Releases
v1.2.2
v1.2.2 - Security Fixes
Security Fixes
Critical
IDOR Vulnerabilities - Fixed in diary and budget routes
Added shared access_control.py utility
Access is now granted only when the requester is the trip owner or an accepted participant
Path Traversal - Fixed in photo deletion
Validates filename and resolves path within upload directory
CSRF Middleware Bug - Fixed an undefined-variable error in the middleware
High Priority
Password Reset Token Reuse - Tokens now invalidated after use
New password_changed_at field tracks when password was changed
Tokens issued before password change are rejected
Rate Limiting
Photo upload: 60/min → 15/min (prevents storage DoS)
Audio transcription: New 10/hour limit (prevents API cost abuse)
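The photo-deletion fix above is described only as "validates filename and resolves path within upload directory". The following is an added example of that two-step guard, written for this note and not taken from the project's backend; the function names, the demo upload directory and the sample files are all constructed here.

```python
"""Added example, not the project's own code: guard photo deletion against path
traversal by validating the filename and resolving it inside the upload directory."""
import os
import re
import tempfile
from pathlib import Path

# Exactly one path component: conservative charset, no separators, no leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class UnsafePathError(ValueError):
    """Filename is malformed or would resolve outside the upload directory."""


def resolve_upload_path(upload_dir: str, filename: str) -> Path:
    """Return the on-disk path for filename or raise UnsafePathError.

    Check 1 rejects traversal in the raw name ('..', '/', '\\', NUL, empty name).
    Check 2 resolves symlinks and confirms the result is still under upload_dir,
    catching a planted symlink inside the directory that check 1 cannot see.
    """
    if not _SAFE_NAME.fullmatch(filename):
        raise UnsafePathError(f"rejected filename {filename!r}")
    base = Path(upload_dir).resolve(strict=True)
    candidate = (base / filename).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePathError(f"{filename!r} resolves outside {base}") from None
    return candidate


def delete_photo(upload_dir: str, filename: str) -> bool:
    """Delete a photo only if it resolves inside upload_dir; True when removed."""
    path = resolve_upload_path(upload_dir, filename)
    if not path.is_file():
        return False
    path.unlink()
    return True


def build_demo_upload_dir() -> str:
    """Constructed fixture: upload dir holding a.jpg plus a symlink escaping it."""
    outside = Path(tempfile.mkdtemp())
    (outside / "secret.txt").write_text("not a photo")
    upload = Path(tempfile.mkdtemp())
    (upload / "a.jpg").write_bytes(b"\xff\xd8demo")
    os.symlink(outside / "secret.txt", upload / "link.jpg")
    return str(upload)
```

The symlink case is why the resolved-path check is kept even after the filename passes validation: a name that looks harmless can still point outside the directory once resolved.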
Files Changed
backend/middleware/security.py
backend/models/user.py
backend/routes/budget.py
backend/routes/diary.py
backend/routes/password_reset.py
backend/utils/access_control.py (new)
backend/utils/rate_limits.py