Commit graph

17137 commits

Author SHA1 Message Date
Earl Warren 84449e9288 Merge pull request '[BUG] prevent removing session cookie when redirect_uri query contains ://' (#2606) from oliverpool/forgejo:backport2590 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2606
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-03-08 15:07:50 +00:00
Earl Warren 4696f4cefd Merge pull request 'Fix /api/v1/{owner}/{repo}/issue_templates' (#2605) from gusted/forgejo-bp-2292 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2605
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
2024-03-08 15:07:38 +00:00
oliverpool 3877a2332b implement fix 2024-03-07 22:43:38 +01:00
oliverpool 20bc8662b1 [BUG] prevent removing session cookie when redirect_uri query contains :// 2024-03-07 22:41:47 +01:00
Gergely Nagy 969d3f4410
Fix /api/v1/{owner}/{repo}/issue_templates
Backport of #2292

When issue templates were moved into services in
def4956122, the code was also refactored
and simplified. Unfortunately, that simplification broke the
`/api/v1/{owner}/{repo}/issue_templates` route, because it was
previously using a helper function that ignored invalid templates, and
after the refactor, the function it called *always* returned non-nil as
the second return value. This, in turn, results in the aforementioned
end point always returning an internal server error.

This change restores the previous behaviour of ignoring invalid files
returned by `issue.GetTemplatesFromDefaultBranch`, and adds a few test
cases to exercise the endpoint.

Other users of `GetTemplatesFromDefaultBranch` already ignore the second
return value, or handle it correctly, so no changes are necessary there.

Signed-off-by: Gergely Nagy <forgejo@gergo.csillger.hu>
(cherry picked from commit be8d16438a)
2024-03-07 21:50:27 +01:00
Earl Warren 6e877f02ab Merge pull request '[gitea] v1.21 cherry-pick' (#2566) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2566
2024-03-06 05:50:42 +00:00
Earl Warren 812458206f Merge pull request 'Revert "[CI] pin go v1.21.8 version"' (#2570) from earl-warren/forgejo:wip-v1.21-ci-go-action into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2570
2024-03-06 05:09:16 +00:00
Earl Warren ded6e7a4b2
[SEMVER] 6.0.7+0-gitea-1.21.7 2024-03-06 13:05:29 +08:00
Giteabot 91a2d3ecc4
Add missing space (#29393) (#29399)
Backport #29393 by @KN4CK3R

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 0f35cb5a2a9ad3b1d78f9547148b594adc4bdabf)
2024-03-06 12:20:42 +08:00
Giteabot 40c3a1d2ea
enforce maxlength in frontend (#29389) (#29396)
Backport #29389 by @zokkis

Set maxlength attribute in frontend

to long file-name

![image](https://github.com/go-gitea/gitea/assets/72873130/15111614-55ab-4583-acb2-15c25997601d)

![image](https://github.com/go-gitea/gitea/assets/72873130/4105ddd8-4973-4da8-b3ab-4cfae1b45554)
(same for branch-name and commit-summary)

Co-authored-by: Tim-Niclas Oelschläger <72873130+zokkis@users.noreply.github.com>
(cherry picked from commit 0b3d6c399c88e42e827f422dc4c8458f0d20c613)
2024-03-06 12:20:42 +08:00
Lunny Xiao 2c802fc8f0
Display friendly error message (#29105) (#29363)
Backport #29105

`ctx.Error` only displays the text but `ctx.ServerError` renders the
usual error page.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit a1c0b3a02e54e5fe879dabccb71fba9498b64051)
2024-03-06 12:20:42 +08:00
Giteabot a28d6686fa
Fix validity of the FROM email address not being checked (#29347) (#29360)
Backport #29347 by @carlosfelgueiras

Fixes #27188.
Introduces a check on the installation that tries to parse the FROM
address. If it fails, shows a new error message to the user.

Co-authored-by: Carlos Felgueiras <carlosfelgueiras@tecnico.ulisboa.pt>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 35db5a373babd9af157fd63eeb20d6da53320b73)
2024-03-06 12:20:42 +08:00
Lunny Xiao e4d3067138
Fix project counter in organization/individual profile (#28068) (#29361)
Fix #28052
Backport #28068
Before:

![image](https://github.com/go-gitea/gitea/assets/18380374/5f299983-4b38-4d68-ac0e-4be3c62c0558)

![image](https://github.com/go-gitea/gitea/assets/18380374/f0e12afd-483b-4882-80e9-0261beb3fe0c)

After:

![image](https://github.com/go-gitea/gitea/assets/18380374/47cccb7b-bb35-4a7d-9c5b-83133be0323a)

![image](https://github.com/go-gitea/gitea/assets/18380374/77825c0c-4bf2-4762-83a2-1a5a173cc22d)

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit 5043ad54c7a0d1dc6bf5f1caf21b4646ec9344d3)
2024-03-06 12:20:42 +08:00
Giteabot 8e2c991b35
Fix tarball/zipball download bug (#29342) (#29352)
Backport #29342 by @Zettat123

Fix #29249

~~Use the `/repos/{owner}/{repo}/archive/{archive}` API to download.~~

Apply #26430 to archive download URLs.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 829b807a91f9895e3f4b262f688a8d0d9a44caf6)
2024-03-06 12:20:42 +08:00
Giteabot 9da608abad
Don't show third-party JS errors in production builds (#29303) (#29333)
Backport #29303 by @silverwind

So we don't get issues like
https://github.com/go-gitea/gitea/issues/29080 and
https://github.com/go-gitea/gitea/issues/29273 any more. Only active in
[production
builds](https://webpack.js.org/guides/production/#specify-the-mode), in
non-production the errors will still show.

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 6ca8cb590d510c98610031675e0a316f95efaf61)
2024-03-06 12:20:42 +08:00
Giteabot c4ac72e6a0
Only log error when tag sync fails (#29295) (#29327)
Backport #29295 by @lunny

Fix #28843

This PR will bypass the pushUpdateTag to database failure when
syncAllTags. An error log will be recorded.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit b78f5fc60f510a58d58535af77c5b424a8b5a660)
2024-03-06 12:20:42 +08:00
Lunny Xiao 790a27f38a
Fix SSPI user creation (#28948) (#29323)
Fixes #28945
Backport #28948

Setting the avatar is wrong and creating a random password is equal to
leave it empty.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 7ea2ffaf166780b7786291f7ff022e3f5b49e8c2)
2024-03-06 12:20:42 +08:00
Earl Warren b837bd81d0
Revert "[CI] pin go v1.21.8 version"
This reverts commit e3698d8662.
2024-03-06 12:18:06 +08:00
Earl Warren 2a2b51c5f7 Merge pull request '[CI] pin go v1.21.8 version' (#2568) from earl-warren/forgejo:wip-v1.21-ci-go-action into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2568
2024-03-06 04:17:23 +00:00
techknowlogick e7448699f6
bump protobuf module (#29617)
(cherry picked from commit 06039bf0b7ec4dffe74ae323b8bbbbedec69d0c8)

Conflicts:
	go.mod
	go.sum
	trivial context conflict
2024-03-06 11:53:02 +08:00
Earl Warren e3698d8662
[CI] pin go v1.21.8 version
Because setup-go fails to pick it up.

Refs: https://github.com/actions/setup-go/issues/462
(cherry picked from commit d7aaefcea9d38ca50a96f34ff42efe954bce4acd)

Conflicts:
	.forgejo/workflows/build-release.yml
	.forgejo/workflows/cascade-setup-end-to-end.yml
	.forgejo/workflows/e2e.yml
	.forgejo/workflows/testing.yml
	trivial context conflict
2024-03-06 11:53:02 +08:00
Gusted 9196f0d618 Merge pull request '[BUG] Ensure HasIssueContentHistory takes into account comment_id' (#2535) from gusted/forgejo-bp-2518 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2535
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
2024-03-01 15:19:38 +00:00
Gusted 8fb027fea5
[BUG] Ensure HasIssueContentHistory takes into account comment_id
- Backport of #2518
- The content history table contains the content history of issues and
comments. For issues they are saved with an comment id of zero.
- If you want to check if the issue has an content history, it should
take into account that SQL has `comment_id = 0`, as it otherwise could
return incorrect results when for example the issue already has an
comment that has an content history.
- Fix the code of `HasIssueContentHistory` to take this into account, it
relied on XORM to generate the SQL from the non-default values of the
struct, this wouldn't generate the `comment_id = 0` SQL as `0` is the
default value of an integer.
- Remove an unncessary log (it's not the responsibility of `models`
code to do logging).
- Adds unit test.
- Resolves #2513

(cherry picked from commit 331fa44956)
2024-03-01 15:48:42 +01:00
Gusted 5d5059f42c Merge pull request '[BUG] Correct changed files for codeowners' (#2519) from gusted/forgejo-bp-2507 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2519
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-28 23:18:08 +00:00
Gusted 9b70caf798
[BUG] Correct changed files for codeowners
- Backport of #2507
- The CODEOWNER feature relies on the changed files to determine which
reviewers should be added according to the `CODEOWNER` file.
- The current approach was to 'diff' between the base and head branch,
which seems logical but fail in practice when the pull request is out of
date with the base branch. Therefore it should instead diff between the
head branch and the merge base of the head and base branch, so only the
actual affected files by the pull requests are used, the same approach
is used by the diff of an unmerged pull request.
- Add integration testing (for the feature as well).
- Resolves #2458

(cherry picked from commit fb2795b5bb)
2024-02-28 20:13:20 +01:00
Earl Warren ab67eb7d8a Merge pull request '[BUG] Remember topic only in repo search' (#2508) from gusted/forgejo-bp-2489 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2508
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-28 10:20:12 +00:00
Gusted 9955e38fa2
[BUG] Remember topic only in repo search
- Backport of #2489
- If the user is searching repositories with an specific topic, adding
any other filter option, such as showing unrelevant repositories or
using another sort Forgejo should remember that 'topic only' was set.
- Adds integration test.
- Resolves #2461

(cherry picked from commit b4360d504c)
2024-02-27 23:37:26 +01:00
Gusted da9473cd4d Merge pull request '[BUG] Log FindRenamedBranch error' (#2468) from gusted/forgejo-fix-error into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2468
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-25 15:13:28 +00:00
Gusted 255b60931f
[BUG] Log FindRenamedBranch error
- Fix error string to add an `%v` verb to log the error correctly.
2024-02-25 15:40:18 +01:00
Earl Warren 031822b8fc Merge pull request '[SECURITY] Fix XSS vulnerabilities' (#2434) from earl-warren/forgejo:wip-v1.21-xss into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2434
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
2024-02-22 15:03:20 +00:00
Gusted d3de80b9cc
[SECURITY] Test XSS in dismissed review
It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.

(cherry picked from commit ca798e4cc2)
2024-02-22 15:35:04 +01:00
Gusted fe2df46d05
[SECURITY] Fix XSS in dismissed review
- It's possible for reviews to not be assiocated with users, when they
were migrated from another forge instance. In the migration code,
there's no sanitization check for author names, so they could contain
HTML tags and thus needs to be properely escaped.
- Pass `$reviewerName` trough `Escape`.
2024-02-22 15:04:36 +01:00
Gusted 92dae3a387
[SECURITY] Test XSS in wiki last commit information
On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. Verify it is sanitized.

(cherry picked from commit 565e331238)
2024-02-22 15:04:11 +01:00
Earl Warren 5048478147 Merge pull request '[gitea] v1.21 cherry-pick' (#2430) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2430
2024-02-22 13:00:38 +00:00
Zettat123 9a63c6f39a
Fix error display when merging PRs (#29288) (#29309)
Backport #29288
Partially fix #29071, regression of Modernize merge button #28140

Fix some missing `Redirect` -> `JSONRedirect`.

Thanks @yp05327 for the help in
https://github.com/go-gitea/gitea/issues/29071#issuecomment-1931261075

(cherry picked from commit dcb9c38568dc4e9502fc416de237cce0eac41cba)
2024-02-22 13:10:12 +01:00
Gusted d24c37e132
[SECURITY] Fix XSS in wiki last commit information
- On the wiki and revisions page, information is shown about the last
commit that modified that wiki page. This includes the time it was last
edited and by whom. That whole string is not being sanitized (passed
trough `Safe` in the templates), because the last edited bit is
formatted as an HTML element and thus shouldn't be sanitized. The
problem with this is that now `.Author.Name` is not being sanitized.
- This can be exploited, the names of authors and commiters on a Git
commit is user controlled, they can be any value and thus also include
HTML. It's not easy to actually exploit this, as you cannot use the
official git binary to do use, as they actually strip `<` and `>` from
user names (trivia: this behaviour was introduced in the initial commit
of Git). In the integration testing, go-git actually has to generate
this commit as they don't have such restrictions.
- Pass `.Author.Name` trough `Escape` in order to be sanitized.
2024-02-22 13:04:47 +01:00
jolheiser 33af169223
[SECURITY] review(kn4ck3r): more template escapes
Signed-off-by: jolheiser <john.olheiser@gmail.com>
2024-02-22 12:54:34 +01:00
yp05327 47e70bbf0e
Fix gitea-action user avatar broken on edited menu (#29190) (#29307)
Backport #29190

Fix #29178

(cherry picked from commit f80ea95eb538decad4d982ce96f640b18e430393)
2024-02-22 11:07:39 +01:00
wxiaoguang 3a061083d6
Fix missing link on outgoing new release notifications (#29079) (#29300)
Backport #29079

Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Co-authored-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit c4a86b20a4ecef749caed4e9e1381c1736cb0309)
2024-02-22 11:07:31 +01:00
wxiaoguang 8a2c4e9ff2
Fix debian InRelease Acquire-By-Hash newline (#29204) (#29299)
Backport #29204

Co-authored-by: Robin Schoonover <robin@cornhooves.org>
(cherry picked from commit f634982d237b38e0634c5997612f50230898247e)
2024-02-22 11:07:28 +01:00
wxiaoguang a1fb6a2346
Always write proc-receive hook for all git versions (#29287) (#29291)
Backport #29287

(cherry picked from commit 9379352db638aa99ee9f4a7d2755966f3d866541)
2024-02-22 11:07:23 +01:00
Zettat123 c49dd9de9b
Do not show delete button when time tracker is disabled (#29257) (#29279)
Backport #29257
Fix #29233

The delete button of time logs won't be shown when the time tracker is
disabled.

![image](https://github.com/go-gitea/gitea/assets/15528715/5cc4e0c9-d2f9-4b8f-a2f5-fe202b94c191)

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit e940443b276fa4f30633902f025fd2adad1b22de)
2024-02-22 11:07:20 +01:00
Earl Warren 2c567ea193 Merge pull request '[BUG] Initialize Git for hook regeneration' (#2421) from gusted/forgejo-bp-2416 into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2421
Reviewed-by: Earl Warren <earl-warren@noreply.codeberg.org>
2024-02-21 14:41:45 +00:00
Gusted 2fb2e832c5
[BUG] Initalize Git for hook regeneration
- Backport of #2416
- The hook regeneration code relies on `git.SupportProcReceive` being
set to determine if the `proc-receive` hook should be written, this
variable is set when the git module is initialized.
- Resolves #2414

(cherry picked from commit 815abad84c)
2024-02-21 14:43:43 +01:00
Earl Warren ceca25d374 Merge pull request '[gitea] v1.21 cherry-pick' (#2407) from earl-warren/forgejo:wip-v1.21-gitea-cherry-pick into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2407
Reviewed-by: oliverpool <oliverpool@noreply.codeberg.org>
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
2024-02-20 15:47:19 +00:00
Earl Warren 44906f85f7 Merge pull request '[SEMVER] 6.0.6+0-gitea-1.21.6' (#2409) from earl-warren/forgejo:wip-v1.21-semver into v1.21/forgejo
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/2409
2024-02-20 11:22:31 +00:00
Earl Warren 5e31d1f37f
[SEMVER] 6.0.6+0-gitea-1.21.6 2024-02-20 10:41:03 +01:00
6543 8377ecbfe1
Workaround to clean up old reviews on creating a new one (#28554) (#29264)
close  #28542
backport #28554

---
*Sponsored by Kithara Software GmbH*

(cherry picked from commit c01b266d8680a270b1e8067e757ed25be38eea24)
2024-02-20 09:39:02 +01:00
Jason Song 861d0b9689
Do not use lower tag names to find releases/tags (#29261) (#29262)
Backport #29261.

Fix #26090, see
https://github.com/go-gitea/gitea/issues/26090#issuecomment-1952013206

Since `TagName` stores the original tag name and `LowerTagName` stores
the lower tag name, it doesn't make sense to use lowercase tags as
`TagNames` in `FindReleasesOptions`.

5e72526da4/services/repository/push.go (L396-L397)

While the only other usage looks correct:

5e72526da4/routers/web/repo/repo.go (L416)
(cherry picked from commit f79530c50ee1c7833cae13e56531e5d1fd66f5ba)
2024-02-20 09:36:37 +01:00
Tim-Nicas Oelschläger a40762d929
Convert visibility to number (#29226) (#29244)
Backport #29226

Don't throw error while creating user (Fixes #29218)

---

The backport info from Giteabot
https://github.com/go-gitea/gitea/pull/29226#issuecomment-1951341322
needs to specify the version, because the default is v1.18

(cherry picked from commit 39735c43a8b6f7db3b3e3531ca9115a60335d524)
2024-02-20 09:36:28 +01:00