The Gitea team reports:

check blocklist for emails when adding them to account

< 1.20.3

The Gitea team reports:

Update golang.org/x/crypto

< 1.21.3

The Gitea team reports:

Add write check for creating Commit status

Check for permission when fetching user controlled issues

< 1.16.9

Problem Description:

• The Wiki page did not sanitize author name
• the reviewer name on a "dismiss review" comment is also affected
• the migration page has some spots

< 1.21.6

Problem Description:

Even with RequireSignInView enabled, anonymous users can use docker pull to fetch public images.

< 1.21.5

The Gitea team reports:

Disallow javascript, vbscript and data (data uri images still work) url schemes even if all other schemes are allowed

< 1.20.1

The Gitea team reports:

Double check CloneURL is acceptable

Add more checks in migration code

< 1.17.2

The Gitea team reports:

Test if container blob is accessible before mounting.

Set type="password" on all auth_token fields

Seen when migrating from other hosting platforms.

Prevents exposing the token to screen capture/cameras/eyeballs.

Prevents the browser from saving the value in its autocomplete dictionary, which often is not secure.

< 1.20.0

The Gitea Team reports for release 1.15.5:

• Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
• Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)

< 1.15.5

The Gitea team reports:

Use git.HOME_PATH for Git HOME directory

Add write check for creating Commit status

Remove deprecated SSH ciphers from default

< 1.17.0

The Gitea team reports:

If redirect_to parameter has set value starting with \\example.com redirect will be created with header Location: /\\example.com that will redirect to example.com domain.

< 1.19.4

The Gitea team reports:

Fix missing check

Do some missing checks

By crafting an API request, attackers can access the contents of issues even though the logged-in user does not have access rights to these issues.

< 1.21.2

Youssef Rebahi-Gilbert reports:

When Gitea is built and configured for PAM authentication it skips checking authorization completely. Therefore expired accounts and accounts with expired passwords can still login.

< 1.16.4

The Gitea team reports:

Sanitize and Escape refs in git backend

Bump golang.org/x/text

Update bluemonday

< 1.17.3

Andrew Thornton reports:

When a location containing backslashes is presented, the existing protections against open redirect are bypassed, because browsers will convert adjacent forward and backslashes within the location to double forward slashes.

< 1.16.5

The Gitea team reports:

Prevent multiple To recipients: Change the mailer interface to prevent leaking of possible hidden email addresses when sending to multiple recipients.

< 1.18.3

The Gitea team reports:

This PR refactors and improves the password hashing code within gitea and makes it possible for server administrators to set the password hashing parameters.

In addition it takes the opportunity to adjust the settings for pbkdf2 in order to make the hashing a little stronger.

Add command to bulk set must-change-password

As part of administration sometimes it is appropriate to forcibly tell users to update their passwords.

This PR creates a new command gitea admin user must-change-password which will set the MustChangePassword flag on the provided users.

< 1.18.4

The Gitea team reports:

Escape git fetch remote in services/migrations/gitea_uploader.go

< 1.16.7

The Gitea team reports:

Remove ReverseProxy authentication from the API

Support Go Vulnerability Management

Forbid HTML string tooltips

< 1.18.0

The Gitea team reports:

Do not allow Ghost access to limited visible user/org

Fix package access for admins and inactive users

< 1.17.4

The Gitea team reports:

Fix API leaking Usermail if not logged in

The API should only return the real Mail of a User, if the caller is logged in. The check do to this don't work. This PR fixes this. This not really a security issue, but can lead to Spam.

< 1.20.3