GitHub/gogs
1
0
Fork 0
mirror of https://github.com/gogs/gogs.git synced 2026-05-28 21:30:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: don't follow redirects on webhook delivery (#8263)

Browse Source
This commit is contained in:
ᴊᴏᴇ ᴄʜᴇɴ
2026-05-18 21:08:46 -04:00
committed by GitHub
parent 0089c4c8e5
commit 199cf4fd5b
3 changed files with 25 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+1
View File
@@ -8,6 +8,7 @@ All notable changes to Gogs are documented in this file.
- _Security:_ Denial of service in repository and wiki file listing pages via crafted file names. [#8116](https://github.com/gogs/gogs/pull/8116) - [GHSA-3qq3-668m-v9mj](https://github.com/gogs/gogs/security/advisories/GHSA-3qq3-668m-v9mj)
- _Security:_ Reverse proxy authentication header was honored from any remote address, allowing user impersonation when Gogs was reachable directly. The header is now only trusted from addresses listed in `[auth] TRUSTED_PROXY_IPS`. [#8264](https://github.com/gogs/gogs/pull/8264) - [GHSA-w6j9-vw59-27wv](https://github.com/gogs/gogs/security/advisories/GHSA-w6j9-vw59-27wv)
- _Security:_ Server-side request forgery in webhook deliveries via HTTP redirects to local network addresses. [#8263](https://github.com/gogs/gogs/pull/8263) - [GHSA-c4v7-xg93-qf8g](https://github.com/gogs/gogs/security/advisories/GHSA-c4v7-xg93-qf8g)
### Removed