mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-12 01:32:17 +00:00
Backport #38323 by @bircni Three independent security hardening fixes, each with a regression test: - **Locale DoS:** the `Locale` middleware passed the raw `Accept-Language` header to `ParseAcceptLanguage`, whose guard only counts `-` while the scanner aliases `_` to `-` — a large `_`-separated header on an unauthenticated request burned CPU. The header is now length-bounded before parsing. - **Public-only token scope:** `GET /teams/{id}/repos`, `.../repos/{org}/{repo}`, `/teams/{id}/activities/feeds`, and `/users/{username}/orgs/{org}/permissions` still returned private repo/activity/permission data to a public-only token. They now filter via `TokenCanAccessRepo` / `ApplyPublicOnly` and reject non-public org permissions. - **Push-option visibility:** `repo.private` / `repo.template` push options were applied to any existing repo, letting an owner/admin silently flip visibility bypassing audit, webhooks, and notifications. They are now honored only on push-to-create. Co-authored-by: bircni <bircni@icloud.com>