Commit Graph

20051 Commits

Author SHA1 Message Date
Lunny Xiao 3c46a3deb3 Fix bug when pushing mirror with wiki (#36795) (#36807)
Fix #36736
Backport #36795

Co-authored-by: ChristopherHX <christopher.homberger@web.de>
2026-03-06 16:26:34 +01:00
Giteabot 5552eff6e7 Fix artifacts v4 backend upload problems (#36805) (#36834)
Backport #36805 by @ChristopherHX

* Use base64.RawURLEncoding to avoid equal sign
  * using the nodejs package they seem to get lost
* Support uploads with unspecified length
* Support uploads with a single named blockid
  * without requiring a blockmap

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: ChristopherHX <christopher.homberger@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-03-06 14:22:53 +01:00
Lunny Xiao f44f7bf2d3 upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (#36840)
Backport #36837

---------

Co-authored-by: Christopher Homberger <christopher.homberger@web.de>
2026-03-06 12:55:33 +01:00
Giteabot 0f55eff0e7 Fix CRAN package version validation to allow more than 4 version components (#36813) (#36821)
Backport #36813

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com>
2026-03-04 09:29:22 +08:00
Giteabot b3bc79262d Add validation constraints for repository creation fields (#36671) (#36757)
Backport #36671 by @lunny

Adds validation constraints to repository creation inputs, enforcing
max-length limits for labels/license/readme and enum validation for
trust model and object format. Updates both the API option struct and
the web form struct to keep validation consistent.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-02-25 20:43:00 +00:00
Lunny Xiao d1bd84f8cf Fix force push time-line commit comments of pull request (#36653) (#36717)
Backport #36653 

Fix #36647
Fix #25827
Fix #25870

Signed-off-by: silverwind <me@silverwind.io>
Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-02-25 11:54:30 -08:00
Giteabot 19e36e8a70 Fix SVG height calculation in diff viewer (#36748) (#36750)
Backport #36748 by POPSuL

Fixes #36742

Co-authored-by: Viktor Suprun <popsul1993@gmail.com>
2026-02-26 00:46:35 +08:00
Giteabot 00566cc953 Fix track time list permission check (#36662) (#36744)
Backport #36662 by @lunny

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-02-25 07:57:47 -08:00
Giteabot 579615936c Fix path resolving (#36734) (#36746)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-02-25 12:11:53 +08:00
Giteabot 2aee44cdd9 Prevent redirect bypasses via backslash-encoded paths (#36660) (#36716)
Backport #36660 by @lunny

This change tightens relative URL validation to reject raw backslashes
and `%5c` (encoded backslash), since browsers and URL normalizers can
treat backslashes as path separators. That normalization can turn
seemingly relative paths into scheme-relative URLs, creating
open-redirect risk.

Visiting below URL to reproduce the problem.

http://localhost:3000/user/login?redirect_to=/a/../\example.com

http://localhost:3000/user/login?redirect_to=/a/../%5cexample.com

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-02-23 01:59:59 +01:00
Giteabot e7fca90a78 Fix get release draft permission check (#36659) (#36715)
Backport #36659 by @lunny

Draft release and it's attachments need a write permission to access.

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-02-22 22:09:07 +00:00
Lunny Xiao 3422318545 Fix push time bug (#36693) (#36713)
When display or search branch's pushed time, we should use
`updated_unix` rather than `commit_time`.

Fix #36633
Backport #36693

Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
2026-02-22 22:27:40 +01:00
Giteabot 996cc12bf7 Add migration http transport for push/sync mirror lfs (#36665) (#36691)
Backport #36665 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-02-22 08:56:14 +00:00
Giteabot 99bc281856 Add some validation on values provided to USER_DISABLED_FEATURES and EXTERNAL_USER_DISABLED_FEATURES (#36688) (#36692) 2026-02-21 11:13:15 -05:00
Giteabot 8051056075 Fix track time issue id (#36664) (#36689)
Backport #36664 by @lunny

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-02-21 00:26:56 +00:00
Lunny Xiao 0b2f7575e7 Upgrade gogit to 5.16.5 (#36687)
Backport #36680
2026-02-20 15:02:38 -08:00
Giteabot 216cf96cd4 Fix bug the protected branch rule name is conflicted with renamed branch name (#36650) (#36661)
Backport #36650 by @lunny

Fix #36464

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-02-17 21:57:43 +00:00
Lunny Xiao e927a86586 Fix a bug user could change another user's primary email (#36586) (#36607)
backport #36586
2026-02-14 14:06:59 +02:00
Giteabot 76b7306daa Fix bug when do LFS GC (#36500) (#36608)
Backport #36500 by @lunny

Fix #36448

Removed unnecessary parameters from the LFS GC process and switched to
an ORDER BY id ASC strategy with a last-ID cursor to avoid missing or
duplicating meta object IDs.

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-02-13 04:30:42 +00:00
Tyrone Yeh 8e412ababf Fix focus lost bugs in the Monaco editor (#36609)
…t focus (#36585)

Currently, pressing the space key in the Monaco editor scrolls the page
instead of inserting a space
if the editor is focused. This PR stops the space key event from
propagating to parent elements,
which prevents unwanted page scrolling while still allowing Monaco to
handle space input normally.

Changes:
 - disable Monaco editContext

No changes to default editor behavior are needed; Monaco automatically
inserts the space character.

Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
2026-02-13 05:00:17 +01:00
Tyrone Yeh 4f1408cdcf fix(diff): reprocess htmx content after loading more files (#36568) (#36577) 2026-02-10 13:10:32 +08:00
Giteabot 5973437abb Add wrap to runner label list (#36565) (#36574)
Backport #36565 by @silverwind

Before: Label list forces runner table to become scrollable if there is
a large number of labels:

<img width="820" height="115" alt="Screenshot 2026-02-09 at 09 21 32"
src="https://github.com/user-attachments/assets/919a3b12-c8f6-48c4-bd42-d7e267faf107"
/>

After: Wrapped:

<img width="821" height="128" alt="Screenshot 2026-02-09 at 09 20 31"
src="https://github.com/user-attachments/assets/9f6d490c-1035-44be-97a7-20a1632dbe5e"
/>

Co-authored-by: silverwind <me@silverwind.io>
2026-02-10 04:47:12 +00:00
Giteabot 90843398ed fix: add dnf5 command for Fedora in RPM package instructions (#36527) (#36572)
Backport #36527 by @yshyuk

## Summary
Add support for Fedora 41+ which uses dnf5 with different command syntax
for adding repositories.

## Changes
- Added new locale key `packages.rpm.distros.fedora` for Fedora (dnf5)
- Added dnf5 command in RPM package template: `dnf config-manager
addrepo --from-repofile=<URL>`
- Kept existing dnf4 command (`--add-repo`) for RHEL/Rocky Linux
compatibility

## Background
Fedora 41+ uses dnf5 which has different syntax:
- **dnf4 (RHEL/Rocky):** `dnf config-manager --add-repo <URL>`
- **dnf5 (Fedora 41+):** `dnf config-manager addrepo
--from-repofile=<URL>`

Closes #35330

Co-authored-by: yshyuk <43194469+yshyuk@users.noreply.github.com>
2026-02-10 02:16:39 +01:00
Giteabot 9b3a9527ec Fix assignee sidebar links and empty placeholder (#36559) (#36563)
Backport #36559 by tyroneyeh

Co-authored-by: Tyrone Yeh <siryeh@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-02-09 03:31:38 +00:00
Giteabot 7477f85e47 Fix issues filter dropdown showing empty label scope section (#36535) (#36544)
Backport #36535 by tyroneyeh
2026-02-08 15:59:16 +00:00
wxiaoguang 4098032aa8 Fix various mermaid bugs (#36547) (#36552)
Backport #36547
2026-02-08 19:24:35 +08:00
Giteabot dcce96c08d [SECURITY] fix: Adjust the toolchain version (#36537) (#36542)
Backport #36537 by @ZPascal

# Summary:

- Adjust the toolchain version to fix the security issues


```log
Vulnerability #1: GO-2026-4337
    Unexpected session resumption in crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4337
  Standard library
    Found in: crypto/tls@go1.25.6
    Fixed in: crypto/tls@go1.25.7
    Example traces found:
```

Signed-off-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com>
Co-authored-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com>
2026-02-06 23:00:52 +08:00
Giteabot 885f2b89d6 fix(packages/container): data race when uploading container blobs concurrently (#36524) (#36526)
Backport #36524 by @noeljackson

Fix data race when uploading container blobs concurrently

Co-authored-by: Noel Jackson <n@noeljackson.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-02-04 09:32:26 -08:00
Giteabot 57ce10c0ca Allow scroll propagation outside code editor (#36502) (#36510)
Backport #36502 by @lunny

Fix #28479

When scrolling inside the editor and the editor has already reached the
end of its scroll area, the browser does not continue scrolling. This is
inconvenient because users must move the cursor out of the editor to
scroll the page further.

This PR enables automatic switching between the editor’s scroll and the
browser’s scroll, allowing seamless continuous scrolling.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-02-01 09:33:23 -08:00
Sebastian Ertz 25785041e7 Correct spacing between username and bot label (#36473) (#36484)
Backport #36473

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-01-30 05:47:46 +00:00
Giteabot ff3d11034d [SECURITY] Toolchain Update to Go 1.25.6 (#36480) (#36487)
Backport #36480 by @ZPascal

## Overview
This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for
the Gitea project.

## Changes

### Toolchain Update
- **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6`

This is a minor toolchain version bump that ensures the project uses the
latest patch release of Go 1.25.

## Security Improvements

While this PR primarily addresses the toolchain update, the project
maintains a strong security posture through:

### Current Security Measures
```log
Vulnerability #1: GO-2026-4342                                                                                                                                                                                                      
    Excessive CPU consumption when building archive index in archive/zip
  More info: https://pkg.go.dev/vuln/GO-2026-4342
  Standard library
    Found in: archive/zip@go1.25.5
    Fixed in: archive/zip@go1.25.6
    Example traces found:
      #1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open                                                                                                                                

Vulnerability #2: GO-2026-4341
    Memory exhaustion in query parameter parsing in net/url
  More info: https://pkg.go.dev/vuln/GO-2026-4341
  Standard library
    Found in: net/url@go1.25.5
    Fixed in: net/url@go1.25.6
    Example traces found:
      #1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery                                                                                                                                            
      #2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query

Vulnerability #3: GO-2026-4340
    Handshake messages may be processed at the incorrect encryption level in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2026-4340
  Standard library
    Found in: crypto/tls@go1.25.5
    Fixed in: crypto/tls@go1.25.6
    Example traces found:
      #1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake                                                                                                     
      #2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
      #3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read
      #4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write
      #5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial
      #6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer
      #7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext
```

Co-authored-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com>
2026-01-29 21:18:21 -08:00
Giteabot 750649c1ef Fix oauth2 s256 (#36462) (#36477)
Backport #36462 by @lunny

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-01-28 12:37:39 -08:00
Lunny Xiao eb95bbc1fd Add missing changelog for v1.25.4 (#36433) 2026-01-23 06:35:34 +01:00
Lunny Xiao 369830bada Release notes for 1.25.4 (#36385)
---------

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Thomas Beutlich <115483027+thbeu@users.noreply.github.com>
v1.25.4
2026-01-22 00:57:25 +00:00
Tyrone Yeh d7d6533311 Fix markdown newline handling during IME composition (gitea#36421) (#36424)
Backport of #36421
2026-01-21 16:56:39 -08:00
Giteabot c326369f47 Allow foreachref parse max tokens from 4*64KB to 4MB (#36414) (#36429)
Backport #36414 by @lunny

Fix #36408

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Lauris BH <lauris@nix.lv>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-01-21 16:23:00 -08:00
Lunny Xiao 4cdb8a7f96 Fix missing repository id when migrating release attachments (#36389) (#36413)
This PR fixes missed repo_id on the migration of attachments to Gitea.
It also provides a doctor check to fix the dirty data on the database.

Backport #36389
2026-01-20 23:36:45 +02:00
wxiaoguang 38125a8d1d Fix git http service handling (#36396)
Partially backport #36391
2026-01-18 01:42:35 +08:00
Giteabot 175a425825 Fix bug on notification read (#36339) (#36387)
Backport #36339 by @lunny

When a user has been revoked permission to access a repository, the
related notification could still be visited. But the repository's
information should not be leaked any more.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-01-16 09:58:56 +02:00
Lunny Xiao 6132f639e7 Fix bug when compare in the pull request (#36363) (#36372)
The pull request comparison should not use `direct compare`.

Backport #36363
2026-01-15 01:58:42 +00:00
Giteabot dfe4055b92 Release attachments must belong to the intended repo (#36347) (#36375)
Backport #36347 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-01-15 02:30:18 +01:00
Giteabot 5fe9703586 Fix permission check on org project operations (#36318) (#36373)
Backport #36318 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-01-14 14:22:27 -08:00
Giteabot 53d67dae28 clean watches when make a repository private and check permission when send release emails (#36319) (#36370)
Backport #36319 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-01-14 19:28:02 +01:00
Giteabot ef6ab681f7 Fix incorrect text content detection (#36364) (#36369)
Backport #36364 by wxiaoguang

Fix #36325

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-01-15 00:45:38 +08:00
Giteabot 812a3cffb3 Add more check for stopwatch read or list (#36340) (#36368)
Backport #36340 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-01-14 16:04:02 +00:00
Giteabot 669b22100b Fix openid setting check (#36346) (#36361)
Backport #36346 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-01-13 16:47:00 +02:00
Giteabot a0c77673ff fill missing has_code in repository api (#36338) (#36359)
Backport #36338 by @TheFox0x7

fixes: https://github.com/go-gitea/gitea/issues/36332

Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-01-13 10:31:18 +00:00
Giteabot d96b68cbf5 Fix notifications pagination query parameters (#36351) (#36358)
Backport #36351 by @wxiaoguang

Fix #36350

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-01-13 04:37:20 +00:00
Giteabot f8ec5b3e43 Fix cancel auto merge bug (#36341) (#36356)
Backport #36341 by @lunny

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-01-12 18:55:41 -08:00
Lunny Xiao 11891c2dac Fix delete attachment check (#36320) (#36355)
Backport #36320
2026-01-12 13:48:07 -08:00