Add 1.4.2 changelog (#4115)

* update git vendor (#4059)

* fix errors resulting from git vendor update

* fmt

CHANGELOG.md

@@ -4,27 +4,47 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
 
-## [1.4.0-rc2](https://github.com/go-gitea/gitea/releases/tag/v1.4.0-rc2) - 2018-03-02
-* SECURITY
-  * Fix escaping changed title in comments (#3530) (#3534)
-  * Escape search query (#3486) (#3488)
+## [1.4.2](https://github.com/go-gitea/gitea/releases/tag/v1.4.2) - 2018-06-04
 * BUGFIXES
-  * Fix query protected branch bug (#3563) (#3571)
-  * Fix remove team member issue (#3566) (#3570)
-  * Fix the protected branch panic issue (#3567) (#3569)
-  * If Mirrors repository no content is fetched, updated time should not be changed (#3551) (#3565)
-  * Bug fix for mirrored repository releases sorted (#3522) (#3555)
-  * Add issue closed time column to fix activity closed issues list (#3537) (#3540)
-  * Update markbates/goth library to support OAuth2 with new dropbox API (#3533) (#3539)
-  * Fixes missing avatars in offline mode (#3471) (#3477)
-  * Fix synchronization bug in repo indexer (#3455) (#3461)
-  * Fix rendering of wiki page list if wiki repo contains other files (#3454) (#3463)
+  * Adjust z-index for floating labels (#3939) (#3950)
+  * Add missing token validation on application settings page (#3976) #3978
+  * Webhook and hook_task clean up (#4006)
+  * Fix webhook bug of response info is not displayed in UI (#4023)
+  * Fix writer cannot read bare repo guide (#4033) (#4039)
+  * Don't force due date to current time (#3830) (#4057)
+  * Fix wiki redirects (#3919) (#4065)
+  * Fix attachment ENABLED (#4064) (#4066)
+  * Added deletion of an empty line at the end of file (#4054) (#4074)
+  * Use ResolveReference instead of path.Join (#4073)
+  * Fix #4081 Check for leading / in base before removing it (#4083)
+  * Respository's home page not updated after first push (#4075)
 
-## [1.4.0-rc1](https://github.com/go-gitea/gitea/releases/tag/v1.4.0-rc1) - 2018-02-01
+## [1.4.1](https://github.com/go-gitea/gitea/releases/tag/v1.4.1) - 2018-05-03
+* BREAKING
+  * Add "error" as reserved username (#3882) (#3886)
+* SECURITY
+  * Do not allow inactive users to access repositories using private key (#3887) (#3889)
+  * Fix path cleanup in file editor, when initilizing new repository and LFS oids  (#3871) (#3873)
+  * Remove unnecessary allowed safe HTML (#3778) (#3779)
+  * Correctly check http git access rights for reverse proxy authorized users (#3721) (#3743)
+* BUGFIXES
+  * Fix to use only needed columns from tables to get repository git paths (#3870) (#3883)
+  * Fix GPG expire time display when time is zero (#3584) (#3884)
+  * Fix to update only issue last update time when adding a comment (#3855) (#3860)
+  * Fix repository star count after deleting user (#3781) (#3783)
+  * Use the active branch for the code tab (#3720) (#3776)
+  * Set default branch name on first push (#3715) (#3723)
+  * Show clipboard button if disable HTTP of git protocol (#3773) (#3774)
+
+## [1.4.0](https://github.com/go-gitea/gitea/releases/tag/v1.4.0) - 2018-03-25
 * BREAKING
   * Drop deprecated GOGS\_WORK\_DIR use (#2946)
   * Fix API status code for hook creation (#2814)
 * SECURITY
+  * Escape branch name in dropdown menu (#3691) (#3692)
+  * Refactor and simplify to correctly validate redirect to URL (#3674) (#3676)
+  * Fix escaping changed title in comments (#3530) (#3534)
+  * Escape search query (#3486) (#3488)
   * Sanitize logs for mirror sync (#3057)
 * FEATURE
   * Serve .patch and .diff for pull requests (#3305, #3293)
@@ -40,6 +60,17 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
   * Add dingtalk webhook  (#2777)
   * Responsive view (#2750)
 * BUGFIXES
+  * Fix wiki inter-links with spaces (#3560) (#3632)
+  * Fix query protected branch bug (#3563) (#3571)
+  * Fix remove team member issue (#3566) (#3570)
+  * Fix the protected branch panic issue (#3567) (#3569)
+  * If Mirrors repository no content is fetched, updated time should not be changed (#3551) (#3565)
+  * Bug fix for mirrored repository releases sorted (#3522) (#3555)
+  * Add issue closed time column to fix activity closed issues list (#3537) (#3540)
+  * Update markbates/goth library to support OAuth2 with new dropbox API (#3533) (#3539)
+  * Fixes missing avatars in offline mode (#3471) (#3477)
+  * Fix synchronization bug in repo indexer (#3455) (#3461)
+  * Fix rendering of wiki page list if wiki repo contains other files (#3454) (#3463)
   * Fix webhook X-GitHub-* headers casing for better compatibility (#3429)
   * Add content type and doctype to requests made with go-get (#3426, #3423)
   * Fix SQL type error for webhooks (#3424)

cmd/serv.go

@@ -230,6 +230,12 @@ func runServ(c *cli.Context) error {
 				fail("internal error", "Failed to get user by key ID(%d): %v", keyID, err)
 			}
 
+			if !user.IsActive || user.ProhibitLogin {
+				fail("Your account is not active or has been disabled by Administrator",
+					"User %s is disabled and have no access to repository %s",
+					user.Name, repoPath)
+			}
+
 			mode, err := models.AccessLevel(user.ID, repo)
 			if err != nil {
 				fail("Internal error", "Failed to check access: %v", err)

custom/conf/app.ini.sample

@@ -403,7 +403,7 @@ ENABLE_FEDERATED_AVATAR = false
 
 [attachment]
 ; Whether attachments are enabled. Defaults to `true`
-ENABLE = true
+ENABLED = true
 ; Path for attachments. Defaults to `data/attachments`
 PATH = data/attachments
 ; One or more allowed types, e.g. image/jpeg|image/png

docs/content/page/index.en-us.md

@@ -2,6 +2,7 @@
 date: "2016-11-08T16:00:00+02:00"
 title: "Documentation"
 slug: "documentation"
+url: "/en-us/"
 weight: 10
 toc: true
 draft: false

docs/content/page/index.fr-fr.md

@@ -2,6 +2,7 @@
 date: "2017-08-23T09:00:00+02:00"
 title: "Documentation"
 slug: "documentation"
+url: "/fr-fr/"
 weight: 10
 toc: true
 draft: false

docs/content/page/index.zh-cn.md

@@ -2,6 +2,7 @@
 date: "2016-11-08T16:00:00+02:00"
 title: "文档"
 slug: "documentation"
+url: "/zh-cn/"
 weight: 10
 toc: true
 draft: false

docs/content/page/index.zh-tw.md

@@ -2,6 +2,7 @@
 date: "2016-11-08T16:00:00+02:00"
 title: "文件"
 slug: "documentation"
+url: "/zh-tw/"
 weight: 10
 toc: true
 draft: false

docs/scripts/trans-copy

@@ -28,6 +28,8 @@ for SOURCE in $(find ${ROOT}/content -type f -iname *.en-us.md); do
     if [[ ! -f ${DEST} ]]; then
       echo "Creating fallback for ${DEST#${ROOT}/content/}"
       cp ${SOURCE} ${DEST}
+      sed -i.bak "s/en\-us/${LOCALE}/g" ${DEST}
+      rm ${DEST}.bak
     fi
   done
 done

models/action.go

@@ -523,6 +523,11 @@ func CommitRepoAction(opts CommitRepoActionOptions) error {
 		return fmt.Errorf("GetRepositoryByName [owner_id: %d, name: %s]: %v", opts.RepoOwnerID, opts.RepoName, err)
 	}
 
+	refName := git.RefEndName(opts.RefFullName)
+	if repo.IsBare && refName != repo.DefaultBranch {
+		repo.DefaultBranch = refName
+	}
+
 	// Change repository bare status and update last updated time.
 	repo.IsBare = repo.IsBare && opts.Commits.Len <= 0
 	if err = UpdateRepository(repo, false); err != nil {
@@ -563,7 +568,6 @@ func CommitRepoAction(opts CommitRepoActionOptions) error {
 		return fmt.Errorf("Marshal: %v", err)
 	}
 
-	refName := git.RefEndName(opts.RefFullName)
 	if err = NotifyWatchers(&Action{
 		ActUserID: pusher.ID,
 		ActUser:   pusher,

models/git_diff.go

@@ -14,6 +14,7 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"strconv"
 	"strings"
 
 	"code.gitea.io/git"
@@ -368,8 +369,15 @@ func ParsePatch(maxLines, maxLineCharacters, maxFiles int, reader io.Reader) (*D
 			a := line[beg+2 : middle]
 			b := line[middle+3:]
 			if hasQuote {
-				a = string(git.UnescapeChars([]byte(a[1 : len(a)-1])))
-				b = string(git.UnescapeChars([]byte(b[1 : len(b)-1])))
+				var err error
+				a, err = strconv.Unquote(a)
+				if err != nil {
+					return nil, fmt.Errorf("Unquote: %v", err)
+				}
+				b, err = strconv.Unquote(b)
+				if err != nil {
+					return nil, fmt.Errorf("Unquote: %v", err)
+				}
 			}
 
 			curFile = &DiffFile{

models/git_diff_test.go

@@ -21,16 +21,16 @@ func assertLineEqual(t *testing.T, d1 *DiffLine, d2 *DiffLine) {
 
 func TestDiffToHTML(t *testing.T) {
 	assertEqual(t, "+foo <span class=\"added-code\">bar</span> biz", diffToHTML([]dmp.Diff{
-		{dmp.DiffEqual, "foo "},
-		{dmp.DiffInsert, "bar"},
-		{dmp.DiffDelete, " baz"},
-		{dmp.DiffEqual, " biz"},
+		{Type: dmp.DiffEqual, Text: "foo "},
+		{Type: dmp.DiffInsert, Text: "bar"},
+		{Type: dmp.DiffDelete, Text: " baz"},
+		{Type: dmp.DiffEqual, Text: " biz"},
 	}, DiffLineAdd))
 
 	assertEqual(t, "-foo <span class=\"removed-code\">bar</span> biz", diffToHTML([]dmp.Diff{
-		{dmp.DiffEqual, "foo "},
-		{dmp.DiffDelete, "bar"},
-		{dmp.DiffInsert, " baz"},
-		{dmp.DiffEqual, " biz"},
+		{Type: dmp.DiffEqual, Text: "foo "},
+		{Type: dmp.DiffDelete, Text: "bar"},
+		{Type: dmp.DiffInsert, Text: " baz"},
+		{Type: dmp.DiffEqual, Text: " biz"},
 	}, DiffLineDel))
 }

models/issue_comment.go

@@ -418,7 +418,7 @@ func createComment(e *xorm.Session, opts *CreateCommentOptions) (_ *Comment, err
 	}
 
 	// update the issue's updated_unix column
-	if err = updateIssueCols(e, opts.Issue); err != nil {
+	if err = updateIssueCols(e, opts.Issue, "updated_unix"); err != nil {
 		return nil, err
 	}
 

models/issue_milestone.go

@@ -31,11 +31,6 @@ type Milestone struct {
 	ClosedDateUnix util.TimeStamp
 }
 
-// BeforeInsert is invoked from XORM before inserting an object of this type.
-func (m *Milestone) BeforeInsert() {
-	m.DeadlineUnix = util.TimeStampNow()
-}
-
 // BeforeUpdate is invoked from XORM before updating this object.
 func (m *Milestone) BeforeUpdate() {
 	if m.NumIssues > 0 {

models/migrations/migrations.go

@@ -217,6 +217,66 @@ Please try to upgrade to a lower version (>= v0.6.0) first, then upgrade to curr
 	return nil
 }
 
+func dropTableColumns(x *xorm.Engine, tableName string, columnNames ...string) (err error) {
+	if tableName == "" || len(columnNames) == 0 {
+		return nil
+	}
+
+	switch {
+	case setting.UseSQLite3:
+		log.Warn("Unable to drop columns in SQLite")
+	case setting.UseMySQL, setting.UseTiDB, setting.UsePostgreSQL:
+		cols := ""
+		for _, col := range columnNames {
+			if cols != "" {
+				cols += ", "
+			}
+			cols += "DROP COLUMN `" + col + "`"
+		}
+		if _, err := x.Exec(fmt.Sprintf("ALTER TABLE `%s` %s", tableName, cols)); err != nil {
+			return fmt.Errorf("Drop table `%s` columns %v: %v", tableName, columnNames, err)
+		}
+	case setting.UseMSSQL:
+		sess := x.NewSession()
+		defer sess.Close()
+
+		if err = sess.Begin(); err != nil {
+			return err
+		}
+
+		cols := ""
+		for _, col := range columnNames {
+			if cols != "" {
+				cols += ", "
+			}
+			cols += "`" + strings.ToLower(col) + "`"
+		}
+		sql := fmt.Sprintf("SELECT Name FROM SYS.DEFAULT_CONSTRAINTS WHERE PARENT_OBJECT_ID = OBJECT_ID('%[1]s') AND PARENT_COLUMN_ID IN (SELECT column_id FROM sys.columns WHERE lower(NAME) IN (%[2]s) AND object_id = OBJECT_ID('%[1]s'))",
+			tableName, strings.Replace(cols, "`", "'", -1))
+		constraints := make([]string, 0)
+		if err := sess.SQL(sql).Find(&constraints); err != nil {
+			sess.Rollback()
+			return fmt.Errorf("Find constraints: %v", err)
+		}
+		for _, constraint := range constraints {
+			if _, err := sess.Exec(fmt.Sprintf("ALTER TABLE `%s` DROP CONSTRAINT `%s`", tableName, constraint)); err != nil {
+				sess.Rollback()
+				return fmt.Errorf("Drop table `%s` constraint `%s`: %v", tableName, constraint, err)
+			}
+		}
+		if _, err := sess.Exec(fmt.Sprintf("ALTER TABLE `%s` DROP COLUMN %s", tableName, cols)); err != nil {
+			sess.Rollback()
+			return fmt.Errorf("Drop table `%s` columns %v: %v", tableName, columnNames, err)
+		}
+
+		return sess.Commit()
+	default:
+		log.Fatal(4, "Unrecognized DB")
+	}
+
+	return nil
+}
+
 func fixLocaleFileLoadPanic(_ *xorm.Engine) error {
 	cfg, err := ini.Load(setting.CustomConf)
 	if err != nil {

models/migrations/v56.go

@@ -5,29 +5,9 @@
 package migrations
 
 import (
-	"fmt"
-
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-
 	"github.com/go-xorm/xorm"
 )
 
 func removeIsOwnerColumnFromOrgUser(x *xorm.Engine) (err error) {
-	switch {
-	case setting.UseSQLite3:
-		log.Warn("Unable to drop columns in SQLite")
-	case setting.UseMySQL, setting.UseTiDB, setting.UsePostgreSQL:
-		if _, err := x.Exec("ALTER TABLE org_user DROP COLUMN is_owner, DROP COLUMN num_teams"); err != nil {
-			return fmt.Errorf("DROP COLUMN org_user.is_owner, org_user.num_teams: %v", err)
-		}
-	case setting.UseMSSQL:
-		if _, err := x.Exec("ALTER TABLE org_user DROP COLUMN is_owner, num_teams"); err != nil {
-			return fmt.Errorf("DROP COLUMN org_user.is_owner, org_user.num_teams: %v", err)
-		}
-	default:
-		log.Fatal(4, "Unrecognized DB")
-	}
-
-	return nil
+	return dropTableColumns(x, "org_user", "is_owner", "num_teams")
 }

models/repo.go

@@ -163,6 +163,7 @@ func NewRepoContext() {
 type Repository struct {
 	ID            int64  `xorm:"pk autoincr"`
 	OwnerID       int64  `xorm:"UNIQUE(s)"`
+	OwnerName     string `xorm:"-"`
 	Owner         *User  `xorm:"-"`
 	LowerName     string `xorm:"UNIQUE(s) INDEX NOT NULL"`
 	Name          string `xorm:"INDEX NOT NULL"`
@@ -223,9 +224,17 @@ func (repo *Repository) MustOwner() *User {
 	return repo.mustOwner(x)
 }
 
+// MustOwnerName always returns valid owner name to avoid
+// conceptually impossible error handling.
+// It returns "error" and logs error details when error
+// occurs.
+func (repo *Repository) MustOwnerName() string {
+	return repo.mustOwnerName(x)
+}
+
 // FullName returns the repository full name
 func (repo *Repository) FullName() string {
-	return repo.MustOwner().Name + "/" + repo.Name
+	return repo.MustOwnerName() + "/" + repo.Name
 }
 
 // HTMLURL returns the repository HTML URL
@@ -477,6 +486,41 @@ func (repo *Repository) mustOwner(e Engine) *User {
 	return repo.Owner
 }
 
+func (repo *Repository) getOwnerName(e Engine) error {
+	if len(repo.OwnerName) > 0 {
+		return nil
+	}
+
+	if repo.Owner != nil {
+		repo.OwnerName = repo.Owner.Name
+		return nil
+	}
+
+	u := new(User)
+	has, err := e.ID(repo.OwnerID).Cols("name").Get(u)
+	if err != nil {
+		return err
+	} else if !has {
+		return ErrUserNotExist{repo.OwnerID, "", 0}
+	}
+	repo.OwnerName = u.Name
+	return nil
+}
+
+// GetOwnerName returns the repository owner name
+func (repo *Repository) GetOwnerName() error {
+	return repo.getOwnerName(x)
+}
+
+func (repo *Repository) mustOwnerName(e Engine) string {
+	if err := repo.getOwnerName(e); err != nil {
+		log.Error(4, "Error loading repository owner name: %v", err)
+		return "error"
+	}
+
+	return repo.OwnerName
+}
+
 // ComposeMetas composes a map of metas for rendering external issue tracker URL.
 func (repo *Repository) ComposeMetas() map[string]string {
 	unit, err := repo.GetUnit(UnitTypeExternalTracker)
@@ -588,7 +632,7 @@ func (repo *Repository) GetBaseRepo() (err error) {
 }
 
 func (repo *Repository) repoPath(e Engine) string {
-	return RepoPath(repo.mustOwner(e).Name, repo.Name)
+	return RepoPath(repo.mustOwnerName(e), repo.Name)
 }
 
 // RepoPath returns the repository path
@@ -1131,7 +1175,7 @@ type CreateRepoOptions struct {
 }
 
 func getRepoInitFile(tp, name string) ([]byte, error) {
-	cleanedName := strings.TrimLeft(name, "./")
+	cleanedName := strings.TrimLeft(path.Clean("/"+name), "/")
 	relPath := path.Join("options", tp, cleanedName)
 
 	// Use custom file when available.
@@ -1778,6 +1822,8 @@ func DeleteRepository(doer *User, uid, repoID int64) error {
 		&PullRequest{BaseRepoID: repoID},
 		&RepoUnit{RepoID: repoID},
 		&RepoRedirect{RedirectRepoID: repoID},
+		&Webhook{RepoID: repoID},
+		&HookTask{RepoID: repoID},
 	); err != nil {
 		return fmt.Errorf("deleteBeans: %v", err)
 	}
@@ -2133,7 +2179,7 @@ func ReinitMissingRepositories() error {
 // SyncRepositoryHooks rewrites all repositories' pre-receive, update and post-receive hooks
 // to make sure the binary and custom conf path are up-to-date.
 func SyncRepositoryHooks() error {
-	return x.Where("id > 0").Iterate(new(Repository),
+	return x.Cols("owner_id", "name").Where("id > 0").Iterate(new(Repository),
 		func(idx int, bean interface{}) error {
 			if err := createDelegateHooks(bean.(*Repository).RepoPath()); err != nil {
 				return fmt.Errorf("SyncRepositoryHook: %v", err)

models/user.go

@@ -651,7 +651,7 @@ func NewGhostUser() *User {
 }
 
 var (
-	reservedUsernames    = []string{"assets", "css", "explore", "img", "js", "less", "plugins", "debug", "raw", "install", "api", "avatars", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "new", ".", ".."}
+	reservedUsernames    = []string{"assets", "css", "explore", "img", "js", "less", "plugins", "debug", "raw", "install", "api", "avatars", "user", "org", "help", "stars", "issues", "pulls", "commits", "repo", "template", "admin", "error", "new", ".", ".."}
 	reservedUserPatterns = []string{"*.keys"}
 )
 
@@ -934,7 +934,7 @@ func deleteUser(e *xorm.Session, u *User) error {
 	if err = e.Table("star").Cols("star.repo_id").
 		Where("star.uid = ?", u.ID).Find(&starredRepoIDs); err != nil {
 		return fmt.Errorf("get all stars: %v", err)
-	} else if _, err = e.Decr("num_watches").In("id", starredRepoIDs).Update(new(Repository)); err != nil {
+	} else if _, err = e.Decr("num_stars").In("id", starredRepoIDs).Update(new(Repository)); err != nil {
 		return fmt.Errorf("decrease repository num_stars: %v", err)
 	}
 	// ***** END: Star *****

models/webhook.go

@@ -437,7 +437,14 @@ func (t *HookTask) AfterLoad() {
 
 	t.RequestInfo = &HookRequest{}
 	if err := json.Unmarshal([]byte(t.RequestContent), t.RequestInfo); err != nil {
-		log.Error(3, "Unmarshal[%d]: %v", t.ID, err)
+		log.Error(3, "Unmarshal RequestContent[%d]: %v", t.ID, err)
+	}
+
+	if len(t.ResponseContent) > 0 {
+		t.ResponseInfo = &HookResponse{}
+		if err := json.Unmarshal([]byte(t.ResponseContent), t.ResponseInfo); err != nil {
+			log.Error(3, "Unmarshal ResponseContent[%d]: %v", t.ID, err)
+		}
 	}
 }
 
@@ -619,6 +626,10 @@ func (t *HookTask) deliver() {
 			log.Trace("Hook delivery failed: %s", t.UUID)
 		}
 
+		if err := UpdateHookTask(t); err != nil {
+			log.Error(4, "UpdateHookTask [%d]: %v", t.ID, err)
+		}
+
 		// Update webhook last delivery status.
 		w, err := GetWebhookByID(t.HookID)
 		if err != nil {
@@ -671,10 +682,6 @@ func DeliverHooks() {
 	// Update hook task status.
 	for _, t := range tasks {
 		t.deliver()
-
-		if err := UpdateHookTask(t); err != nil {
-			log.Error(4, "UpdateHookTask [%d]: %v", t.ID, err)
-		}
 	}
 
 	// Start listening on new hook requests.
@@ -695,10 +702,6 @@ func DeliverHooks() {
 		}
 		for _, t := range tasks {
 			t.deliver()
-			if err := UpdateHookTask(t); err != nil {
-				log.Error(4, "UpdateHookTask [%d]: %v", t.ID, err)
-				continue
-			}
 		}
 	}
 }

models/wiki.go

@@ -67,7 +67,7 @@ func WikiPath(userName, repoName string) string {
 
 // WikiPath returns wiki data path for given repository.
 func (repo *Repository) WikiPath() string {
-	return WikiPath(repo.MustOwner().Name, repo.Name)
+	return WikiPath(repo.MustOwnerName(), repo.Name)
 }
 
 // HasWiki returns true if repository has wiki.

modules/auth/user_form.go

@@ -182,7 +182,7 @@ func (f *AddKeyForm) Validate(ctx *macaron.Context, errs binding.Errors) binding
 
 // NewAccessTokenForm form for creating access token
 type NewAccessTokenForm struct {
-	Name string `binding:"Required"`
+	Name string `binding:"Required;MaxSize(255)"`
 }
 
 // Validate valideates the fields

modules/context/context.go

@@ -9,6 +9,7 @@ import (
 	"html/template"
 	"io"
 	"net/http"
+	"net/url"
 	"path"
 	"strings"
 	"time"
@@ -75,6 +76,26 @@ func (ctx *Context) HasValue(name string) bool {
 	return ok
 }
 
+// RedirectToFirst redirects to first not empty URL
+func (ctx *Context) RedirectToFirst(location ...string) {
+	for _, loc := range location {
+		if len(loc) == 0 {
+			continue
+		}
+
+		u, err := url.Parse(loc)
+		if err != nil || (u.Scheme != "" && !strings.HasPrefix(strings.ToLower(loc), strings.ToLower(setting.AppURL))) {
+			continue
+		}
+
+		ctx.Redirect(loc)
+		return
+	}
+
+	ctx.Redirect(setting.AppSubURL + "/")
+	return
+}
+
 // HTML calls Context.HTML and converts template name to string.
 func (ctx *Context) HTML(status int, name base.TplName) {
 	log.Debug("Template: %s", name)

modules/lfs/server.go

@@ -83,6 +83,8 @@ type link struct {
 	ExpiresAt time.Time         `json:"expires_at,omitempty"`
 }
 
+var oidRegExp = regexp.MustCompile(`^[A-Fa-f0-9]+$`)
+
 // ObjectOidHandler is the main request routing entry point into LFS server functions
 func ObjectOidHandler(ctx *context.Context) {
 
@@ -217,6 +219,12 @@ func PostHandler(ctx *context.Context) {
 
 	if !authenticate(ctx, repository, rv.Authorization, true) {
 		requireAuth(ctx)
+		return
+	}
+
+	if !oidRegExp.MatchString(rv.Oid) {
+		writeStatus(ctx, 404)
+		return
 	}
 
 	meta, err := models.NewLFSMetaObject(&models.LFSMetaObject{Oid: rv.Oid, Size: rv.Size, RepositoryID: repository.ID})
@@ -284,12 +292,14 @@ func BatchHandler(ctx *context.Context) {
 			continue
 		}
 
+		if oidRegExp.MatchString(object.Oid) {
 			// Object is not found
 			meta, err = models.NewLFSMetaObject(&models.LFSMetaObject{Oid: object.Oid, Size: object.Size, RepositoryID: repository.ID})
 			if err == nil {
 				responseObjects = append(responseObjects, Represent(object, meta, meta.Existing, !contentStore.Exists(meta)))
 			}
 		}
+	}
 
 	ctx.Resp.Header().Set("Content-Type", metaMediaType)
 

modules/markup/html.go

@@ -114,16 +114,25 @@ func cutoutVerbosePrefix(prefix string) string {
 
 // URLJoin joins url components, like path.Join, but preserving contents
 func URLJoin(base string, elems ...string) string {
-	u, err := url.Parse(base)
+	if !strings.HasSuffix(base, "/") {
+		base += "/"
+	}
+	baseURL, err := url.Parse(base)
 	if err != nil {
 		log.Error(4, "URLJoin: Invalid base URL %s", base)
 		return ""
 	}
-	joinArgs := make([]string, 0, len(elems)+1)
-	joinArgs = append(joinArgs, u.Path)
-	joinArgs = append(joinArgs, elems...)
-	u.Path = path.Join(joinArgs...)
-	return u.String()
+	joinedPath := path.Join(elems...)
+	argURL, err := url.Parse(joinedPath)
+	if err != nil {
+		log.Error(4, "URLJoin: Invalid arg %s", joinedPath)
+		return ""
+	}
+	joinedURL := baseURL.ResolveReference(argURL).String()
+	if !baseURL.IsAbs() && !strings.HasPrefix(base, "/") {
+		return joinedURL[1:] // Removing leading '/' if needed
+	}
+	return joinedURL
 }
 
 // RenderIssueIndexPatternOptions options for RenderIssueIndexPattern function
@@ -391,7 +400,11 @@ func RenderShortLinks(rawBytes []byte, urlPrefix string, noLink bool, isWikiMark
 		}
 		absoluteLink := isLink([]byte(link))
 		if !absoluteLink {
+			if image {
 				link = strings.Replace(link, " ", "+", -1)
+			} else {
+				link = strings.Replace(link, " ", "-", -1)
+			}
 		}
 		if image {
 			if !absoluteLink {

modules/markup/html_test.go

@@ -83,6 +83,14 @@ func TestURLJoin(t *testing.T) {
 			"a", "b/c/"),
 		newTest("a/b/d",
 			"a/", "b/c/", "/../d/"),
+		newTest("https://try.gitea.io/a/b/c#d",
+			"https://try.gitea.io", "a/b", "c#d"),
+		newTest("/a/b/d",
+			"/a/", "b/c/", "/../d/"),
+		newTest("/a/b/c",
+			"/a", "b/c/"),
+		newTest("/a/b/c#hash",
+			"/a", "b/c#hash"),
 	} {
 		assert.Equal(t, test.Expected, URLJoin(test.Base, test.Elements...))
 	}

modules/setting/setting.go

@@ -956,7 +956,7 @@ func NewContext() {
 	AttachmentAllowedTypes = strings.Replace(sec.Key("ALLOWED_TYPES").MustString("image/jpeg,image/png,application/zip,application/gzip"), "|", ",", -1)
 	AttachmentMaxSize = sec.Key("MAX_SIZE").MustInt64(4)
 	AttachmentMaxFiles = sec.Key("MAX_FILES").MustInt(5)
-	AttachmentEnabled = sec.Key("ENABLE").MustBool(true)
+	AttachmentEnabled = sec.Key("ENABLED").MustBool(true)
 
 	TimeFormatKey := Cfg.Section("time").Key("FORMAT").MustString("RFC1123")
 	TimeFormat = map[string]string{

modules/util/time_stamp.go

@@ -59,3 +59,8 @@ func (ts TimeStamp) FormatLong() string {
 func (ts TimeStamp) FormatShort() string {
 	return ts.Format("Jan 02, 2006")
 }
+
+// IsZero is zero time
+func (ts TimeStamp) IsZero() bool {
+	return ts.AsTime().IsZero()
+}

public/less/_base.less

@@ -152,6 +152,10 @@ pre, code {
         }
     }
 
+    &.floating.label {
+        z-index: 10;
+    }
+
     &.menu,
     &.vertical.menu,
     &.segment {
@@ -167,6 +171,14 @@ pre, code {
         font-size: .92857143rem;
     }
 
+    &.dropdown .menu>.item>.floating.label {
+        z-index: 11;
+    }
+
+    &.dropdown .menu .menu>.item>.floating.label {
+        z-index: 21;
+    }
+
     .text {
         &.red {
             color: #d95c5c !important;

routers/repo/editor.go

@@ -163,7 +163,7 @@ func editFilePost(ctx *context.Context, form auth.EditRepoFileForm, isNewFile bo
 		branchName = form.NewBranchName
 	}
 
-	form.TreePath = strings.Trim(form.TreePath, " /")
+	form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
 	treeNames, treePaths := getParentTreeFields(form.TreePath)
 
 	ctx.Data["TreePath"] = form.TreePath
@@ -477,7 +477,7 @@ func UploadFilePost(ctx *context.Context, form auth.UploadRepoFileForm) {
 		branchName = form.NewBranchName
 	}
 
-	form.TreePath = strings.Trim(form.TreePath, " /")
+	form.TreePath = strings.Trim(path.Clean("/"+form.TreePath), " /")
 	treeNames, treePaths := getParentTreeFields(form.TreePath)
 	if len(treeNames) == 0 {
 		// We must at least have one element for user to input.

routers/repo/http.go

@@ -184,6 +184,7 @@ func HTTP(ctx *context.Context) {
 					return
 				}
 			}
+		}
 
 		if !isPublicPull {
 			has, err := models.HasAccess(authUser.ID, repo, accessMode)
@@ -211,7 +212,6 @@ func HTTP(ctx *context.Context) {
 				return
 			}
 		}
-		}
 
 		if !repo.CheckUnitUser(authUser.ID, authUser.IsAdmin, unitType) {
 			ctx.HandleText(http.StatusForbidden, fmt.Sprintf("User %s does not have allowed access to repository %s 's code",

routers/repo/issue_label_test.go

@@ -32,7 +32,7 @@ func TestInitializeLabels(t *testing.T) {
 	ctx := test.MockContext(t, "user2/repo1/labels/initialize")
 	test.LoadUser(t, ctx, 2)
 	test.LoadRepo(t, ctx, 2)
-	InitializeLabels(ctx, auth.InitializeLabelsForm{"Default"})
+	InitializeLabels(ctx, auth.InitializeLabelsForm{TemplateName: "Default"})
 	assert.EqualValues(t, http.StatusFound, ctx.Resp.Status())
 	models.AssertExistsAndLoadBean(t, &models.Label{
 		RepoID: 2,

routers/repo/repo.go

@@ -307,11 +307,7 @@ func Action(ctx *context.Context) {
 		return
 	}
 
-	redirectTo := ctx.Query("redirect_to")
-	if len(redirectTo) == 0 {
-		redirectTo = ctx.Repo.RepoLink
-	}
-	ctx.Redirect(redirectTo)
+	ctx.RedirectToFirst(ctx.Query("redirect_to"), ctx.Repo.RepoLink)
 }
 
 // Download download an archive of a repository

routers/repo/view.go

@@ -223,6 +223,10 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st
 
 			var output bytes.Buffer
 			lines := strings.Split(fileContent, "\n")
+			//Remove blank line at the end of file
+			if len(lines) > 0 && lines[len(lines)-1] == "" {
+				lines = lines[:len(lines)-1]
+			}
 			for index, line := range lines {
 				line = gotemplate.HTMLEscapeString(line)
 				if index != len(lines)-1 {

routers/repo/wiki.go

@@ -350,7 +350,7 @@ func NewWikiPost(ctx *context.Context, form auth.NewWikiForm) {
 		return
 	}
 
-	ctx.Redirect(ctx.Repo.RepoLink + "/wiki/" + models.WikiNameToFilename(wikiName))
+	ctx.Redirect(ctx.Repo.RepoLink + "/wiki/" + models.WikiNameToSubURL(wikiName))
 }
 
 // EditWiki render wiki modify page
@@ -391,7 +391,7 @@ func EditWikiPost(ctx *context.Context, form auth.NewWikiForm) {
 		return
 	}
 
-	ctx.Redirect(ctx.Repo.RepoLink + "/wiki/" + models.WikiNameToFilename(newWikiName))
+	ctx.Redirect(ctx.Repo.RepoLink + "/wiki/" + models.WikiNameToSubURL(newWikiName))
 }
 
 // DeleteWikiPagePost delete wiki page

routers/user/auth.go

@@ -93,12 +93,8 @@ func checkAutoLogin(ctx *context.Context) bool {
 	}
 
 	if isSucceed {
-		if len(redirectTo) > 0 {
 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
-			ctx.Redirect(redirectTo)
-		} else {
-			ctx.Redirect(setting.AppSubURL + string(setting.LandingPageURL))
-		}
+		ctx.RedirectToFirst(redirectTo, setting.AppSubURL+string(setting.LandingPageURL))
 		return true
 	}
 
@@ -350,7 +346,7 @@ func handleSignInFull(ctx *context.Context, u *models.User, remember bool, obeyR
 	if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
 		if obeyRedirect {
-			ctx.Redirect(redirectTo)
+			ctx.RedirectToFirst(redirectTo)
 		}
 		return
 	}
@@ -439,7 +435,7 @@ func handleOAuth2SignIn(u *models.User, gothUser goth.User, ctx *context.Context
 
 			if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 {
 				ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
-				ctx.Redirect(redirectTo)
+				ctx.RedirectToFirst(redirectTo)
 				return
 			}
 

routers/user/auth_openid.go

@@ -49,12 +49,8 @@ func SignInOpenID(ctx *context.Context) {
 	}
 
 	if isSucceed {
-		if len(redirectTo) > 0 {
 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)
-			ctx.Redirect(redirectTo)
-		} else {
-			ctx.Redirect(setting.AppSubURL + "/")
-		}
+		ctx.RedirectToFirst(redirectTo)
 		return
 	}
 

routers/user/profile.go

@@ -271,9 +271,5 @@ func Action(ctx *context.Context) {
 		return
 	}
 
-	redirectTo := ctx.Query("redirect_to")
-	if len(redirectTo) == 0 {
-		redirectTo = u.HomeLink()
-	}
-	ctx.Redirect(redirectTo)
+	ctx.RedirectToFirst(ctx.Query("redirect_to"), u.HomeLink())
 }

templates/repo/bare.tmpl

@@ -5,7 +5,7 @@
 		<div class="ui grid">
 			<div class="sixteen wide column content">
 				{{template "base/alert" .}}
-				{{if .IsRepositoryAdmin}}
+				{{if .IsRepositoryWriter}}
 					<h4 class="ui top attached header">
 						{{.i18n.Tr "repo.quick_guide"}}
 					</h4>

templates/repo/branch/list.tmpl

@@ -69,12 +69,12 @@
 <div class="ui small basic delete modal">
 	<div class="ui icon header">
 		<i class="trash icon"></i>
-		{{.i18n.Tr "repo.branch.delete_html"| Safe}} <span class="branch-name"></span>
+		{{.i18n.Tr "repo.branch.delete_html"}} <span class="branch-name"></span>
 	</div>
 	<div class="content">
-		<p>{{.i18n.Tr "repo.branch.delete_desc" | Safe}}</p>
+		<p>{{.i18n.Tr "repo.branch.delete_desc"}}</p>
 		{{.i18n.Tr "repo.branch.delete_notices_1" | Safe}}<br>
-		{{.i18n.Tr "repo.branch.delete_notices_html" | Safe}} <span class="branch-name"></span><br>
+		{{.i18n.Tr "repo.branch.delete_notices_html"}} <span class="branch-name"></span><br>
 	</div>
 	{{template "base/delete_modal_actions" .}}
 </div>

templates/repo/branch_dropdown.tmpl

@@ -47,9 +47,9 @@
 						</div>
 						<div class="text small">
 							{{if .IsViewBranch}}
-								{{.i18n.Tr "repo.branch.create_from" .BranchName | Safe}}
+								{{.i18n.Tr "repo.branch.create_from" .BranchName}}
 							{{else}}
-								{{.i18n.Tr "repo.branch.create_from" (ShortSha .BranchName) | Safe}}
+								{{.i18n.Tr "repo.branch.create_from" (ShortSha .BranchName)}}
 							{{end}}
 						</div>
 					</a>

templates/repo/create.tmpl

@@ -36,7 +36,7 @@
 					<div class="inline required field {{if .Err_RepoName}}error{{end}}">
 						<label for="repo_name">{{.i18n.Tr "repo.repo_name"}}</label>
 						<input id="repo_name" name="repo_name" value="{{.repo_name}}" autofocus required>
-						<span class="help">{{.i18n.Tr "repo.repo_name_helper" | Safe}}</span>
+						<span class="help">{{.i18n.Tr "repo.repo_name_helper"}}</span>
 					</div>
 					<div class="inline field">
 						<label>{{.i18n.Tr "repo.visibility"}}</label>

templates/repo/editor/commit_form.tmpl

@@ -14,8 +14,7 @@
 					<input type="radio" class="js-quick-pull-choice-option" name="commit_choice" value="direct" {{if eq .commit_choice "direct"}}checked{{end}}>
 					<label>
 						<i class="octicon octicon-git-commit" height="16" width="14"></i>
-						{{$branchName := .BranchName | Str2html}}
-						{{.i18n.Tr "repo.editor.commit_directly_to_this_branch" $branchName | Safe}}
+						{{.i18n.Tr "repo.editor.commit_directly_to_this_branch" (.BranchName|Escape) | Safe}}
 					</label>
 				</div>
 			</div>

templates/repo/header.tmpl

@@ -48,7 +48,7 @@
 	<div class="ui tabs container">
 		<div class="ui tabular stackable menu navbar">
 			{{if .Repository.UnitEnabled $.UnitTypeCode}}
-			<a class="{{if .PageIsViewCode}}active{{end}} item" href="{{.RepoLink}}">
+			<a class="{{if .PageIsViewCode}}active{{end}} item" href="{{.RepoLink}}{{if (ne .BranchName .Repository.DefaultBranch)}}/src/branch/{{.BranchName}}{{end}}">
 				<i class="octicon octicon-code"></i> {{.i18n.Tr "repo.code"}}
 			</a>
 			{{end}}

templates/repo/home.tmpl

@@ -73,7 +73,7 @@
 						{{else if and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)}}
 							<input id="repo-clone-url" value="{{$.CloneLink.SSH}}" readonly>
 						{{end}}
-						{{if or ((not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH)))}}
+						{{if or (not $.DisableHTTP) (and (not $.DisableSSH) (or $.IsSigned $.ExposeAnonSSH))}}
 							<button class="ui basic icon button poping up clipboard" id="clipboard-btn" data-original="{{.i18n.Tr "repo.copy_link"}}" data-success="{{.i18n.Tr "repo.copy_link_success"}}" data-error="{{.i18n.Tr "repo.copy_link_error"}}" data-content="{{.i18n.Tr "repo.copy_link"}}" data-variation="inverted tiny" data-clipboard-target="#repo-clone-url">
 								<i class="octicon octicon-clippy"></i>
 							</button>

templates/repo/issue/view_content.tmpl

@@ -134,12 +134,12 @@
 <div class="ui small basic delete modal">
 	<div class="ui icon header">
 		<i class="trash icon"></i>
-		{{.i18n.Tr "repo.branch.delete" .HeadTarget | Safe}}
+		{{.i18n.Tr "repo.branch.delete" .HeadTarget }}
 	</div>
 	<div class="content">
-		<p>{{.i18n.Tr "repo.branch.delete_desc" | Safe}}</p>
+		<p>{{.i18n.Tr "repo.branch.delete_desc"}}</p>
 		{{.i18n.Tr "repo.branch.delete_notices_1" | Safe}}<br>
-		{{.i18n.Tr "repo.branch.delete_notices_2" .HeadTarget | Safe}}<br>
+		{{.i18n.Tr "repo.branch.delete_notices_2" .HeadTarget}}<br>
 	</div>
 	{{template "base/delete_modal_actions" .}}
 </div>

templates/repo/issue/view_content/comments.tmpl

@@ -145,7 +145,7 @@
 				<img src="{{.Poster.RelAvatarLink}}">
 			</a>
 			<span class="text grey"><a href="{{.Poster.HomeLink}}">{{.Poster.Name}}</a>
-			{{$.i18n.Tr "repo.issues.delete_branch_at" .CommitSHA $createdStr | Safe}}
+			{{$.i18n.Tr "repo.issues.delete_branch_at" (.CommitSHA|Escape) $createdStr | Safe}}
 			</span>
 		</div>
     {{else if eq .Type 12}}

templates/repo/settings/options.tmpl

@@ -302,7 +302,7 @@
 		</div>
 		<div class="content">
 			<div class="ui warning message text left">
-				{{.i18n.Tr "repo.settings.convert_notices_1" | Safe}}
+				{{.i18n.Tr "repo.settings.convert_notices_1"}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{.CsrfTokenHtml}}
@@ -333,8 +333,8 @@
 		</div>
 		<div class="content">
 			<div class="ui warning message text left">
-				{{.i18n.Tr "repo.settings.transfer_notices_1" | Safe}} <br>
-				{{.i18n.Tr "repo.settings.transfer_notices_2" | Safe}}
+				{{.i18n.Tr "repo.settings.transfer_notices_1"}} <br>
+				{{.i18n.Tr "repo.settings.transfer_notices_2"}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">
 				{{.CsrfTokenHtml}}
@@ -371,7 +371,7 @@
 				{{.i18n.Tr "repo.settings.delete_notices_1" | Safe}}<br>
 				{{.i18n.Tr "repo.settings.delete_notices_2" .Repository.FullName | Safe}}
 				{{if .Repository.NumForks}}<br>
-				{{.i18n.Tr "repo.settings.delete_notices_fork_1" | Safe}}
+				{{.i18n.Tr "repo.settings.delete_notices_fork_1"}}
 				{{end}}
 			</div>
 			<form class="ui form" action="{{.Link}}" method="post">

templates/user/settings/keys_gpg.tmpl

@@ -26,7 +26,7 @@
 					<div class="activity meta">
 						<i>{{$.i18n.Tr "settings.add_on"}} <span>{{.AddedUnix.FormatShort}}</span></i>
 						-
-						<i>{{if .ExpiredUnix}}{{$.i18n.Tr "settings.valid_until"}} <span>{{.ExpiredUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.valid_forever"}}{{end}}</i>
+						<i>{{if not .ExpiredUnix.IsZero}}{{$.i18n.Tr "settings.valid_until"}} <span>{{.ExpiredUnix.FormatShort}}</span>{{else}}{{$.i18n.Tr "settings.valid_forever"}}{{end}}</i>
 					</div>
 				</div>
 			</div>

vendor/code.gitea.io/git/Gopkg.lock

@@ -0,0 +1,38 @@
+# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
+
+
+[[projects]]
+  branch = "master"
+  name = "github.com/Unknwon/com"
+  packages = ["."]
+  revision = "7677a1d7c1137cd3dd5ba7a076d0c898a1ef4520"
+
+[[projects]]
+  name = "github.com/davecgh/go-spew"
+  packages = ["spew"]
+  revision = "6d212800a42e8ab5c146b8ace3490ee17e5225f9"
+
+[[projects]]
+  name = "github.com/mcuadros/go-version"
+  packages = ["."]
+  revision = "257f7b9a7d87427c8d7f89469a5958d57f8abd7c"
+
+[[projects]]
+  name = "github.com/pmezard/go-difflib"
+  packages = ["difflib"]
+  revision = "d8ed2627bdf02c080bf22230dbb337003b7aba2d"
+
+[[projects]]
+  name = "github.com/stretchr/testify"
+  packages = [
+    "assert",
+    "require"
+  ]
+  revision = "976c720a22c8eb4eb6a0b4348ad85ad12491a506"
+
+[solve-meta]
+  analyzer-name = "dep"
+  analyzer-version = 1
+  inputs-digest = "d37e90051cd58dd1f99f808626e82d64eac47f2b2334c6fcb9179bfcf2814622"
+  solver-name = "gps-cdcl"
+  solver-version = 1

vendor/code.gitea.io/git/Gopkg.toml

@@ -0,0 +1,34 @@
+# Gopkg.toml
+#
+# Refer to https://golang.github.io/dep/docs/Gopkg.toml.html
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#   name = "github.com/x/y"
+#   version = "2.4.0"
+#
+# [prune]
+#   non-go = false
+#   go-tests = true
+#   unused-packages = true
+
+
+[[constraint]]
+  name = "github.com/Unknwon/com"
+  branch = "master"
+
+[prune]
+  go-tests = true
+  unused-packages = true

vendor/code.gitea.io/git/MAINTAINERS

@@ -18,3 +18,4 @@ Antoine Girard <sapk@sapk.fr> (@sapk)
 Jonas Östanbäck <jonas.ostanback@gmail.com> (@cez81)
 David Schneiderbauer <dschneiderbauer@gmail.com> (@daviian)
 Peter Žeby <morlinest@gmail.com> (@morlinest)
+Jonas Franz <info@jonasfranz.software> (@JonasFranzDEV)

vendor/code.gitea.io/git/error.go

@@ -40,6 +40,16 @@ func (err ErrNotExist) Error() string {
 	return fmt.Sprintf("object does not exist [id: %s, rel_path: %s]", err.ID, err.RelPath)
 }
 
+// ErrBadLink entry.FollowLink error
+type ErrBadLink struct {
+	Name    string
+	Message string
+}
+
+func (err ErrBadLink) Error() string {
+	return fmt.Sprintf("%s: %s", err.Name, err.Message)
+}
+
 // ErrUnsupportedVersion error when required git version not matched
 type ErrUnsupportedVersion struct {
 	Required string

vendor/code.gitea.io/git/parse.go

@@ -0,0 +1,81 @@
+// Copyright 2018 The Gitea Authors. All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+
+package git
+
+import (
+	"bytes"
+	"fmt"
+	"strconv"
+)
+
+// ParseTreeEntries parses the output of a `git ls-tree` command.
+func ParseTreeEntries(data []byte) ([]*TreeEntry, error) {
+	return parseTreeEntries(data, nil)
+}
+
+func parseTreeEntries(data []byte, ptree *Tree) ([]*TreeEntry, error) {
+	entries := make([]*TreeEntry, 0, 10)
+	for pos := 0; pos < len(data); {
+		// expect line to be of the form "<mode> <type> <sha>\t<filename>"
+		entry := new(TreeEntry)
+		entry.ptree = ptree
+		if pos+6 > len(data) {
+			return nil, fmt.Errorf("Invalid ls-tree output: %s", string(data))
+		}
+		switch string(data[pos : pos+6]) {
+		case "100644":
+			entry.mode = EntryModeBlob
+			entry.Type = ObjectBlob
+			pos += 12 // skip over "100644 blob "
+		case "100755":
+			entry.mode = EntryModeExec
+			entry.Type = ObjectBlob
+			pos += 12 // skip over "100755 blob "
+		case "120000":
+			entry.mode = EntryModeSymlink
+			entry.Type = ObjectBlob
+			pos += 12 // skip over "120000 blob "
+		case "160000":
+			entry.mode = EntryModeCommit
+			entry.Type = ObjectCommit
+			pos += 14 // skip over "160000 object "
+		case "040000":
+			entry.mode = EntryModeTree
+			entry.Type = ObjectTree
+			pos += 12 // skip over "040000 tree "
+		default:
+			return nil, fmt.Errorf("unknown type: %v", string(data[pos:pos+6]))
+		}
+
+		if pos+40 > len(data) {
+			return nil, fmt.Errorf("Invalid ls-tree output: %s", string(data))
+		}
+		id, err := NewIDFromString(string(data[pos : pos+40]))
+		if err != nil {
+			return nil, fmt.Errorf("Invalid ls-tree output: %v", err)
+		}
+		entry.ID = id
+		pos += 41 // skip over sha and trailing space
+
+		end := pos + bytes.IndexByte(data[pos:], '\n')
+		if end < pos {
+			return nil, fmt.Errorf("Invalid ls-tree output: %s", string(data))
+		}
+
+		// In case entry name is surrounded by double quotes(it happens only in git-shell).
+		if data[pos] == '"' {
+			entry.name, err = strconv.Unquote(string(data[pos:end]))
+			if err != nil {
+				return nil, fmt.Errorf("Invalid ls-tree output: %v", err)
+			}
+		} else {
+			entry.name = string(data[pos:end])
+		}
+
+		pos = end + 1
+		entries = append(entries, entry)
+	}
+	return entries, nil
+}

vendor/code.gitea.io/git/repo_blame.go

@@ -4,7 +4,21 @@
 
 package git
 
+import "fmt"
+
 // FileBlame return the Blame object of file
 func (repo *Repository) FileBlame(revision, path, file string) ([]byte, error) {
-	return NewCommand("blame", "--root", file).RunInDirBytes(path)
+	return NewCommand("blame", "--root", "--", file).RunInDirBytes(path)
+}
+
+// LineBlame returns the latest commit at the given line
+func (repo *Repository) LineBlame(revision, path, file string, line uint) (*Commit, error) {
+	res, err := NewCommand("blame", fmt.Sprintf("-L %d,%d", line, line), "-p", revision, "--", file).RunInDir(path)
+	if err != nil {
+		return nil, err
+	}
+	if len(res) < 40 {
+		return nil, fmt.Errorf("invalid result of blame: %s", res)
+	}
+	return repo.GetCommit(string(res[:40]))
 }

vendor/code.gitea.io/git/repo_commit.go

@@ -9,6 +9,8 @@ import (
 	"container/list"
 	"strconv"
 	"strings"
+
+	"github.com/mcuadros/go-version"
 )
 
 // GetRefCommitID returns the last commit ID string of given reference (branch or tag).
@@ -316,15 +318,35 @@ func (repo *Repository) getCommitsBeforeLimit(id SHA1, num int) (*list.List, err
 }
 
 func (repo *Repository) getBranches(commit *Commit, limit int) ([]string, error) {
-	stdout, err := NewCommand("for-each-ref", "--count="+ strconv.Itoa(limit), "--format=%(refname)", "--contains", commit.ID.String(), BranchPrefix).RunInDir(repo.Path)
+	if version.Compare(gitVersion, "2.7.0", ">=") {
+		stdout, err := NewCommand("for-each-ref", "--count="+strconv.Itoa(limit), "--format=%(refname:strip=2)", "--contains", commit.ID.String(), BranchPrefix).RunInDir(repo.Path)
+		if err != nil {
+			return nil, err
+		}
+
+		branches := strings.Fields(stdout)
+		return branches, nil
+	}
+
+	stdout, err := NewCommand("branch", "--contains", commit.ID.String()).RunInDir(repo.Path)
 	if err != nil {
 		return nil, err
 	}
 
 	refs := strings.Split(stdout, "\n")
-	branches := make([]string, len(refs)-1)
-	for i, ref := range refs[:len(refs)-1] {
-		branches[i] = strings.TrimPrefix(ref, BranchPrefix)
+
+	var max int
+	if len(refs) > limit {
+		max = limit
+	} else {
+		max = len(refs) - 1
+	}
+
+	branches := make([]string, max)
+	for i, ref := range refs[:max] {
+		parts := strings.Fields(ref)
+
+		branches[i] = parts[len(parts)-1]
 	}
 	return branches, nil
 }

vendor/code.gitea.io/git/sha1.go

@@ -5,6 +5,7 @@
 package git
 
 import (
+	"bytes"
 	"encoding/hex"
 	"fmt"
 	"strings"
@@ -26,43 +27,23 @@ func (id SHA1) Equal(s2 interface{}) bool {
 		}
 		return v == id.String()
 	case []byte:
-		if len(v) != 20 {
-			return false
-		}
-		for i, v := range v {
-			if id[i] != v {
-				return false
-			}
-		}
+		return bytes.Equal(v, id[:])
 	case SHA1:
-		for i, v := range v {
-			if id[i] != v {
-				return false
-			}
-		}
+		return v == id
 	default:
 		return false
 	}
-	return true
 }
 
 // String returns string (hex) representation of the Oid.
 func (id SHA1) String() string {
-	result := make([]byte, 0, 40)
-	hexvalues := []byte("0123456789abcdef")
-	for i := 0; i < 20; i++ {
-		result = append(result, hexvalues[id[i]>>4])
-		result = append(result, hexvalues[id[i]&0xf])
-	}
-	return string(result)
+	return hex.EncodeToString(id[:])
 }
 
 // MustID always creates a new SHA1 from a [20]byte array with no validation of input.
 func MustID(b []byte) SHA1 {
 	var id SHA1
-	for i := 0; i < 20; i++ {
-		id[i] = b[i]
-	}
+	copy(id[:], b)
 	return id
 }
 

vendor/code.gitea.io/git/tree.go

@@ -5,8 +5,6 @@
 package git
 
 import (
-	"bytes"
-	"fmt"
 	"strings"
 )
 
@@ -30,84 +28,6 @@ func NewTree(repo *Repository, id SHA1) *Tree {
 	}
 }
 
-var escapeChar = []byte("\\")
-
-// UnescapeChars reverses escaped characters.
-func UnescapeChars(in []byte) []byte {
-	if bytes.Index(in, escapeChar) == -1 {
-		return in
-	}
-
-	endIdx := len(in) - 1
-	isEscape := false
-	out := make([]byte, 0, endIdx+1)
-	for i := range in {
-		if in[i] == '\\' && !isEscape {
-			isEscape = true
-			continue
-		}
-		isEscape = false
-		out = append(out, in[i])
-	}
-	return out
-}
-
-// parseTreeData parses tree information from the (uncompressed) raw
-// data from the tree object.
-func parseTreeData(tree *Tree, data []byte) ([]*TreeEntry, error) {
-	entries := make([]*TreeEntry, 0, 10)
-	l := len(data)
-	pos := 0
-	for pos < l {
-		entry := new(TreeEntry)
-		entry.ptree = tree
-		step := 6
-		switch string(data[pos : pos+step]) {
-		case "100644":
-			entry.mode = EntryModeBlob
-			entry.Type = ObjectBlob
-		case "100755":
-			entry.mode = EntryModeExec
-			entry.Type = ObjectBlob
-		case "120000":
-			entry.mode = EntryModeSymlink
-			entry.Type = ObjectBlob
-		case "160000":
-			entry.mode = EntryModeCommit
-			entry.Type = ObjectCommit
-
-			step = 8
-		case "040000":
-			entry.mode = EntryModeTree
-			entry.Type = ObjectTree
-		default:
-			return nil, fmt.Errorf("unknown type: %v", string(data[pos:pos+step]))
-		}
-		pos += step + 6 // Skip string type of entry type.
-
-		step = 40
-		id, err := NewIDFromString(string(data[pos : pos+step]))
-		if err != nil {
-			return nil, err
-		}
-		entry.ID = id
-		pos += step + 1 // Skip half of SHA1.
-
-		step = bytes.IndexByte(data[pos:], '\n')
-
-		// In case entry name is surrounded by double quotes(it happens only in git-shell).
-		if data[pos] == '"' {
-			entry.name = string(UnescapeChars(data[pos+1 : pos+step-1]))
-		} else {
-			entry.name = string(data[pos : pos+step])
-		}
-
-		pos += step + 1
-		entries = append(entries, entry)
-	}
-	return entries, nil
-}
-
 // SubTree get a sub tree by the sub dir path
 func (t *Tree) SubTree(rpath string) (*Tree, error) {
 	if len(rpath) == 0 {
@@ -142,12 +62,11 @@ func (t *Tree) ListEntries() (Entries, error) {
 	if t.entriesParsed {
 		return t.entries, nil
 	}
-	t.entriesParsed = true
 
 	stdout, err := NewCommand("ls-tree", t.ID.String()).RunInDirBytes(t.repo.Path)
 	if err != nil {
 		return nil, err
 	}
-	t.entries, err = parseTreeData(t, stdout)
+	t.entries, err = parseTreeEntries(stdout, t)
 	return t.entries, err
 }

vendor/code.gitea.io/git/tree_entry.go

@@ -5,6 +5,7 @@
 package git
 
 import (
+	"io"
 	"sort"
 	"strconv"
 	"strings"
@@ -90,6 +91,45 @@ func (te *TreeEntry) Blob() *Blob {
 	}
 }
 
+// FollowLink returns the entry pointed to by a symlink
+func (te *TreeEntry) FollowLink() (*TreeEntry, error) {
+	if !te.IsLink() {
+		return nil, ErrBadLink{te.Name(), "not a symlink"}
+	}
+
+	// read the link
+	r, err := te.Blob().Data()
+	if err != nil {
+		return nil, err
+	}
+	buf := make([]byte, te.Size())
+	_, err = io.ReadFull(r, buf)
+	if err != nil {
+		return nil, err
+	}
+
+	lnk := string(buf)
+	t := te.ptree
+
+	// traverse up directories
+	for ; t != nil && strings.HasPrefix(lnk, "../"); lnk = lnk[3:] {
+		t = t.ptree
+	}
+
+	if t == nil {
+		return nil, ErrBadLink{te.Name(), "points outside of repo"}
+	}
+
+	target, err := t.GetTreeEntryByPath(lnk)
+	if err != nil {
+		if IsErrNotExist(err) {
+			return nil, ErrBadLink{te.Name(), "broken link"}
+		}
+		return nil, err
+	}
+	return target, nil
+}
+
 // GetSubJumpablePathName return the full path of subdirectory jumpable ( contains only one directory )
 func (te *TreeEntry) GetSubJumpablePathName() string {
 	if te.IsSubModule() || !te.IsDir() {

vendor/github.com/markbates/goth/gothic/gothic.go

@@ -132,7 +132,7 @@ func GetAuthURL(res http.ResponseWriter, req *http.Request) (string, error) {
 		return "", err
 	}
 
-	err = storeInSession(providerName, sess.Marshal(), req, res)
+	err = StoreInSession(providerName, sess.Marshal(), req, res)
 
 	if err != nil {
 		return "", err
@@ -166,7 +166,7 @@ var CompleteUserAuth = func(res http.ResponseWriter, req *http.Request) (goth.Us
 		return goth.User{}, err
 	}
 
-	value, err := getFromSession(providerName, req)
+	value, err := GetFromSession(providerName, req)
 	if err != nil {
 		return goth.User{}, err
 	}
@@ -193,7 +193,7 @@ var CompleteUserAuth = func(res http.ResponseWriter, req *http.Request) (goth.Us
 		return goth.User{}, err
 	}
 
-	err = storeInSession(providerName, sess.Marshal(), req, res)
+	err = StoreInSession(providerName, sess.Marshal(), req, res)
 
 	if err != nil {
 		return goth.User{}, err
@@ -284,8 +284,9 @@ func getProviderName(req *http.Request) (string, error) {
 	return "", errors.New("you must select a provider")
 }
 
-func storeInSession(key string, value string, req *http.Request, res http.ResponseWriter) error {
-	session, _ := Store.Get(req, SessionName)
+// StoreInSession stores a specified key/value pair in the session.
+func StoreInSession(key string, value string, req *http.Request, res http.ResponseWriter) error {
+	session, _ := Store.New(req, SessionName)
 
 	if err := updateSessionValue(session, key, value); err != nil {
 		return err
@@ -294,7 +295,9 @@ func storeInSession(key string, value string, req *http.Request, res http.Respon
 	return session.Save(req, res)
 }
 
-func getFromSession(key string, req *http.Request) (string, error) {
+// GetFromSession retrieves a previously-stored value from the session.
+// If no value has previously been stored at the specified key, it will return an error.
+func GetFromSession(key string, req *http.Request) (string, error) {
 	session, _ := Store.Get(req, SessionName)
 	value, err := getSessionValue(session, key)
 	if err != nil {

vendor/github.com/markbates/goth/providers/dropbox/dropbox.go

@@ -2,9 +2,11 @@
 package dropbox
 
 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"strings"
 
@@ -25,6 +27,7 @@ type Provider struct {
 	ClientKey    string
 	Secret       string
 	CallbackURL  string
+	AccountURL   string
 	HTTPClient   *http.Client
 	config       *oauth2.Config
 	providerName string
@@ -44,6 +47,7 @@ func New(clientKey, secret, callbackURL string, scopes ...string) *Provider {
 		ClientKey:    clientKey,
 		Secret:       secret,
 		CallbackURL:  callbackURL,
+		AccountURL:   accountURL,
 		providerName: "dropbox",
 	}
 	p.config = newConfig(p, scopes)
@@ -87,7 +91,7 @@ func (p *Provider) FetchUser(session goth.Session) (goth.User, error) {
 		return user, fmt.Errorf("%s cannot get user information without accessToken", p.providerName)
 	}
 
-	req, err := http.NewRequest("POST", accountURL, nil)
+	req, err := http.NewRequest("POST", p.AccountURL, nil)
 	if err != nil {
 		return user, err
 	}
@@ -102,7 +106,17 @@ func (p *Provider) FetchUser(session goth.Session) (goth.User, error) {
 		return user, fmt.Errorf("%s responded with a %d trying to fetch user information", p.providerName, resp.StatusCode)
 	}
 
-	err = userFromReader(resp.Body, &user)
+	bits, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return user, err
+	}
+
+	err = json.NewDecoder(bytes.NewReader(bits)).Decode(&user.RawData)
+	if err != nil {
+		return user, err
+	}
+
+	err = userFromReader(bytes.NewReader(bits), &user)
 	return user, err
 }
 
@@ -162,22 +176,29 @@ func newConfig(p *Provider, scopes []string) *oauth2.Config {
 
 func userFromReader(r io.Reader, user *goth.User) error {
 	u := struct {
-		Name        string `json:"display_name"`
-		NameDetails struct {
-			NickName string `json:"familiar_name"`
-		} `json:"name_details"`
-		Location string `json:"country"`
+		AccountID string `json:"account_id"`
+		Name      struct {
+			GivenName   string `json:"given_name"`
+			Surname     string `json:"surname"`
+			DisplayName string `json:"display_name"`
+		} `json:"name"`
+		Country         string `json:"country"`
 		Email           string `json:"email"`
+		ProfilePhotoURL string `json:"profile_photo_url"`
 	}{}
 	err := json.NewDecoder(r).Decode(&u)
 	if err != nil {
 		return err
 	}
+	user.UserID = u.AccountID // The user's unique Dropbox ID.
+	user.FirstName = u.Name.GivenName
+	user.LastName = u.Name.Surname
+	user.Name = strings.TrimSpace(fmt.Sprintf("%s %s", u.Name.GivenName, u.Name.Surname))
+	user.Description = u.Name.DisplayName // Full name plus parenthetical team naem
 	user.Email = u.Email
-	user.Name = u.Name
-	user.NickName = u.NameDetails.NickName
-	user.UserID = u.Email // Dropbox doesn't provide a separate user ID
-	user.Location = u.Location
+	user.NickName = u.Email // Email is the dropbox username
+	user.Location = u.Country
+	user.AvatarURL = u.ProfilePhotoURL // May be blank
 	return nil
 }
 

vendor/vendor.json

@@ -3,10 +3,10 @@
 	"ignore": "test appengine",
 	"package": [
 		{
-			"checksumSHA1": "Gz+a5Qo4PCiB/Gf2f02v8HEAxDM=",
+			"checksumSHA1": "xwQNnA5geMAdbiBjBABtsjqZZMw=",
 			"path": "code.gitea.io/git",
-			"revision": "6798d0f202cdc7187c00a467b586a4bdee27e8c9",
-			"revisionTime": "2018-01-14T14:37:32Z"
+			"revision": "31f4b8e8c805438ac6d8914b38accb1d8aaf695e",
+			"revisionTime": "2018-05-26T05:17:21Z"
 		},
 		{
 			"checksumSHA1": "Qtq0kW+BnpYMOriaoCjMa86WGG8=",
@@ -655,63 +655,73 @@
 		},
 		{
 			"checksumSHA1": "q9MD1ienC+kmKq5i51oAktQEV1E=",
+			"origin": "github.com/go-gitea/goth",
 			"path": "github.com/markbates/goth",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
-			"checksumSHA1": "+nosptSgGb2qCAR6CSHV2avwmNg=",
+			"checksumSHA1": "FISfgOkoMtn98wglLUvfBTZ6baE=",
+			"origin": "github.com/go-gitea/goth/gothic",
 			"path": "github.com/markbates/goth/gothic",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "pJ+Cws/TU22K6tZ/ALFOvvH1K5U=",
+			"origin": "github.com/go-gitea/goth/providers/bitbucket",
 			"path": "github.com/markbates/goth/providers/bitbucket",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
-			"checksumSHA1": "bKokLof0Pkk5nEhW8NdbfcVzuqk=",
+			"checksumSHA1": "XsF5HI4240QHbFXbtWWnGgTsoq8=",
+			"origin": "github.com/go-gitea/goth/providers/dropbox",
 			"path": "github.com/markbates/goth/providers/dropbox",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "VzbroIA9R00Ig3iGnOlZLU7d4ls=",
+			"origin": "github.com/go-gitea/goth/providers/facebook",
 			"path": "github.com/markbates/goth/providers/facebook",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "P6nBZ850aaekpOcoXNdRhK86bH8=",
+			"origin": "github.com/go-gitea/goth/providers/github",
 			"path": "github.com/markbates/goth/providers/github",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "ld488t+yGoTwtmiCSSggEX4fxVk=",
+			"origin": "github.com/go-gitea/goth/providers/gitlab",
 			"path": "github.com/markbates/goth/providers/gitlab",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "qXEulD7vnwY9hFrxh91Pm5YrvTM=",
+			"origin": "github.com/go-gitea/goth/providers/gplus",
 			"path": "github.com/markbates/goth/providers/gplus",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "wsOBzyp4LKDhfCPmX1LLP7T0S3U=",
+			"origin": "github.com/go-gitea/goth/providers/openidConnect",
 			"path": "github.com/markbates/goth/providers/openidConnect",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "o6RqMbbE8QNZhNT9TsAIRMPI8tg=",
+			"origin": "github.com/go-gitea/goth/providers/twitter",
 			"path": "github.com/markbates/goth/providers/twitter",
-			"revision": "bc7deaf077a50416cf3a23aa5903d2a7b5a30ada",
-			"revisionTime": "2018-02-15T02:27:40Z"
+			"revision": "3b54d96084a5e11030f19556cf68a6ab5d93ba20",
+			"revisionTime": "2018-03-12T06:32:04Z"
 		},
 		{
 			"checksumSHA1": "61HNjGetaBoMp8HBOpuEZRSim8g=",