public/gitea
1
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-04-06 21:57:51 +09:00
Code Issues Packages Projects Releases Wiki Activity
20,504 Commits 21 Branches 246 Tags
d7070b851389e97fc5ba104f2efe4ec6a2293264
Commit Graph

14 Commits

Author SHA1 Message Date
Lunny Xiao
723ce3579f Fix forwarded proto handling for public URL detection (#36810) 
Normalize `X-Forwarded-Proto` related headers to accept only `http`/`https`

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
 2026-03-06 00:31:52 +08:00
Zettat123
5b8c8e724f Add never option to PUBLIC_URL_DETECTION configuration (#36785) 
Follow up #34250

Docs: https://gitea.com/gitea/docs/pulls/353

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
 2026-03-01 18:33:47 +00:00
Lunny Xiao
3db3c058b3 Prevent redirect bypasses via backslash-encoded paths (#36660) 
This change tightens relative URL validation to reject raw backslashes
and `%5c` (encoded backslash), since browsers and URL normalizers can
treat backslashes as path separators. That normalization can turn
seemingly relative paths into scheme-relative URLs, creating
open-redirect risk.

Visiting below URL to reproduce the problem.

http://localhost:3000/user/login?redirect_to=/a/../\example.com

http://localhost:3000/user/login?redirect_to=/a/../%5cexample.com

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
 2026-02-22 22:15:03 +00:00
wxiaoguang
9705adb27f Make public URL generation configurable (#34250) 
Follow up #32564

Co-authored-by: Jannis Pohl <838818+jannispl@users.noreply.github.com>
Co-authored-by: Denys Konovalov <kontakt@denyskon.de>
 2025-04-22 06:49:37 +08:00
Jannis Pohl
d1a3bd6814 Make ROOT_URL support using request Host header (#32564) 
Resolve #32554

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
 2025-04-20 11:43:48 +00:00
sommerf-lf
7cdde20c73 Email option to embed images as base64 instead of link (#32061) 
ref: #15081
ref: #14037

Documentation: https://gitea.com/gitea/docs/pulls/69

# Example
Content:

![image](https://github.com/user-attachments/assets/e73ebfbe-e329-40f6-9c4a-f73832bbb181)
Result in Email:

![image](https://github.com/user-attachments/assets/55b7019f-e17a-46c3-a374-3b4769d5c2d6)
Result with source code:
(first image is external image, 2nd is now embedded)

![image](https://github.com/user-attachments/assets/8e2804a1-580f-4a69-adcb-cc5d16f7da81)

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
 2025-03-05 16:29:29 +00:00
TheFox0x7
cc1fdc84ca Use test context in tests and new loop system in benchmarks (#33648) 
Replace all contexts in tests with go1.24 t.Context()

---------

Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
 2025-02-20 09:57:40 +00:00
wxiaoguang
3b10fd9b34 Only use Host header from reverse proxy (#32060) 
X-Forwarded-Host has many problems: non-standard, not well-defined
(X-Forwarded-Port or not), conflicts with Host header, it already caused
problems like #31907. So do not use X-Forwarded-Host, just use Host
header directly.

Official document also only uses `Host` header and never mentioned
others.
 2024-09-20 14:57:55 +00:00
wxiaoguang
84cbb6c4d2 Fix duplicate sub-path for avatars (#31365) 
Fix #31361, and add tests

And this PR introduces an undocumented & debug-purpose-only config
option: `USE_SUB_URL_PATH`. It does nothing for end users, it only helps
the development of sub-path related problems.

And also fix #31366

Co-authored-by: @ExplodingDragon
 2024-06-15 11:43:57 +08:00
wxiaoguang
339bc8bc8f Improve reverse proxy documents and clarify the AppURL guessing behavior (#31003) 
Fix #31002

1. Mention Make sure `Host` and `X-Fowarded-Proto` headers are correctly passed to Gitea
2. Clarify the basic requirements and move the "general configuration" to the top
3. Add a comment for the "container registry"
4. Use 1.21 behavior if the reverse proxy is not correctly configured

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
 2024-05-19 14:56:08 +00:00
wxiaoguang
67c1a07285 Refactor AppURL usage (#30885) 
Fix #30883
Fix #29591

---------

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
 2024-05-07 08:26:13 +00:00
wxiaoguang
ca4107dc96 Refactor external URL detection (#29973) 
Follow #29960, `IsExternalURL` is not needed anymore. 
Add some tests for `RedirectToCurrentSite`
 2024-03-22 04:32:40 +08:00
wxiaoguang
01500957c2 Refactor URL detection (#29960) 
"Redirect" functions should only redirect if the target is for current Gitea site.
 2024-03-21 12:02:34 +00:00
wxiaoguang
b71cb7acdc Use fetch to send requests to create issues/comments (#25258) 
Follow #23290

Network error won't make content lost. And this is a much better
approach than "loading-button".

The UI is not perfect and there are still some TODOs, they can be done
in following PRs, not a must in this PR's scope.

<details>


![image](https://github.com/go-gitea/gitea/assets/2114189/c94ba958-aa46-4747-8ddf-6584deeed25c)

</details>
 2023-06-16 06:32:43 +00:00