1.6.0-RC2 Changelog (#5275)

* Add CSRF checking to reqToken and place CSRF in the post for deadline creation

Fixes #5226, #5249

* /api/v1/admin/users routes should have reqToken middleware

CHANGELOG.md

@@ -4,6 +4,23 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
 
+## [1.6.0-rc2](https://github.com/go-gitea/gitea/releases/tag/v1.6.0-rc2) - 2018-11-04
+* SECURITY
+  * Add CSRF checking to reqToken and add reqToken to admin API routes (#5272) (#5250)
+* FEATURE
+  * Add comment replies (#5147) (#5104)
+* BUGFIXES
+  * Fix wrong api request url for instances running in subfolders (#5261) (#5247)
+  * Accept web-command cli flags if web-command is commited (#5245) (#5200)
+  * Reduce join star, repo_topic, topic tables on repo search, to resolve extra columns problem on MSSQL (#5136) (#5229)
+  * Fix data race on migrate repository (#5224) (#5230)
+  * Add secret to all webhook's payload where it has been missing (#5208) (#5199)
+  * Fix sqlite and MSSQL lock (#5210) (#5223) (#5214) (#5218) (#5176) (#5179)
+  * Fix race on updatesize (#5190) (#5215)
+  * Fix filtering issues by tags on main screen issues (#5219) (#3824)
+  * Fix SQL quoting (#5137) (#5117)
+  * Fix regex to support optional end line of old section in diff hunk (#5097) (#5096)
+
 ## [1.6.0-rc1](https://github.com/go-gitea/gitea/releases/tag/v1.6.0-rc1) - 2018-10-17
 * BREAKING
   * Respect email privacy option in user search via API (#4512)

Gopkg.lock

@@ -11,11 +11,11 @@
 
 [[projects]]
   branch = "master"
-  digest = "1:5e7f14543006a44047fb1d0df16da08b2ebc2428f1fd53bd8af26a2b34928b11"
+  digest = "1:bf4f822f636b99ac7d4f8fa5210a7439bacaf8d1f15d5783956bdd5dd2069bdc"
   name = "code.gitea.io/sdk"
   packages = ["gitea"]
   pruneopts = "NUT"
-  revision = "021567c9c12fe289b8980c34e81e6684434dd082"
+  revision = "11c860c8e49a23be26e6d6c6a039a46ad2ae1d27"
 
 [[projects]]
   digest = "1:3fcef06a1a6561955c94af6c7757a6fa37605eb653f0d06ab960e5bb80092195"
@@ -342,14 +342,15 @@
   revision = "d8a0b8677191f4380287cfebd08e462217bac7ad"
 
 [[projects]]
-  digest = "1:b327ca585509a889130a8f51f43704a8fe03cb5cd281dbf1bc6405f5a7ea4702"
+  branch = "master"
+  digest = "1:8fea5718d84af17762195beb6fe92a0d6c1048452a1dbc464d227f12e0cff0cc"
   name = "github.com/go-macaron/session"
   packages = [
     ".",
     "redis",
   ]
   pruneopts = "NUT"
-  revision = "66031fcb37a0fff002a1f028eb0b3a815c78306b"
+  revision = "330e4e4d8beb7b00111ac34539561f46f94c4458"
 
 [[projects]]
   digest = "1:758d2371fcdee6d02565901b348729053c636055e67ef6e17aa466c7ff6cc57c"

integrations/api_admin_test.go

@@ -39,8 +39,8 @@ func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
 		OwnerID:     keyOwner.ID,
 	})
 
-	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token="+token,
+	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
-		keyOwner.Name, newPublicKey.ID)
+		keyOwner.Name, newPublicKey.ID, token)
 	session.MakeRequest(t, req, http.StatusNoContent)
 	models.AssertNotExistsBean(t, &models.PublicKey{ID: newPublicKey.ID})
 }
@@ -51,7 +51,7 @@ func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
 	session := loginUser(t, "user1")
 
 	token := getTokenForLoggedInUser(t, session)
-	req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token="+token, models.NonexistentID)
+	req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", models.NonexistentID, token)
 	session.MakeRequest(t, req, http.StatusNotFound)
 }
 
@@ -73,8 +73,8 @@ func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
 
 	session = loginUser(t, normalUsername)
 	token = getTokenForLoggedInUser(t, session)
-	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token="+token,
+	req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
-		adminUsername, newPublicKey.ID)
+		adminUsername, newPublicKey.ID, token)
 	session.MakeRequest(t, req, http.StatusForbidden)
 }
 

integrations/git_test.go

@@ -143,7 +143,8 @@ func TestGit(t *testing.T) {
 
 			session := loginUser(t, "user1")
 			keyOwner := models.AssertExistsAndLoadBean(t, &models.User{Name: "user2"}).(*models.User)
-			urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys", keyOwner.Name)
+			token := getTokenForLoggedInUser(t, session)
+			urlStr := fmt.Sprintf("/api/v1/admin/users/%s/keys?token=%s", keyOwner.Name, token)
 
 			dataPubKey, err := ioutil.ReadFile(keyFile + ".pub")
 			assert.NoError(t, err)

main.go

@@ -48,7 +48,7 @@ arguments - which can alternatively be run by running the subcommand web.`
 		cmd.CmdAdmin,
 		cmd.CmdGenerate,
 	}
-	app.Flags = append(app.Flags, []cli.Flag{}...)
+	app.Flags = append(app.Flags, cmd.CmdWeb.Flags...)
 	app.Action = cmd.CmdWeb.Action
 	err := app.Run(os.Args)
 	if err != nil {

models/git_diff.go

@@ -273,7 +273,7 @@ func (diff *Diff) NumFiles() int {
 }
 
 // Example: @@ -1,8 +1,9 @@ => [..., 1, 8, 1, 9]
-var hunkRegex = regexp.MustCompile(`^@@ -([0-9]+),([0-9]+) \+([0-9]+)(,([0-9]+))? @@`)
+var hunkRegex = regexp.MustCompile(`^@@ -(?P<beginOld>[0-9]+)(,(?P<endOld>[0-9]+))? \+(?P<beginNew>[0-9]+)(,(?P<endNew>[0-9]+))? @@`)
 
 func isHeader(lof string) bool {
 	return strings.HasPrefix(lof, cmdDiffHead) || strings.HasPrefix(lof, "---") || strings.HasPrefix(lof, "+++")
@@ -311,21 +311,28 @@ func CutDiffAroundLine(originalDiff io.Reader, line int64, old bool, numbersOfLi
 			if len(hunk) > headerLines {
 				break
 			}
-			groups := hunkRegex.FindStringSubmatch(lof)
+			// A map with named groups of our regex to recognize them later more easily
+			submatches := hunkRegex.FindStringSubmatch(lof)
+			groups := make(map[string]string)
+			for i, name := range hunkRegex.SubexpNames() {
+				if i != 0 && name != "" {
+					groups[name] = submatches[i]
+				}
+			}
 			if old {
-				begin = com.StrTo(groups[1]).MustInt64()
+				begin = com.StrTo(groups["beginOld"]).MustInt64()
-				end = com.StrTo(groups[2]).MustInt64()
+				end = com.StrTo(groups["endOld"]).MustInt64()
 				// init otherLine with begin of opposite side
-				otherLine = com.StrTo(groups[3]).MustInt64()
+				otherLine = com.StrTo(groups["beginNew"]).MustInt64()
 			} else {
-				begin = com.StrTo(groups[3]).MustInt64()
+				begin = com.StrTo(groups["beginNew"]).MustInt64()
-				if groups[5] != "" {
+				if groups["endNew"] != "" {
-					end = com.StrTo(groups[5]).MustInt64()
+					end = com.StrTo(groups["endNew"]).MustInt64()
 				} else {
 					end = 0
 				}
 				// init otherLine with begin of opposite side
-				otherLine = com.StrTo(groups[1]).MustInt64()
+				otherLine = com.StrTo(groups["beginOld"]).MustInt64()
 			}
 			end += begin // end is for real only the number of lines in hunk
 			// lof is between begin and end

models/notification.go

@@ -123,10 +123,10 @@ func createOrUpdateIssueNotifications(e Engine, issue *Issue, notificationAuthor
 
 	for _, watch := range watches {
 		issue.Repo.Units = nil
-		if issue.IsPull && !issue.Repo.CheckUnitUser(watch.UserID, false, UnitTypePullRequests) {
+		if issue.IsPull && !issue.Repo.checkUnitUser(e, watch.UserID, false, UnitTypePullRequests) {
 			continue
 		}
-		if !issue.IsPull && !issue.Repo.CheckUnitUser(watch.UserID, false, UnitTypeIssues) {
+		if !issue.IsPull && !issue.Repo.checkUnitUser(e, watch.UserID, false, UnitTypeIssues) {
 			continue
 		}
 

models/org.go

@@ -460,21 +460,21 @@ func removeOrgUser(sess *xorm.Session, orgID, userID int64) error {
 		return nil
 	}
 
-	org, err := GetUserByID(orgID)
+	org, err := getUserByID(sess, orgID)
 	if err != nil {
 		return fmt.Errorf("GetUserByID [%d]: %v", orgID, err)
 	}
 
 	// Check if the user to delete is the last member in owner team.
-	if isOwner, err := IsOrganizationOwner(orgID, userID); err != nil {
+	if isOwner, err := isOrganizationOwner(sess, orgID, userID); err != nil {
 		return err
 	} else if isOwner {
-		t, err := org.GetOwnerTeam()
+		t, err := org.getOwnerTeam(sess)
 		if err != nil {
 			return err
 		}
 		if t.NumMembers == 1 {
-			if err := t.GetMembers(); err != nil {
+			if err := t.getMembers(sess); err != nil {
 				return err
 			}
 			if t.Members[0].ID == userID {
@@ -490,7 +490,7 @@ func removeOrgUser(sess *xorm.Session, orgID, userID int64) error {
 	}
 
 	// Delete all repository accesses and unwatch them.
-	env, err := org.AccessibleReposEnv(userID)
+	env, err := org.accessibleReposEnv(sess, userID)
 	if err != nil {
 		return fmt.Errorf("AccessibleReposEnv: %v", err)
 	}
@@ -618,16 +618,26 @@ type accessibleReposEnv struct {
 	org     *User
 	userID  int64
 	teamIDs []int64
+	e       Engine
 }
 
 // AccessibleReposEnv an AccessibleReposEnvironment for the repositories in `org`
 // that are accessible to the specified user.
 func (org *User) AccessibleReposEnv(userID int64) (AccessibleReposEnvironment, error) {
-	teamIDs, err := org.GetUserTeamIDs(userID)
+	return org.accessibleReposEnv(x, userID)
+}
+
+func (org *User) accessibleReposEnv(e Engine, userID int64) (AccessibleReposEnvironment, error) {
+	teamIDs, err := org.getUserTeamIDs(e, userID)
 	if err != nil {
 		return nil, err
 	}
-	return &accessibleReposEnv{org: org, userID: userID, teamIDs: teamIDs}, nil
+	return &accessibleReposEnv{
+		org:     org,
+		userID:  userID,
+		teamIDs: teamIDs,
+		e:       e,
+	}, nil
 }
 
 func (env *accessibleReposEnv) cond() builder.Cond {
@@ -642,7 +652,7 @@ func (env *accessibleReposEnv) cond() builder.Cond {
 }
 
 func (env *accessibleReposEnv) CountRepos() (int64, error) {
-	repoCount, err := x.
+	repoCount, err := env.e.
 		Join("INNER", "team_repo", "`team_repo`.repo_id=`repository`.id").
 		Where(env.cond()).
 		Distinct("`repository`.id").
@@ -659,7 +669,7 @@ func (env *accessibleReposEnv) RepoIDs(page, pageSize int) ([]int64, error) {
 	}
 
 	repoIDs := make([]int64, 0, pageSize)
-	return repoIDs, x.
+	return repoIDs, env.e.
 		Table("repository").
 		Join("INNER", "team_repo", "`team_repo`.repo_id=`repository`.id").
 		Where(env.cond()).
@@ -681,14 +691,14 @@ func (env *accessibleReposEnv) Repos(page, pageSize int) ([]*Repository, error)
 		return repos, nil
 	}
 
-	return repos, x.
+	return repos, env.e.
 		In("`repository`.id", repoIDs).
 		Find(&repos)
 }
 
 func (env *accessibleReposEnv) MirrorRepoIDs() ([]int64, error) {
 	repoIDs := make([]int64, 0, 10)
-	return repoIDs, x.
+	return repoIDs, env.e.
 		Table("repository").
 		Join("INNER", "team_repo", "`team_repo`.repo_id=`repository`.id AND `repository`.is_mirror=?", true).
 		Where(env.cond()).
@@ -709,7 +719,7 @@ func (env *accessibleReposEnv) MirrorRepos() ([]*Repository, error) {
 		return repos, nil
 	}
 
-	return repos, x.
+	return repos, env.e.
 		In("`repository`.id", repoIDs).
 		Find(&repos)
 }

models/org_team.go

@@ -215,7 +215,11 @@ func (t *Team) RemoveRepository(repoID int64) error {
 
 // UnitEnabled returns if the team has the given unit type enabled
 func (t *Team) UnitEnabled(tp UnitType) bool {
-	if err := t.getUnits(x); err != nil {
+	return t.unitEnabled(x, tp)
+}
+
+func (t *Team) unitEnabled(e Engine, tp UnitType) bool {
+	if err := t.getUnits(e); err != nil {
 		log.Warn("Error loading repository (ID: %d) units: %s", t.ID, err.Error())
 	}
 

models/repo.go

@@ -321,7 +321,11 @@ func (repo *Repository) getUnits(e Engine) (err error) {
 
 // CheckUnitUser check whether user could visit the unit of this repository
 func (repo *Repository) CheckUnitUser(userID int64, isAdmin bool, unitType UnitType) bool {
-	if err := repo.getUnitsByUserID(x, userID, isAdmin); err != nil {
+	return repo.checkUnitUser(x, userID, isAdmin, unitType)
+}
+
+func (repo *Repository) checkUnitUser(e Engine, userID int64, isAdmin bool, unitType UnitType) bool {
+	if err := repo.getUnitsByUserID(e, userID, isAdmin); err != nil {
 		return false
 	}
 
@@ -369,7 +373,7 @@ func (repo *Repository) getUnitsByUserID(e Engine, userID int64, isAdmin bool) (
 	var newRepoUnits = make([]*RepoUnit, 0, len(repo.Units))
 	for _, u := range repo.Units {
 		for _, team := range teams {
-			if team.UnitEnabled(u.Type) {
+			if team.unitEnabled(e, u.Type) {
 				newRepoUnits = append(newRepoUnits, u)
 				break
 			}
@@ -677,7 +681,7 @@ func (repo *Repository) IsOwnedBy(userID int64) bool {
 }
 
 func (repo *Repository) updateSize(e Engine) error {
-	repoInfoSize, err := git.GetRepoSize(repo.RepoPath())
+	repoInfoSize, err := git.GetRepoSize(repo.repoPath(e))
 	if err != nil {
 		return fmt.Errorf("UpdateSize: %v", err)
 	}
@@ -1031,7 +1035,6 @@ func MigrateRepository(doer, u *User, opts MigrateRepoOptions) (*Repository, err
 		if err = SyncReleasesWithTags(repo, gitRepo); err != nil {
 			log.Error(4, "Failed to synchronize tags to releases for repository: %v", err)
 		}
-		UpdateRepoIndexer(repo)
 	}
 
 	if err = repo.UpdateSize(); err != nil {
@@ -1049,10 +1052,16 @@ func MigrateRepository(doer, u *User, opts MigrateRepoOptions) (*Repository, err
 		}
 
 		repo.IsMirror = true
-		return repo, UpdateRepository(repo, false)
+		err = UpdateRepository(repo, false)
+	} else {
+		repo, err = CleanUpMigrateInfo(repo)
 	}
 
-	return CleanUpMigrateInfo(repo)
+	if err != nil && !repo.IsBare {
+		UpdateRepoIndexer(repo)
+	}
+
+	return repo, err
 }
 
 // cleanUpMigrateGitConfig removes mirror info which prevents "push --all".
@@ -1705,7 +1714,7 @@ func updateRepository(e Engine, repo *Repository, visibilityChanged bool) (err e
 		}
 
 		// Create/Remove git-daemon-export-ok for git-daemon...
-		daemonExportFile := path.Join(repo.RepoPath(), `git-daemon-export-ok`)
+		daemonExportFile := path.Join(repo.repoPath(e), `git-daemon-export-ok`)
 		if repo.IsPrivate && com.IsExist(daemonExportFile) {
 			if err = os.Remove(daemonExportFile); err != nil {
 				log.Error(4, "Failed to remove %s: %v", daemonExportFile, err)
@@ -2447,7 +2456,7 @@ func ForkRepository(doer, u *User, oldRepo *Repository, name, desc string) (_ *R
 	repoPath := RepoPath(u.Name, repo.Name)
 	_, stderr, err := process.GetManager().ExecTimeout(10*time.Minute,
 		fmt.Sprintf("ForkRepository(git clone): %s/%s", u.Name, repo.Name),
-		"git", "clone", "--bare", oldRepo.RepoPath(), repoPath)
+		"git", "clone", "--bare", oldRepo.repoPath(sess), repoPath)
 	if err != nil {
 		return nil, fmt.Errorf("git clone: %v", stderr)
 	}

models/repo_list.go

@@ -173,11 +173,9 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
 		cond = cond.And(builder.Eq{"is_private": false})
 	}
 
-	var starred bool
 	if opts.OwnerID > 0 {
 		if opts.Starred {
-			starred = true
+			cond = cond.And(builder.In("id", builder.Select("repo_id").From("star").Where(builder.Eq{"uid": opts.OwnerID})))
-			cond = builder.Eq{"star.uid": opts.OwnerID}
 		} else {
 			var accessCond = builder.NewCond()
 			if opts.Collaborate != util.OptionalBoolTrue {
@@ -204,12 +202,23 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
 	}
 
 	if opts.Keyword != "" {
-		var keywordCond = builder.NewCond()
+		// separate keyword
-		if opts.TopicOnly {
+		var subQueryCond = builder.NewCond()
-			keywordCond = keywordCond.Or(builder.Like{"topic.name", strings.ToLower(opts.Keyword)})
+		for _, v := range strings.Split(opts.Keyword, ",") {
-		} else {
+			subQueryCond = subQueryCond.Or(builder.Like{"topic.name", strings.ToLower(v)})
-			keywordCond = keywordCond.Or(builder.Like{"lower_name", strings.ToLower(opts.Keyword)})
+		}
-			keywordCond = keywordCond.Or(builder.Like{"topic.name", strings.ToLower(opts.Keyword)})
+		subQuery := builder.Select("repo_topic.repo_id").From("repo_topic").
+			Join("INNER", "topic", "topic.id = repo_topic.topic_id").
+			Where(subQueryCond).
+			GroupBy("repo_topic.repo_id")
+
+		var keywordCond = builder.In("id", subQuery)
+		if !opts.TopicOnly {
+			var likes = builder.NewCond()
+			for _, v := range strings.Split(opts.Keyword, ",") {
+				likes = likes.Or(builder.Like{"lower_name", strings.ToLower(v)})
+			}
+			keywordCond = keywordCond.Or(likes)
 		}
 		cond = cond.And(keywordCond)
 	}
@@ -229,15 +238,6 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
 	sess := x.NewSession()
 	defer sess.Close()
 
-	if starred {
-		sess.Join("INNER", "star", "star.repo_id = repository.id")
-	}
-
-	if opts.Keyword != "" {
-		sess.Join("LEFT", "repo_topic", "repo_topic.repo_id = repository.id")
-		sess.Join("LEFT", "topic", "repo_topic.topic_id = topic.id")
-	}
-
 	count, err := sess.
 		Where(cond).
 		Count(new(Repository))
@@ -246,27 +246,10 @@ func SearchRepositoryByName(opts *SearchRepoOptions) (RepositoryList, int64, err
 		return nil, 0, fmt.Errorf("Count: %v", err)
 	}
 
-	// Set again after reset by Count()
-	if starred {
-		sess.Join("INNER", "star", "star.repo_id = repository.id")
-	}
-
-	if opts.Keyword != "" {
-		sess.Join("LEFT", "repo_topic", "repo_topic.repo_id = repository.id")
-		sess.Join("LEFT", "topic", "repo_topic.topic_id = topic.id")
-	}
-
-	if opts.Keyword != "" {
-		sess.Select("repository.*")
-		sess.GroupBy("repository.id")
-		sess.OrderBy("repository." + opts.OrderBy.String())
-	} else {
-		sess.OrderBy(opts.OrderBy.String())
-	}
-
 	repos := make(RepositoryList, 0, opts.PageSize)
 	if err = sess.
 		Where(cond).
+		OrderBy(opts.OrderBy.String()).
 		Limit(opts.PageSize, (opts.Page-1)*opts.PageSize).
 		Find(&repos); err != nil {
 		return nil, 0, fmt.Errorf("Repo: %v", err)

models/repo_list_test.go

@@ -237,6 +237,9 @@ func TestSearchRepositoryByTopicName(t *testing.T) {
 		{name: "AllPublic/OnlySearchPublicRepositoriesFromTopic",
 			opts:  &SearchRepoOptions{OwnerID: 21, AllPublic: true, Keyword: "graphql", TopicOnly: true},
 			count: 1},
+		{name: "AllPublic/OnlySearchMultipleKeywordPublicRepositoriesFromTopic",
+			opts:  &SearchRepoOptions{OwnerID: 21, AllPublic: true, Keyword: "graphql,golang", TopicOnly: true},
+			count: 2},
 	}
 
 	for _, testCase := range testCases {

models/status.go

@@ -197,14 +197,15 @@ func newCommitStatus(sess *xorm.Session, opts NewCommitStatusOptions) error {
 		return fmt.Errorf("newCommitStatus[nil, %s]: no repository specified", opts.SHA)
 	}
 	opts.CommitStatus.RepoID = opts.Repo.ID
+	repoPath := opts.Repo.repoPath(sess)
 
 	if opts.Creator == nil {
-		return fmt.Errorf("newCommitStatus[%s, %s]: no user specified", opts.Repo.RepoPath(), opts.SHA)
+		return fmt.Errorf("newCommitStatus[%s, %s]: no user specified", repoPath, opts.SHA)
 	}
 
-	gitRepo, err := git.OpenRepository(opts.Repo.RepoPath())
+	gitRepo, err := git.OpenRepository(repoPath)
 	if err != nil {
-		return fmt.Errorf("OpenRepository[%s]: %v", opts.Repo.RepoPath(), err)
+		return fmt.Errorf("OpenRepository[%s]: %v", repoPath, err)
 	}
 	if _, err := gitRepo.GetCommit(opts.SHA); err != nil {
 		return fmt.Errorf("GetCommit[%s]: %v", opts.SHA, err)
@@ -219,19 +220,19 @@ func newCommitStatus(sess *xorm.Session, opts NewCommitStatusOptions) error {
 	has, err := sess.Desc("index").Limit(1).Get(lastCommitStatus)
 	if err != nil {
 		sess.Rollback()
-		return fmt.Errorf("newCommitStatus[%s, %s]: %v", opts.Repo.RepoPath(), opts.SHA, err)
+		return fmt.Errorf("newCommitStatus[%s, %s]: %v", repoPath, opts.SHA, err)
 	}
 	if has {
-		log.Debug("newCommitStatus[%s, %s]: found", opts.Repo.RepoPath(), opts.SHA)
+		log.Debug("newCommitStatus[%s, %s]: found", repoPath, opts.SHA)
 		nextIndex = lastCommitStatus.Index
 	}
 	opts.CommitStatus.Index = nextIndex + 1
-	log.Debug("newCommitStatus[%s, %s]: %d", opts.Repo.RepoPath(), opts.SHA, opts.CommitStatus.Index)
+	log.Debug("newCommitStatus[%s, %s]: %d", repoPath, opts.SHA, opts.CommitStatus.Index)
 
 	// Insert new CommitStatus
 	if _, err = sess.Insert(opts.CommitStatus); err != nil {
 		sess.Rollback()
-		return fmt.Errorf("newCommitStatus[%s, %s]: %v", opts.Repo.RepoPath(), opts.SHA, err)
+		return fmt.Errorf("newCommitStatus[%s, %s]: %v", repoPath, opts.SHA, err)
 	}
 
 	return nil

models/user_openid.go

@@ -93,7 +93,7 @@ func DeleteUserOpenID(openid *UserOpenID) (err error) {
 
 // ToggleUserOpenIDVisibility toggles visibility of an openid address of given user.
 func ToggleUserOpenIDVisibility(id int64) (err error) {
-	_, err = x.Exec("update user_open_id set show = not show where id = ?", id)
+	_, err = x.Exec("update `user_open_id` set `show` = not `show` where `id` = ?", id)
 	return err
 }
 

modules/auth/repo_form.go

@@ -377,6 +377,7 @@ type CodeCommentForm struct {
 	Line     int64
 	TreePath string `form:"path" binding:"Required"`
 	IsReview bool   `form:"is_review"`
+	Reply    int64  `form:"reply"`
 }
 
 // Validate validates the fields

modules/context/api.go

@@ -8,6 +8,8 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/go-macaron/csrf"
+
 	"code.gitea.io/git"
 	"code.gitea.io/gitea/models"
 	"code.gitea.io/gitea/modules/base"
@@ -97,6 +99,17 @@ func (ctx *APIContext) SetLinkHeader(total, pageSize int) {
 	}
 }
 
+// RequireCSRF requires a validated a CSRF token
+func (ctx *APIContext) RequireCSRF() {
+	headerToken := ctx.Req.Header.Get(ctx.csrf.GetHeaderName())
+	formValueToken := ctx.Req.FormValue(ctx.csrf.GetFormName())
+	if len(headerToken) > 0 || len(formValueToken) > 0 {
+		csrf.Validate(ctx.Context.Context, ctx.csrf)
+	} else {
+		ctx.Context.Error(401)
+	}
+}
+
 // APIContexter returns apicontext as macaron middleware
 func APIContexter() macaron.Handler {
 	return func(c *Context) {

public/js/index.js

@@ -2590,6 +2590,10 @@ function updateDeadline(deadlineString) {
         data: JSON.stringify({
             'due_date': realDeadline,
         }),
+        headers: {
+            'X-Csrf-Token': csrf,
+            'X-Remote': true,
+        },
         contentType: 'application/json',
         type: 'POST',
         success: function () {
@@ -2621,7 +2625,7 @@ function initIssueList() {
     $('.new-dependency-drop-list')
         .dropdown({
             apiSettings: {
-                url: '/api/v1/repos' + repolink + '/issues?q={query}',
+                url: suburl + '/api/v1/repos' + repolink + '/issues?q={query}',
                 onResponse: function(response) {
                     var filteredResponse = {'success': true, 'results': []};
                     // Parse the response from the api to work with our dropdown

routers/api/v1/api.go

@@ -174,11 +174,15 @@ func repoAssignment() macaron.Handler {
 
 // Contexter middleware already checks token for user sign in process.
 func reqToken() macaron.Handler {
-	return func(ctx *context.Context) {
+	return func(ctx *context.APIContext) {
-		if true != ctx.Data["IsApiToken"] {
+		if true == ctx.Data["IsApiToken"] {
-			ctx.Error(401)
 			return
 		}
+		if ctx.IsSigned {
+			ctx.RequireCSRF()
+			return
+		}
+		ctx.Context.Error(401)
 	}
 }
 
@@ -627,7 +631,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 					m.Post("/repos", bind(api.CreateRepoOption{}), admin.CreateRepo)
 				})
 			})
-		}, reqAdmin())
+		}, reqToken(), reqAdmin())
 
 		m.Group("/topics", func() {
 			m.Get("/search", repo.TopicSearch)

routers/repo/pull_review.go

@@ -63,6 +63,9 @@ func CreateCodeComment(ctx *context.Context, form auth.CodeCommentForm) {
 			}
 		}
 	}
+	if review.ID == 0 {
+		review.ID = form.Reply
+	}
 	//FIXME check if line, commit and treepath exist
 	comment, err := models.CreateCodeComment(
 		ctx.User,
@@ -78,7 +81,7 @@ func CreateCodeComment(ctx *context.Context, form auth.CodeCommentForm) {
 		return
 	}
 	// Send no notification if comment is pending
-	if !form.IsReview {
+	if !form.IsReview || form.Reply != 0 {
 		notification.Service.NotifyIssue(issue, ctx.User.ID)
 	}
 

routers/user/home.go

@@ -253,6 +253,8 @@ func Issues(ctx *context.Context) {
 
 	opts.Page = page
 	opts.PageSize = setting.UI.IssuePagingNum
+	opts.Labels = ctx.Query("labels")
+
 	issues, err := models.Issues(opts)
 	if err != nil {
 		ctx.ServerError("Issues", err)

templates/repo/diff/box.tmpl

@@ -151,7 +151,7 @@
 																			{{ template "repo/diff/comments" dict "root" $ "comments" $line.Comments}}
 																			</ui>
 																		</div>
-																	{{template "repo/diff/comment_form_datahandler" dict "hidden" true "root" $ "comment" (index $line.Comments 0)}}
+																	{{template "repo/diff/comment_form_datahandler" dict "reply" (index $line.Comments 0).ReviewID "hidden" true "root" $ "comment" (index $line.Comments 0)}}
 																	</div>
 																{{end}}
 															</td>
@@ -164,7 +164,7 @@
 																			{{ template "repo/diff/comments" dict "root" $ "comments" $line.Comments}}
 																			</ui>
 																		</div>
-																		{{template "repo/diff/comment_form_datahandler" dict "hidden" true "root" $ "comment" (index $line.Comments 0)}}
+																		{{template "repo/diff/comment_form_datahandler" dict "reply" (index $line.Comments 0).ReviewID "hidden" true "root" $ "comment" (index $line.Comments 0)}}
 																	</div>
 																{{end}}
 															</td>

templates/repo/diff/comment_form.tmpl

@@ -25,19 +25,19 @@
 		<div class="footer">
 			<span class="markdown-info"><i class="octicon octicon-markdown"></i> {{$.root.i18n.Tr "repo.diff.comment.markdown_info"}}</span>
 			<div class="ui right floated">
-				{{if not $.reply}}
+				{{if $.reply}}
+					<button name="reply" value="{{$.reply}}" class="ui submit green tiny button btn-reply">{{$.root.i18n.Tr "repo.diff.comment.reply"}}</button>
+				{{else}}
 					{{if $.root.CurrentReview}}
 						<button name="is_review" value="true" type="submit"
 								class="ui submit green tiny button btn-add-comment">{{$.root.i18n.Tr "repo.diff.comment.add_review_comment"}}</button>
 					{{else}}
 						<button name="is_review" value="true"  type="submit"
 								class="ui submit green tiny button btn-start-review">{{$.root.i18n.Tr "repo.diff.comment.start_review"}}</button>
-					{{end}}
-				{{end}}
-				{{if not $.root.CurrentReview}}
 						<button type="submit"
 								class="ui submit tiny basic button btn-add-single">{{$.root.i18n.Tr "repo.diff.comment.add_single_comment"}}</button>
 					{{end}}
+				{{end}}
 				{{if or (not $.HasComments) $.hidden}}
 					<button type="button" class="ui submit tiny basic button btn-cancel" onclick="cancelCodeComment(this);">{{$.root.i18n.Tr "cancel"}}</button>
 				{{end}}

templates/repo/diff/section_unified.tmpl

@@ -32,7 +32,7 @@
 						{{ template "repo/diff/comments" dict "root" $.root "comments" $line.Comments}}
 						</ui>
 					</div>
-					{{template "repo/diff/comment_form_datahandler" dict "hidden" true "root" $.root "comment" (index $line.Comments 0)}}
+					{{template "repo/diff/comment_form_datahandler" dict "hidden" true "reply" (index $line.Comments 0).ReviewID "root" $.root "comment" (index $line.Comments 0)}}
 				</div>
 			</td>
 		</tr>

templates/repo/issue/view_content/comments.tmpl

@@ -342,7 +342,7 @@
 										</div>
 									{{end}}
 								</div>
-								{{template "repo/diff/comment_form_datahandler" dict "hidden" true "reply" true "root" $ "comment" (index $comms 0)}}
+								{{template "repo/diff/comment_form_datahandler" dict "hidden" true "reply" (index $comms 0).ReviewID "root" $ "comment" (index $comms 0)}}
 							</div>
 						</div>
 				{{end}}

templates/swagger/v1_json.tmpl

@@ -6198,6 +6198,10 @@
           "format": "date-time",
           "x-go-name": "Created"
         },
+        "fingerprint": {
+          "type": "string",
+          "x-go-name": "Fingerprint"
+        },
         "id": {
           "type": "integer",
           "format": "int64",
@@ -6207,10 +6211,18 @@
           "type": "string",
           "x-go-name": "Key"
         },
+        "key_id": {
+          "type": "integer",
+          "format": "int64",
+          "x-go-name": "KeyID"
+        },
         "read_only": {
           "type": "boolean",
           "x-go-name": "ReadOnly"
         },
+        "repository": {
+          "$ref": "#/definitions/Repository"
+        },
         "title": {
           "type": "string",
           "x-go-name": "Title"
@@ -7092,6 +7104,14 @@
           "type": "string",
           "x-go-name": "Key"
         },
+        "key_type": {
+          "type": "string",
+          "x-go-name": "KeyType"
+        },
+        "read_only": {
+          "type": "boolean",
+          "x-go-name": "ReadOnly"
+        },
         "title": {
           "type": "string",
           "x-go-name": "Title"
@@ -7099,6 +7119,9 @@
         "url": {
           "type": "string",
           "x-go-name": "URL"
+        },
+        "user": {
+          "$ref": "#/definitions/User"
         }
       },
       "x-go-package": "code.gitea.io/gitea/vendor/code.gitea.io/sdk/gitea"
@@ -7313,6 +7336,10 @@
       "description": "Repository represents a repository",
       "type": "object",
       "properties": {
+        "archived": {
+          "type": "boolean",
+          "x-go-name": "Archived"
+        },
         "clone_url": {
           "type": "string",
           "x-go-name": "CloneURL"

templates/user/dashboard/issues.tmpl

@@ -71,7 +71,7 @@
 								especially on mobile views. */}}
 								<span style="line-height: 2.5">
 									{{range .}}
-										<a class="ui label" href="{{$.Link}}?q={{$.Keyword}}&type={{$.ViewType}}&state={{$.State}}&labels={{.ID}}&milestone={{$.MilestoneID}}&assignee={{$.AssigneeID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}}" title="{{.Description}}">{{.Name}}</a>
+										<a class="ui label" href="{{$.Link}}?q={{$.Keyword}}&type={{$.ViewType}}&state={{$.State}}&labels={{.ID}}&milestone={{$.MilestoneID}}&assignee={{$.AssigneeID}}&repo={{$.RepoID}}" style="color: {{.ForegroundColor}}; background-color: {{.Color}}" title="{{.Description}}">{{.Name}}</a>
 									{{end}}
 								</span>
 							{{end}}

vendor/code.gitea.io/sdk/gitea/hook.go

@@ -199,7 +199,7 @@ type CreatePayload struct {
 	Sender  *User       `json:"sender"`
 }
 
-// SetSecret FIXME
+// SetSecret modifies the secret of the CreatePayload
 func (p *CreatePayload) SetSecret(secret string) {
 	p.Secret = secret
 }
@@ -246,6 +246,7 @@ const (
 
 // DeletePayload represents delete payload
 type DeletePayload struct {
+	Secret     string      `json:"secret"`
 	Ref        string      `json:"ref"`
 	RefType    string      `json:"ref_type"`
 	PusherType PusherType  `json:"pusher_type"`
@@ -253,8 +254,9 @@ type DeletePayload struct {
 	Sender     *User       `json:"sender"`
 }
 
-// SetSecret implements Payload
+// SetSecret modifies the secret of the DeletePayload
 func (p *DeletePayload) SetSecret(secret string) {
+	p.Secret = secret
 }
 
 // JSONPayload implements Payload
@@ -271,13 +273,15 @@ func (p *DeletePayload) JSONPayload() ([]byte, error) {
 
 // ForkPayload represents fork payload
 type ForkPayload struct {
+	Secret string      `json:"secret"`
 	Forkee *Repository `json:"forkee"`
 	Repo   *Repository `json:"repository"`
 	Sender *User       `json:"sender"`
 }
 
-// SetSecret implements Payload
+// SetSecret modifies the secret of the ForkPayload
 func (p *ForkPayload) SetSecret(secret string) {
+	p.Secret = secret
 }
 
 // JSONPayload implements Payload
@@ -297,6 +301,7 @@ const (
 
 // IssueCommentPayload represents a payload information of issue comment event.
 type IssueCommentPayload struct {
+	Secret     string                 `json:"secret"`
 	Action     HookIssueCommentAction `json:"action"`
 	Issue      *Issue                 `json:"issue"`
 	Comment    *Comment               `json:"comment"`
@@ -305,8 +310,9 @@ type IssueCommentPayload struct {
 	Sender     *User                  `json:"sender"`
 }
 
-// SetSecret implements Payload
+// SetSecret modifies the secret of the IssueCommentPayload
 func (p *IssueCommentPayload) SetSecret(secret string) {
+	p.Secret = secret
 }
 
 // JSONPayload implements Payload
@@ -333,14 +339,16 @@ const (
 
 // ReleasePayload represents a payload information of release event.
 type ReleasePayload struct {
+	Secret     string            `json:"secret"`
 	Action     HookReleaseAction `json:"action"`
 	Release    *Release          `json:"release"`
 	Repository *Repository       `json:"repository"`
 	Sender     *User             `json:"sender"`
 }
 
-// SetSecret implements Payload
+// SetSecret modifies the secret of the ReleasePayload
 func (p *ReleasePayload) SetSecret(secret string) {
+	p.Secret = secret
 }
 
 // JSONPayload implements Payload
@@ -368,7 +376,7 @@ type PushPayload struct {
 	Sender     *User            `json:"sender"`
 }
 
-// SetSecret FIXME
+// SetSecret modifies the secret of the PushPayload
 func (p *PushPayload) SetSecret(secret string) {
 	p.Secret = secret
 }
@@ -520,7 +528,7 @@ type RepositoryPayload struct {
 	Sender       *User          `json:"sender"`
 }
 
-// SetSecret set the payload's secret
+// SetSecret modifies the secret of the RepositoryPayload
 func (p *RepositoryPayload) SetSecret(secret string) {
 	p.Secret = secret
 }

vendor/code.gitea.io/sdk/gitea/issue.go

@@ -152,3 +152,9 @@ type IssueDeadline struct {
 	// swagger:strfmt date-time
 	Deadline *time.Time `json:"due_date"`
 }
+
+// EditPriorityOption options for updating priority
+type EditPriorityOption struct {
+	// required:true
+	Priority int `json:"priority"`
+}

vendor/code.gitea.io/sdk/gitea/repo.go

@@ -40,6 +40,7 @@ type Repository struct {
 	Watchers      int         `json:"watchers_count"`
 	OpenIssues    int         `json:"open_issues_count"`
 	DefaultBranch string      `json:"default_branch"`
+	Archived      bool        `json:"archived"`
 	// swagger:strfmt date-time
 	Created time.Time `json:"created_at"`
 	// swagger:strfmt date-time

vendor/code.gitea.io/sdk/gitea/repo_key.go

@@ -14,12 +14,15 @@ import (
 // DeployKey a deploy key
 type DeployKey struct {
 	ID          int64  `json:"id"`
+	KeyID       int64  `json:"key_id"`
 	Key         string `json:"key"`
 	URL         string `json:"url"`
 	Title       string `json:"title"`
+	Fingerprint string `json:"fingerprint"`
 	// swagger:strfmt date-time
 	Created    time.Time   `json:"created_at"`
 	ReadOnly   bool        `json:"read_only"`
+	Repository *Repository `json:"repository,omitempty"`
 }
 
 // ListDeployKeys list all the deploy keys of one repository

vendor/code.gitea.io/sdk/gitea/user_key.go

@@ -20,6 +20,9 @@ type PublicKey struct {
 	Fingerprint string `json:"fingerprint,omitempty"`
 	// swagger:strfmt date-time
 	Created  time.Time `json:"created_at,omitempty"`
+	Owner    *User     `json:"user,omitempty"`
+	ReadOnly bool      `json:"read_only,omitempty"`
+	KeyType  string    `json:"key_type,omitempty"`
 }
 
 // ListPublicKeys list all the public keys of the user

vendor/github.com/go-macaron/session/file.go

@@ -86,7 +86,7 @@ func (s *FileStore) Release() error {
 		return err
 	}
 
-	return ioutil.WriteFile(s.p.filepath(s.sid), data, os.ModePerm)
+	return ioutil.WriteFile(s.p.filepath(s.sid), data, 0600)
 }
 
 // Flush deletes all session data.
@@ -121,7 +121,7 @@ func (p *FileProvider) filepath(sid string) string {
 // Read returns raw session store by session ID.
 func (p *FileProvider) Read(sid string) (_ RawStore, err error) {
 	filename := p.filepath(sid)
-	if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil {
+	if err = os.MkdirAll(path.Dir(filename), 0700); err != nil {
 		return nil, err
 	}
 	p.lock.RLock()
@@ -129,7 +129,7 @@ func (p *FileProvider) Read(sid string) (_ RawStore, err error) {
 
 	var f *os.File
 	if com.IsFile(filename) {
-		f, err = os.OpenFile(filename, os.O_RDWR, os.ModePerm)
+		f, err = os.OpenFile(filename, os.O_RDONLY, 0600)
 	} else {
 		f, err = os.Create(filename)
 	}
@@ -187,15 +187,15 @@ func (p *FileProvider) regenerate(oldsid, sid string) (err error) {
 		if err != nil {
 			return err
 		}
-		if err = os.MkdirAll(path.Dir(oldname), os.ModePerm); err != nil {
+		if err = os.MkdirAll(path.Dir(oldname), 0700); err != nil {
 			return err
 		}
-		if err = ioutil.WriteFile(oldname, data, os.ModePerm); err != nil {
+		if err = ioutil.WriteFile(oldname, data, 0600); err != nil {
 			return err
 		}
 	}
 
-	if err = os.MkdirAll(path.Dir(filename), os.ModePerm); err != nil {
+	if err = os.MkdirAll(path.Dir(filename), 0700); err != nil {
 		return err
 	}
 	if err = os.Rename(oldname, filename); err != nil {

vendor/github.com/go-macaron/session/session.go

@@ -18,15 +18,17 @@ package session
 
 import (
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"
 	"time"
 
 	"gopkg.in/macaron.v1"
 )
 
-const _VERSION = "0.3.0"
+const _VERSION = "0.4.0"
 
 func Version() string {
 	return _VERSION
@@ -245,8 +247,8 @@ func NewManager(name string, opt Options) (*Manager, error) {
 	return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
 }
 
-// sessionId generates a new session ID with rand string, unix nano time, remote addr by hash function.
+// sessionID generates a new session ID with rand string, unix nano time, remote addr by hash function.
-func (m *Manager) sessionId() string {
+func (m *Manager) sessionID() string {
 	return hex.EncodeToString(generateRandomKey(m.opt.IDLength / 2))
 }
 
@@ -255,10 +257,10 @@ func (m *Manager) sessionId() string {
 func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
 	sid := ctx.GetCookie(m.opt.CookieName)
 	if len(sid) > 0 && m.provider.Exist(sid) {
-		return m.provider.Read(sid)
+		return m.Read(sid)
 	}
 
-	sid = m.sessionId()
+	sid = m.sessionID()
 	sess, err := m.provider.Read(sid)
 	if err != nil {
 		return nil, err
@@ -282,6 +284,12 @@ func (m *Manager) Start(ctx *macaron.Context) (RawStore, error) {
 
 // Read returns raw session store by session ID.
 func (m *Manager) Read(sid string) (RawStore, error) {
+	// No slashes or dots "./" should ever occur in the sid and to prevent session file forgery bug.
+	// See https://github.com/gogs/gogs/issues/5469
+	if strings.ContainsAny(sid, "./") {
+		return nil, errors.New("invalid 'sid': " + sid)
+	}
+
 	return m.provider.Read(sid)
 }
 
@@ -308,7 +316,7 @@ func (m *Manager) Destory(ctx *macaron.Context) error {
 
 // RegenerateId regenerates a session store from old session ID to new one.
 func (m *Manager) RegenerateId(ctx *macaron.Context) (sess RawStore, err error) {
-	sid := m.sessionId()
+	sid := m.sessionID()
 	oldsid := ctx.GetCookie(m.opt.CookieName)
 	sess, err = m.provider.Regenerate(oldsid, sid)
 	if err != nil {