Skip to content

Release 2.3#282

Merged
dogukanoksuz merged 13 commits into
masterfrom
2.3-dev
Jul 10, 2026
Merged

Release 2.3#282
dogukanoksuz merged 13 commits into
masterfrom
2.3-dev

Conversation

@dogukanoksuz

Copy link
Copy Markdown
Member

No description provided.

…olicy and timing normalization

- throttle: /setup_mfa, /change_password, /reset_password (5/dk), /oidc/callback (30/dk)
- StrongPassword rule (10-32 karakter, 1 büyük/küçük/rakam/özel) tüm şifre rotalarında
- ProfileController validation sırası düzeltildi (validate -> Hash::make)
- Settings/UserController::delete null check (404)
- Settings/UserController::update roles.* Rule::exists validation
- setup_mfa ve forceChangePassword kullanıcı-yok branch'inde dummy Hash::check ile timing attack engeli
- KubernetesController: add_server Liman izni olmayanlara 403 (local cluster kullanımı korunuyor)
- Settings/ExtensionController: extractTo öncesi zip entry'lerde path traversal denetimi (Zip Slip)
- Helpers::isIpSafeForFetch: link-local (169.254.0.0/16, fe80::/10) engeli, retrieveCertificate chokepoint
- Server/UserController: addSudoers/deleteSudoers admin-only, kritik gruplara user ekleme admin-only, audit log, \x20 workaround kaldırıldı (regex validation)
- cache key sha1() ile hash'lendi (sabit uzunluk, binary-safe, injection-proof)
- query nullable|string|min:1|max:64 validation
- boş query için direkt boş JSON, cache key hesaplama yok
@dogukanoksuz dogukanoksuz merged commit 4215736 into master Jul 10, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant