBjb25zaWRlcnMgdmFsaWRhdGVkIGVtYWlscw==-->fix: ensure GetUserByEmail only considers validated emails<!--description-->
Only validated emails can be used to:
- assert whether a signature can be trusted, or
- assign comments and issues to an existing user during a migration.
Emails that were not yet validated could previously be used as if they were validated, incorrectly showing commits as trusted or assigning comments and issues to the user associated with that email during migrations.
Existing migrations are not modified where they were incorrectly assigned based on an email that is not validated. The trust status of commit signatures now depends on the validation status of the email, so some signatures will display differently than before.
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9064) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9078)): <!--number 9078 --><!--line 0 --><!--description Zml4OiBkb24ndCBhbGxvdyBjcmVkZW50aWFscyBpbiBtaWdyYXRlL3B1c2ggbWlycm9yIFVSTA==-->fix: don't allow credentials in migrate/push mirror URL<!--description-->
It is no longer possible to specify the user and password in the URL provided when migrating a repository; the dedicated fields on the form must be used instead. This prevents those credentials from being displayed in the repository settings, which are visible to repository admins, when the migration is a mirror.
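One way to enforce that rule at the input boundary, as an added example and not Forgejo's own validation: parse the URL and refuse any userinfo, including a bare `user@` with no password. The scheme allow list and the sample URLs are this example's assumptions; `redact` shows what `net/url` gives you for remotes that were stored before such a check existed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// validateRemoteURL rejects a migration or mirror URL that carries userinfo,
// so credentials typed into the URL cannot be persisted with the remote and
// later shown on the settings page. The scheme allow list is this example's
// own assumption, not Forgejo's.
func validateRemoteURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	switch u.Scheme {
	case "http", "https":
	default:
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.Host == "" {
		return nil, errors.New("missing host")
	}
	// u.User is non-nil for "user@" as well as "user:pass@": both are refused,
	// because a lone username in the URL still reveals which account is used.
	if u.User != nil {
		return nil, errors.New("put the user and password in the dedicated form fields, not in the URL")
	}
	return u, nil
}

// redact is what to display for a remote stored before the check existed:
// url.URL.Redacted replaces the password with "xxxxx" but keeps the username.
func redact(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<invalid url>"
	}
	return u.Redacted()
}

func main() {
	for _, raw := range []string{
		"https://git.example.com/org/repo.git",
		"https://bot:s3cret@git.example.com/org/repo.git",
		"https://bot@git.example.com/org/repo.git",
	} {
		_, err := validateRemoteURL(raw)
		fmt.Printf("%-50s -> err=%v\n", redact(raw), err)
	}
}
```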
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9072) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9091)): <!--number 9091 --><!--line 0 --><!--description Zml4OiBvbmx5IHJlZGlyZWN0IHRvIGEgbmV3IG93bmVyIChvcmdhbml6YXRpb24gb3IgdXNlcikgaWYgdGhlIHVzZXIgaGFzIHBlcm1pc3Npb25zIHRvIHZpZXcgdGhlIG5ldyBvd25lcg==-->fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner<!--description-->
<!--start release-notes-assistant-->
## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9074) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9083)): <!--number 9083 --><!--line 0 --><!--description Zml4OiBlbWFpbCBjb21tZW50cyBhcmUgcmVtb3ZlZCBmcm9tIGVtYWlsIGFkZHJlc3Nlcw==-->fix: email comments are removed from email addresses<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9071) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9082)): <!--number 9082 --><!--line 0 --><!--description Zml4OiB2YWxpZGF0ZSBDU1JGIG9uIG5vbi1zYWZlIG1ldGhvZHM=-->fix: validate CSRF on non-safe methods<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9067) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9068)): <!--number 9068 --><!--line 0 --><!--description Zml4OiB1c2UgY3JlZGVudGlhbHMgaGVscGVycyBmb3IgZ2l0IGNsb25lcw==-->fix: use credential helpers for git clones<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9073) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9097)): <!--number 9097 --><!--line 0 --><!--description Zml4OiBjb25zaXN0ZW50bHkgZW5mb3JjZSAyRkEgb24gT3BlbklEIDIuMA==-->fix: consistently enforce 2FA on OpenID 2.0<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9076) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9087)): <!--number 9087 --><!--line 0 --><!--description Zml4OiBkZWxldGUgb2xkIGF1dGggdG9rZW4gdXBvbiByZXBsYWNpbmcgcHJpbWFyeSBlbWFpbA==-->fix: delete old auth token upon replacing primary email<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9070) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9080)): <!--number 9080 --><!--line 0 --><!--description Zml4OiByZXF1aXJlIHBhc3N3b3JkIGxvZ2luIGZvciBjcmVhdGlvbiBvZiBuZXcgdG9rZW4=-->fix: require password login for creation of new token<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9075) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9085)): <!--number 9085 --><!--line 0 --><!--description Zml4OiBlbnN1cmUgR2V0VXNlckJ5RW1haWwgb25seSBjb25zaWRlcnMgdmFsaWRhdGVkIGVtYWlscw==-->fix: ensure GetUserByEmail only considers validated emails<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9064) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9078)): <!--number 9078 --><!--line 0 --><!--description Zml4OiBkb24ndCBhbGxvdyBjcmVkZW50aWFscyBpbiBtaWdyYXRlL3B1c2ggbWlycm9yIFVSTA==-->fix: don't allow credentials in migrate/push mirror URL<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9072) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9091)): <!--number 9091 --><!--line 0 --><!--description Zml4OiBvbmx5IHJlZGlyZWN0IHRvIGEgbmV3IG93bmVyIChvcmdhbml6YXRpb24gb3IgdXNlcikgaWYgdGhlIHVzZXIgaGFzIHBlcm1pc3Npb25zIHRvIHZpZXcgdGhlIG5ldyBvd25lcg==-->fix: only redirect to a new owner (organization or user) if the user has permissions to view the new owner<!--description-->
- User Interface bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8830) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8841)): <!--number 8841 --><!--line 0 --><!--description Zml4OiB3cmFwIGl0ZW1zIGluIGdpdGlnbm9yZSBkcm9wZG93bg==-->fix: wrap items in gitignore dropdown<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8818) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8852)): <!--number 8852 --><!--line 0 --><!--description Zml4KHVpKTogbW92ZSBmaWxlIHJlbmFtZSBub3RpY2UgdG8gYmVmb3JlIHBhZ2luYXRpb24=-->fix(ui): move file rename notice to before pagination<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8681) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8683)): <!--number 8683 --><!--line 0 --><!--description Zml4OiBzaG93IG1lcmdlYm94IHdoZW4gb25seSBtYW51YWwgbWVyZ2UgaXMgYWxsb3dlZA==-->fix: show mergebox when only manual merge is allowed<!--description-->
- Localization
- Updates from Codeberg Translate: [#8995](https://codeberg.org/forgejo/forgejo/pulls/8995) (backport of [#8535](https://codeberg.org/forgejo/forgejo/pulls/8535), [#8673](https://codeberg.org/forgejo/forgejo/pulls/8673), [#8744](https://codeberg.org/forgejo/forgejo/pulls/8744), [#8826](https://codeberg.org/forgejo/forgejo/pulls/8826), [#8891](https://codeberg.org/forgejo/forgejo/pulls/8891))
- Bug fixes
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8942) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8944)): <!--number 8944 --><!--line 0 --><!--description YSBjb3JydXB0ZWQgRm9yZ2VqbyBBY3Rpb25zIHNjaGVkdWxlZCB3b3JrZmxvdyBpcyBkaXNhYmxlZA==-->a corrupted Forgejo Actions scheduled workflow is disabled<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9003) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9025)): <!--number 9025 --><!--line 0 --><!--description Zml4OiBBY3Rpb25zIHdvcmtmbG93cyB0cmlnZ2VyZWQgYnkgY29tbWVudHMgb3IgbGFiZWxzIHRvIHB1bGwgcmVxdWVzdHMgbWF5IGFjY2VzcyBzZWNyZXRz-->fix: Actions workflows triggered by comments or labels to pull requests may access secrets<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/9000) ([backported](https://codeberg.org/forgejo/forgejo/pulls/9006)): <!--number 9006 --><!--line 0 --><!--description Zml4KGNvZGUtc2VhcmNoKTogZml4IGJyb2tlbiBwYWdpbmF0aW9uLg==-->fix(code-search): fix broken pagination.<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8756) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8758)): <!--number 8758 --><!--line 0 --><!--description Zml4OiBjb3JyZWN0bHkgZ2V0IHN0YXRzIGZvciBBUEkgY29tbWl0cw==-->fix: correctly get stats for API commits<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8864) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8883)): <!--number 8883 --><!--line 0 --><!--description WzEyLjAvZm9yZ2Vqb10gZml4OiBkZS1kdXBsaWNhdGUgRm9yZ2VqbyBBY3Rpb25zIGpvYiBuYW1lcyB3aGVuIG5lZWRlZA==-->[12.0/forgejo] fix: de-duplicate Forgejo Actions job names when needed<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8821) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8860)): <!--number 8860 --><!--line 0 --><!--description Zml4OiBtYWtlIHNzaCBrZXkgdmVyaWZpY2F0aW9uIGNvbW1hbmQgbW9yZSByb2J1c3Q=-->fix: make ssh key verification command more robust<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8794) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8800)): <!--number 8800 --><!--line 0 --><!--description Zml4OiB0cmltIHRyYWlsaW5nIHNsYXNoIGluIFdlYkZpbmdlciBPSURDIGlzc3VlciBsaW5r-->fix: trim trailing slash in WebFinger OIDC issuer link<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8802) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8805)): <!--number 8805 --><!--line 0 --><!--description Zml4OiBjb3JyZWN0IHJlbGVhc2UgbGluayBpbiBmZWVk-->fix: correct release link in feed<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8773) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8790)): <!--number 8790 --><!--line 0 --><!--description Zml4OiBhZGQgLmZvcmdlam8vQ09ERU9XTkVSUyBzdXBwb3J0ICgjODc0Nik=-->fix: add .forgejo/CODEOWNERS support (#8746)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8715) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8719)): <!--number 8719 --><!--line 0 --><!--description Zml4OiBhbGxvdyBhZG1pbnMgdG8gYWx3YXlzIHJlbmFtZSB1c2Vycw==-->fix: allow admins to always rename users<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8678) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8682)): <!--number 8682 --><!--line 0 --><!--description Zml4OiBzdG9yZSBjb2RlIGNoYWxsZW5nZSBjb3JyZWN0bHkgaW4gc2Vzc2lvbg==-->fix: store code challenge correctly in session<!--description-->
- Included for completeness but not user-facing (chores, etc.)
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8842) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8862)): <!--number 8862 --><!--line 0 --><!--description Zml4OiBwcmV2ZW50IHB1bGwgcmVxdWVzdHMgZnJvbSBiZWluZyBtZXJnZWQgbXVsdGlwbGUgdGltZXM=-->fix: prevent pull requests from being merged multiple times<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8874) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8876)): <!--number 8876 --><!--line 0 --><!--description Zml4OiByZWRpcmVjdCBmcm9tIC97dXNlcm5hbWV9L3tyZXBvbmFtZX0vcHVsbHMve2luZGV4fSB0byBpc3N1ZSBpZiBpbmRleCBpcyBhIGlzc3Vl-->fix: redirect from /{username}/{reponame}/pulls/{index} to issue if index is a issue<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8897) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8914)): <!--number 8914 --><!--line 0 --><!--description Zml4OiBtaW5pbyBpbml0aWFsaXphdGlvbiBjYW4gZnJlZXplIGluZGVmaW5pdGVseSBpZiBtaXNjb25maWd1cmVk-->fix: minio initialization can freeze indefinitely if misconfigured<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8771) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8899)): <!--number 8899 --><!--line 0 --><!--description Zml4OiBtaWdyYXRlIG5ldyBHaXRodWIgcmVsZWFzZSBhc3NldHM=-->fix: migrate new Github release assets<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8882) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8887)): <!--number 8887 --><!--line 0 --><!--description Zml4OiBjb21wYXJlIHdlZWsgYXMgbnVtYmVycyBhbmQgbm90IGFzIHN0cmluZ3M=-->fix: compare week as numbers and not as strings<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8812): <!--number 8812 --><!--line 0 --><!--description VXBkYXRlIGRlcGVuZGVuY3kgZ28gdG8gdjEuMjQuNiAodjEyLjAvZm9yZ2Vqbyk=-->Update dependency go to v1.24.6 (v12.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8846): <!--number 8846 --><!--line 0 --><!--description VXBkYXRlIGh0dHBzOi8vZGF0YS5mb3JnZWpvLm9yZy9mb3JnZWpvL2Zvcmdlam8tYnVpbGQtcHVibGlzaCBhY3Rpb24gdG8gdjUuNC4xICh2MTIuMC9mb3JnZWpvKQ==-->Update https://data.forgejo.org/forgejo/forgejo-build-publish action to v5.4.1 (v12.0/forgejo)<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8847) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8849)): <!--number 8849 --><!--line 0 --><!--description Zml4KHRlc3QpOiBUZXN0QWN0aW9uc0FydGlmYWN0T3ZlcndyaXRlIG5lZWRzIG9yZGVyZWQgcXVlcnkgZm9yIHBnc3Fs-->fix(test): TestActionsArtifactOverwrite needs ordered query for pgsql<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8727) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8730)): <!--number 8730 --><!--line 0 --><!--description Y2hvcmUoY2kpOiBzZW5kIG1haWwgd2hlbiBkYWlseSBpbnRlZ3JhdGlvbiB0ZXN0cyBmYWls-->chore(ci): send mail when daily integration tests fail<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8671) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8733)): <!--number 8733 --><!--line 0 --><!--description Zml4OiBhbGxvdyBkb3VibGUgZGlnaXQgZXBvY2ggZm9yIERlYmlhbiBwYWNrYWdlcw==-->fix: allow double digit epoch for Debian packages<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8690) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8696)): <!--number 8696 --><!--line 0 --><!--description Zml4OiByZXR1cm4gZXJyb3Igd2hlbiB1c2VyIGlzIG5vdCByZXBvIHdyaXRlcg==-->fix: return error when user is not repo writer<!--description-->
- [PR](https://codeberg.org/forgejo/forgejo/pulls/8666) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8670)): <!--number 8670 --><!--line 0 --><!--description Zml4OiBxdWVyeSB0b2tlbiBhdXRoIHZlcnNpb24gbWlzbWF0Y2g=-->fix: query token auth version mismatch<!--description-->
<!--end release-notes-assistant-->