forgejo/routers
forgejo-backport-action e1e3f6eefa [v11.0/forgejo] fix: validate CSRF on non-safe methods (#9081)
**Backport:** https://codeberg.org/forgejo/forgejo/pulls/9071

All PUT/DELETE routes in the web UI are validated to prevent a [cross site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery). Although all POST routes are validated with a CSRF token, some of the PUT/DELETE routes were missing this validation.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- Security bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/9071): <!--number 9071 --><!--line 0 --><!--description dmFsaWRhdGUgQ1NSRiBvbiBub24tc2FmZSBtZXRob2Rz-->validate CSRF on non-safe methods<!--description-->
<!--end release-notes-assistant-->

Co-authored-by: Gusted <postmaster@gusted.xyz>
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9081
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>
2025-08-30 18:58:18 +02:00
..
api [v11.0/forgejo] fix: require password login for creation of new token (#9079) 2025-08-30 18:54:10 +02:00
common [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
install [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00
private fix(sec): only degrade permission check for git push 2025-05-02 07:05:38 +02:00
utils
web [v11.0/forgejo] fix: validate CSRF on non-safe methods (#9081) 2025-08-30 18:58:18 +02:00
init.go [v11.0/forgejo] chore: branding import path (#7354) 2025-03-27 20:13:05 +00:00