0
Fork 0
mirror of https://codeberg.org/forgejo/forgejo.git synced 2024-12-26 17:34:11 -05:00
Beyond coding. We forge.
Find a file
Archer 1b088fade6
Prevent automatic OAuth grants for public clients (#30790)
This commit forces the resource owner (user) to always approve OAuth 2.0
authorization requests if the client is public (e.g. native
applications).

As detailed in [RFC 6749 Section 10.2](https://www.rfc-editor.org/rfc/rfc6749.html#section-10.2),

> The authorization server SHOULD NOT process repeated authorization
requests automatically (without active resource owner interaction)
without authenticating the client or relying on other measures to ensure
that the repeated request comes from the original client and not an
impersonator.

With the implementation prior to this patch, attackers with access to
the redirect URI (e.g., the loopback interface for
`git-credential-oauth`) can get access to the user account without any
user interaction if they can redirect the user to the
`/login/oauth/authorize` endpoint somehow (e.g., with `xdg-open` on
Linux).

Fixes #25061.

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit 5c542ca94caa3587329167cfe9e949357ca15cf1)
2024-05-05 12:15:40 +01:00
.devcontainer
.forgejo Update ghcr.io/visualon/renovate Docker tag to v37.330.1 2024-05-01 06:02:32 +00:00
.gitea
assets chore(licenses): github.com/minio/sha256-simd is no longer in use 2024-04-27 10:43:27 +02:00
build s/Gitea/Forgejo in various log messages and comments 2024-04-21 21:26:15 +05:00
cmd Enable more revive linter rules (#30608) 2024-04-28 15:39:00 +02:00
contrib
custom/conf Don't have redis-cluster as possible cache/session adapter in docs (#30794) 2024-05-05 12:15:40 +01:00
docker fix(Dockerfile.rootless): revert to default path for app.ini 2024-04-26 21:30:10 +02:00
models Get repo assignees and reviewers should ignore deactivated users (#30770) (#30782) 2024-05-05 08:53:27 +01:00
modules Remove external API calls in TestPassword (#30716) 2024-05-05 12:15:40 +01:00
options Add support for npm bundleDependencies (#30751) 2024-05-05 08:24:01 +01:00
public
release-notes/8.0.0 Fix inconsistent required field (#3583) 2024-05-01 18:29:42 +00:00
releases/images
routers Prevent automatic OAuth grants for public clients (#30790) 2024-05-05 12:15:40 +01:00
services Add API endpoints for getting action jobs status (#26673) 2024-05-05 12:15:40 +01:00
templates Catch and handle unallowed file type errors in issue attachment API (#30791) 2024-05-05 12:15:40 +01:00
tests Catch and handle unallowed file type errors in issue attachment API (#30791) 2024-05-05 12:15:40 +01:00
tools
web_src Add hover outline to heatmap squares (#30828) 2024-05-05 12:15:40 +01:00
.air.toml Kill all gitea processes before air build (#30477) 2024-04-21 11:38:58 +02:00
.changelog.yml
.deadcode-out [DEADCODE] update 2024-04-21 16:40:43 +02:00
.dockerignore Add /public/assets/img/webpack to ignore files again (#30451) 2024-04-15 20:01:36 +02:00
.editorconfig
.eslintrc.yaml add built js files to eslint ignore (#30737) 2024-05-05 08:22:50 +01:00
.gitattributes Add interface{} to any replacement to make fmt, exclude *.pb.go (#30461) 2024-04-15 20:01:36 +02:00
.gitignore Add /public/assets/img/webpack to ignore files again (#30451) 2024-04-15 20:01:36 +02:00
.gitmodules cleanup(tests): remove manual testing submodule 2024-04-21 10:13:51 +02:00
.gitpod.yml
.golangci.yml Enable more revive linter rules (#30608) 2024-04-28 15:39:00 +02:00
.ignore Add /options/license and /options/gitignore to .ignore (#30219) 2024-04-07 15:40:31 +02:00
.markdownlint.yaml
.npmrc
.spectral.yaml
.yamllint.yaml
BSDmakefile
build.go
CODEOWNERS I feel responsible … (Codeowners) 2024-04-27 02:22:05 +02:00
CONTRIBUTING.md docs: contributing: avoid information duplication (#3454) 2024-04-25 19:10:43 +00:00
DCO
Dockerfile fix(release): add missing ARG RELEASE_VERSION 2024-04-17 17:16:53 +02:00
Dockerfile.rootless fix(Dockerfile.rootless): revert to default path for app.ini 2024-04-26 21:30:10 +02:00
go.mod Remove external API calls in TestPassword (#30716) 2024-05-05 12:15:40 +01:00
go.sum Remove external API calls in TestPassword (#30716) 2024-05-05 12:15:40 +01:00
LICENSE
main.go
Makefile Fix cross-compilation errors when CGO_CFLAGS/CGO_LDFLAGS is set (#30749) 2024-05-05 08:23:25 +01:00
package-lock.json Merge pull request 'Update dependency vue to v3.4.26' (#3439) from renovate/vue-monorepo into forgejo 2024-05-01 08:08:52 +00:00
package.json Merge pull request 'Update dependency vue to v3.4.26' (#3439) from renovate/vue-monorepo into forgejo 2024-05-01 08:08:52 +00:00
playwright.config.js
poetry.lock
poetry.toml
pyproject.toml
README.md
RELEASE-NOTES.md [skip ci] docs(release-notes): 7.0.2 2024-05-01 14:22:18 +02:00
renovate.json chore(renovate): vue patch releases can be automerged 2024-05-01 09:32:01 +02:00
stylelint.config.js Ignore fomantic folder in linters (#30200) 2024-04-07 15:40:31 +02:00
tailwind.config.js
updates.config.js
vitest.config.js
webpack.config.js

Welcome to Forgejo

Hi there! Tired of big platforms playing monopoly? Providing Git hosting for your project, friends, company or community? Forgejo (/for'd͡ʒe.jo/ inspired by forĝejo the Esperanto word for forge) has you covered with its intuitive interface, light and easy hosting and a lot of builtin functionality.

Forgejo was created in 2022 because we think that the project should be owned by an independent community. If you second that, then Forgejo is for you! Our promise: Independent Free/Libre Software forever!

What does Forgejo offer?

If you like any of the following, Forgejo is literally meant for you:

  • Lightweight: Forgejo can easily be hosted on nearly every machine. Running on a Raspberry? Small cloud instance? No problem!
  • Project management: Besides Git hosting, Forgejo offers issues, pull requests, wikis, kanban boards and much more to coordinate with your team.
  • Publishing: Have something to share? Use releases to host your software for download, or use the package registry to publish it for docker, npm and many other package managers.
  • Customizable: Want to change your look? Change some settings? There are many config switches to make Forgejo work exactly like you want.
  • Powerful: Organizations & team permissions, CI integration, Code Search, LDAP, OAuth and much more. If you have advanced needs, Forgejo has you covered.
  • Privacy: From update checker to default settings: Forgejo is built to be privacy first for you and your crew.
  • Federation: (WIP) We are actively working to connect software forges with each other through ActivityPub, and create a collaborative network of personal instances.

Learn more

Dive into the documentation, subscribe to releases and blog post on our website, find us on the Fediverse or hop into our Matrix room if you have any questions or want to get involved.

Get involved

If you are interested in making Forgejo better, either by reporting a bug or by changing the governance, please take a look at the contribution guide.