Fix a regular-expression denial-of-service (ReDoS) in the ICS calendar parser (CodeQL #10). The parameter-list patterns matching DUE/DTSTART lines allowed catastrophic backtracking on a crafted line containing many ; separators without a closing colon, which could freeze the server while parsing a malicious subscribed or imported calendar. The inner character class is now restricted so the separator and parameter content no longer overlap.
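To make the backtracking problem concrete, here is an added example (not the project's code; the two patterns are constructed for illustration and are not the project's real regexes) that contrasts a DUE/DTSTART parameter-list pattern whose parameter body still accepts the `;` separator with the hardened form whose body excludes it, and times both on a crafted line of repeated `;` with no closing colon:

```python
import re
import time

# Illustrative patterns for a property line such as
#   DUE;VALUE=DATE-TIME;TZID=Europe/Berlin:20240105T090000
# Both are constructed for this example and are NOT the project's actual regexes.
#
# Vulnerable: the parameter body [^:]* also matches ';', so a run of semicolons
# can be divided between group repetitions and the body in 2^(n-1) ways, and
# the engine tries every one before the final ':' fails.
VULNERABLE_RE = re.compile(r"^(DUE|DTSTART)(;[^:]*)*:(.*)$")

# Hardened: the body [^:;]* excludes the separator, so each ';' can only start a
# new parameter and there is exactly one way to consume the input.
HARDENED_RE = re.compile(r"^(DUE|DTSTART)(;[^:;]*)*:(.*)$")


def parse_property(line, pattern=HARDENED_RE):
    """Return (name, [params], value) for a DUE/DTSTART line, or None if it does not parse."""
    m = pattern.match(line)
    if not m:
        return None
    name, _, value = m.groups()
    params = line[len(name):m.start(3) - 1]  # the ';param' text between the name and ':'
    return name, [p for p in params.split(";") if p], value


def malicious_line(n):
    """Constructed attack input: a DUE line with n ';' separators and no closing ':'."""
    return "DUE" + ";" * n


def match_time(pattern, line):
    """Run pattern.match and report (matched, elapsed_seconds)."""
    start = time.perf_counter()
    matched = pattern.match(line) is not None
    return matched, time.perf_counter() - start


if __name__ == "__main__":
    print(parse_property("DUE;VALUE=DATE-TIME;TZID=Europe/Berlin:20240105T090000"))
    # Vulnerable pattern: every extra ';' roughly doubles the time to reject.
    for n in (12, 14, 16, 18):
        matched, secs = match_time(VULNERABLE_RE, malicious_line(n))
        print(f"vulnerable n={n:2d} matched={matched} {secs:.4f}s")
    # Hardened pattern: rejects a far longer line in linear time.
    matched, secs = match_time(HARDENED_RE, malicious_line(10_000))
    print(f"hardened   n=10000 matched={matched} {secs:.6f}s")
```

The fix keeps the two character sets disjoint: the separator is matched only by the group's leading `;`, never by the body, so the engine has no alternative splits to explore when the colon is missing. The same check applies to any repeated group of the form `(sep body*)*`: if `body` can match `sep`, the pattern is a backtracking hazard.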
Apply the API rate limiter to the admin-only /docs and /openapi.json endpoints (CodeQL #11, #12). Both routes live outside the rate-limited /api/ path and were previously unthrottled.
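The gap here is a coverage rule, not the limiter algorithm: a limiter applied by path prefix silently skips any route mounted elsewhere. The following added example (framework-agnostic, not the project's own limiter; the route list and limits are assumptions chosen for illustration) shows a prefix-only rule that misses `/docs` and `/openapi.json` next to the corrected rule that names them explicitly, and a small sliding-window limiter to exercise both:

```python
import time
from collections import defaultdict

# Assumed for this example: API routes live under /api/, and the admin-only
# documentation routes live at the application root, outside that prefix.
THROTTLED_PREFIXES = ("/api/",)
THROTTLED_EXACT = ("/docs", "/openapi.json")


def is_throttled(path, include_docs_routes=True):
    """Decide whether a request path is subject to the rate limiter.

    include_docs_routes=False reproduces the pre-fix behaviour: only the
    /api/ prefix is covered, so /docs and /openapi.json are never throttled.
    """
    if path.startswith(THROTTLED_PREFIXES):
        return True
    return include_docs_routes and path in THROTTLED_EXACT


class SlidingWindowLimiter:
    """Per-client limiter: at most `limit` throttled requests per `window` seconds."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable for deterministic tests
        self._hits = defaultdict(list)  # client -> timestamps of recent throttled requests

    def allow(self, client, path, include_docs_routes=True):
        if not is_throttled(path, include_docs_routes):
            return True  # route outside the limiter: always served
        now = self.clock()
        recent = [t for t in self._hits[client] if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[client] = recent
            return False
        recent.append(now)
        self._hits[client] = recent
        return True


def served_count(path, requests, include_docs_routes=True, limit=5, window=60.0):
    """How many of `requests` identical requests from one client get served."""
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: 1000.0)
    return sum(limiter.allow("10.0.0.7", path, include_docs_routes) for _ in range(requests))


if __name__ == "__main__":
    for path in ("/api/tasks", "/docs", "/openapi.json"):
        before = served_count(path, 50, include_docs_routes=False)
        after = served_count(path, 50, include_docs_routes=True)
        print(f"{path:14s} served before fix: {before:2d}  after fix: {after:2d}")
```

When auditing this kind of fix, enumerate the application's mounted routes and check each against `is_throttled` rather than trusting the prefix; any route that returns False and is not meant to be public is the same class of gap.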
Fixed
Keep the time of day for tasks whose DUE value uses VALUE=DATE-TIME. The word-boundary check used to detect date-only values also matched VALUE=DATE-TIME, because the `-` after DATE is not a word character, so timed reminders imported via CalDAV/ICS were truncated to their date and lost their time.
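An added example (not the project's code; the two patterns are constructed to illustrate the bug class, not copied from the project) showing why `\b` after `DATE` is satisfied by `DATE-TIME`, and a DUE parser that keeps the time once the check requires the parameter delimiter instead of a word boundary:

```python
import re
from datetime import date, datetime, timezone

# Buggy check: '\b' matches between 'E' and '-' because '-' is not a word
# character, so "VALUE=DATE-TIME" is misclassified as date-only.
BUGGY_DATE_ONLY_RE = re.compile(r"\bVALUE=DATE\b")

# Fixed check: DATE must be followed by the parameter or value delimiter.
FIXED_DATE_ONLY_RE = re.compile(r"(?:^|;)VALUE=DATE(?=[;:])")


def is_date_only(line, pattern=FIXED_DATE_ONLY_RE):
    """True if the property line declares VALUE=DATE (and not VALUE=DATE-TIME)."""
    return pattern.search(line) is not None


def parse_due(line, pattern=FIXED_DATE_ONLY_RE):
    """Parse a DUE line into a date (VALUE=DATE) or a datetime (VALUE=DATE-TIME or default).

    Constructed inputs look like:
      DUE;VALUE=DATE:20240105
      DUE;VALUE=DATE-TIME:20240105T090000
      DUE:20240105T090000Z
    """
    _, _, value = line.partition(":")
    if is_date_only(line, pattern):
        # Date-only branch keeps just YYYYMMDD; reaching it with a DATE-TIME
        # value is exactly the truncation the buggy check caused.
        return datetime.strptime(value[:8], "%Y%m%d").date()
    utc = value.endswith("Z")
    dt = datetime.strptime(value.rstrip("Z"), "%Y%m%dT%H%M%S")
    return dt.replace(tzinfo=timezone.utc) if utc else dt


if __name__ == "__main__":
    timed = "DUE;VALUE=DATE-TIME:20240105T090000"
    print("buggy:", parse_due(timed, BUGGY_DATE_ONLY_RE))  # time of day lost
    print("fixed:", parse_due(timed))                      # time of day kept
    print("date :", parse_due("DUE;VALUE=DATE:20240105"))
```

The general lesson is that `\b` is a boundary between word and non-word characters, not an end-of-token check; when the token alphabet includes `-`, `.` or similar, anchor on the actual delimiter of the format instead.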