forgejo

mirror of https://codeberg.org/forgejo/forgejo synced 2025-10-20 07:10:43 +02:00

History

forgejo-backport-action e1e3f6eefa [v11.0/forgejo] fix: validate CSRF on non-safe methods (#9081 ) Backport: https://codeberg.org/forgejo/forgejo/pulls/9071 All PUT/DELETE routes in the web UI are validated to prevent a [cross site request forgery](https://en.wikipedia.org/wiki/Cross-site_request_forgery). Although all POST routes are validated with a CSRF token, some of the PUT/DELETE routes were missing this validation. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Security bug fixes - [PR](https://codeberg.org/forgejo/forgejo/pulls/9071): <!--number 9071 --><!--line 0 --><!--description dmFsaWRhdGUgQ1NSRiBvbiBub24tc2FmZSBtZXRob2Rz-->validate CSRF on non-safe methods<!--description--> <!--end release-notes-assistant--> Co-authored-by: Gusted <postmaster@gusted.xyz> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9081 Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org> Co-committed-by: forgejo-backport-action <forgejo-backport-action@noreply.codeberg.org>		2025-08-30 18:58:18 +02:00
..
api	[v11.0/forgejo] fix: require password login for creation of new token (#9079 )	2025-08-30 18:54:10 +02:00
common	[v11.0/forgejo] chore: branding import path (#7354 )	2025-03-27 20:13:05 +00:00
install	[v11.0/forgejo] chore: branding import path (#7354 )	2025-03-27 20:13:05 +00:00
private	fix(sec): only degrade permission check for git push	2025-05-02 07:05:38 +02:00
utils
web	[v11.0/forgejo] fix: validate CSRF on non-safe methods (#9081 )	2025-08-30 18:58:18 +02:00
init.go	[v11.0/forgejo] chore: branding import path (#7354 )	2025-03-27 20:13:05 +00:00