fix broken insecureskipverify handling in rediss connection uris (#20967) (#21053)
Backport #20967
Currently, it's impossible to connect to self-signed TLS encrypted redis instances. The problem lies in inproper error handling, when building redis tls options - only invalid booleans are allowed to be used in `tlsConfig` builder. The problem is, when `strconv.ParseBool(...)` returns error, it always defaults to false - meaning it's impossible to set `tlsOptions.InsecureSkipVerify` to true.
Fixes #19213
Co-authored-by: Igor Rzegocki <ajgon@users.noreply.github.com>
Do not add links to Posters or Assignees with ID < 0 (#20577) (#21037)
Backport #20577
There are several places in templates/repo/issue/view_content/comments.tmpl where links are made to Posters or Assignees who are Ghosts or have IDs <0.
Fix #20559
Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net>
silverwind [Sat, 27 Aug 2022 20:52:00 +0000 (22:52 +0200)]
Change review buttons to icons to make space for text (#20934) (#20978)
The layout on the review code view was broken depending on length of the text. Change all three buttons to icons with tooltip to make more space for these long texts.
silverwind [Thu, 25 Aug 2022 06:16:20 +0000 (08:16 +0200)]
Enable contenthash in filename for dynamic assets (#20813) (#20932)
This should solve the main problem of dynamic assets getting stale after
a version upgrade. Everything not affected will use query-string based
cache busting, which includes files loaded via HTML or worker scripts.
zeripath [Tue, 23 Aug 2022 20:42:55 +0000 (21:42 +0100)]
Set no-tags in git fetch on compare (#20893) (#20936)
Backport #20893
In the compare endpoint the git fetch is restricted to a certain branch however,
this does not completely prevent tag acquisition/pollution as git fetch will collect
any tags on that branch.
This causes pollution of the tag namespace and could cause confusion by users.
This PR adds `--no-tags` to the `git fetch` call.
Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net>
zeripath [Mon, 22 Aug 2022 18:35:18 +0000 (19:35 +0100)]
Pad GPG Key ID with preceding zeroes (#20878) (#20885)
Backport #20878
The go crypto library does not pad keyIDs to 16 characters with preceding zeroes. This
is a somewhat confusing thing for most users who expect these to have preceding zeroes.
This PR prefixes any sub 16 length KeyID with preceding zeroes and removes preceding
zeroes from KeyIDs inputted on the API.
zeripath [Mon, 22 Aug 2022 01:46:56 +0000 (02:46 +0100)]
Remove calls to load Mirrors in user.Dashboard (#20855) (#20897)
Backport #20855
Whilst looking at #20840 I noticed that the Mirrors data doesn't appear
to be being used therefore we can remove this and in fact none of the
related code is used elsewhere so it can also be removed.
Related #20840
Related #20804
Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Gusted [Sun, 21 Aug 2022 18:31:51 +0000 (20:31 +0200)]
Fix SQL Query for `SearchTeam` (#20844) (#20872)
Backport #20844
Currently the function takes in the UserID option, but isn't being used within the SQL query. This patch fixes that by checking that only teams are being returned that the user belongs to.
JonRB [Sun, 21 Aug 2022 12:18:22 +0000 (13:18 +0100)]
Ensure that graceful start-up is informed of unused SSH listener (#20877)
The graceful manager waits for 4 listeners to be created or to be told that they are not needed. If it is not told about them it will indefinitely and timeout.
This leads to SVC hosts not being told of being in the readyState but on Unix would lead to the termination of the process.
There was an unfortunate regression in #20299 which missed this subtly and in the case whereby SSH is disabled the `builtinUnused()` is not called.
This PR adds a call to `builtinUnused()` when not using the builtin ssh to allow `createServerWaitGroup.Done()` to be called.
In addition it was noted that the if/else clauses for timeout informing of the SVC host were in the wrong order. These have been swapped.
silverwind [Sat, 20 Aug 2022 14:49:16 +0000 (16:49 +0200)]
Rework repo buttons (#20602, #20718) (#20719)
* Rework repo buttons (#20602)
* Rework repo buttons
- Replace "New PR" and "Go to File" button with Icon Button
- Move all "Add File" actions into a dropdown button
- Remove most custom styling of clone buttons
- Margin and wiki tweaks
Buttons are now all equal height, mobile layout wraps gracefully.
* Restore history button and hide add button when unable to add (#20718)
Fix two regressions from #20602:
- Restore the 'History' button that was previously unable to render
because it's show condition was never hit
- Hide the 'Add File' button when there would be no items in the
dropdown.
zeripath [Thu, 18 Aug 2022 18:55:34 +0000 (19:55 +0100)]
Prevent 500 is head repo does not have PullRequest unit in IsUserAllowedToUpdate (#20839) (#20848)
Backport #20621
Some repositories do not have the PullRequest unit present in their configuration
and unfortunately the way that IsUserAllowedToUpdate currently works assumes
that this is an error instead of just returning false.
This PR simply swallows this error allowing the function to return false.
Fix #20621
Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net>
* SECURITY
* Correctly escape within tribute.js (#20831) (#20832)
* FEATURES
* Add support for NuGet API keys (#20721) (#20734)
* ENHANCEMENTS
* Display project in issue list (#20583)
* Add disable download source configuration (#20548) (#20579)
* BUGFIXES
* Use the total issue count for UI (#20785) (#20827)
* Add proxy host into allow list (#20798) (#20819)
* Add missing translation for queue flush workers (#20791) (#20792)
* Improve comment header for mobile (#20781) (#20789)
* Fix git.Init for doctor sub-command (#20782) (#20783)
* Check webhooks slice length before calling xorm (#20642) (#20768)
* Remove manual rollback for failed generated repositories (#20639) (#20762)
* Use correct field name in npm template (#20675) (#20760)
* Keep download count on Container tag overwrite (#20728) (#20735)
* Fix v220 migration to be compatible for MSSQL 2008 r2 (#20702) (#20707)
* Use request timeout for git service rpc (#20689) (#20693)
* Send correct NuGet status codes (#20647) (#20677)
* Use correct context to get package content (#20673) (#20676)
* Fix the JS error "EventSource is not defined" caused by some non-standard browsers (#20584) (#20663)
* Add default commit messages to PR for squash merge (#20618) (#20645)
* Fix package upload for files >32mb (#20622) (#20635)
* Fix the new-line copy-paste for rendered code (#20612)
* Clean up and fix clone button script (#20415 & #20600) (#20599)
* Fix default merge style (#20564) (#20565)
* Add repository condition for issue count (#20454) (#20496)
* MISC
* Make branch icon stand out more (#20726) (#20774)
* Fix loading button with invalid form (#20754) (#20759)
* Add username check to doctor (#20140) (#20671)
* Enable Wire 2 for Internal SSH Server (#20616) (#20617)
* Fix SecToTime edge-cases (#20610) (#20611)
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Apply suggestions from code review
Co-authored-by: John Olheiser <john+github@jolheiser.com>
* Update CHANGELOG.md
Lunny Xiao [Thu, 18 Aug 2022 08:57:40 +0000 (16:57 +0800)]
Check Mirror exists before linking its Repo (#20840) (#20842)
In MirrorRepositoryList.loadAttributes there is some code to load the Mirror entries
from the database. This assumes that every Repository which has IsMirror set has
a Mirror associated in the DB. This association is incorrect in the case of
Mirror repository under creation when there is no Mirror entry in the DB until
completion.
Unfortunately LoadAttributes makes this incorrect assumption and presumes that a
Mirror will always be loaded. This then causes a panic.
This PR simply double checks if there a Mirror before attempting to link back to
its Repo. Unfortunately it should be expected that there may be other cases where
this incorrect assumption causes further problems.
Fix #20804
Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net>
parnic [Wed, 17 Aug 2022 17:25:07 +0000 (12:25 -0500)]
Use the total issue count for UI (#20785) (#20827)
Backport #20785
This fixes a problem where the "All" line item on the Issues or Pull Requests page was only showing the count of the selected repos instead of the total of all issues/prs in all repos.
The "total number of shown issues" number is now stashed in a different context variable in case it wants to be used by the frontend later. It's currently not being used.
Gusted [Mon, 15 Aug 2022 11:09:46 +0000 (11:09 +0000)]
Improve comment header for mobile (#20781) (#20789)
- Backport #20781
- Since b9e8fa5 the avatar will be inlined into the comment header, so there's more room for the actual comment container(thus more text per line in the comment body). However this didn't take into consideration that the flex didn't allow any wrapping and thus was shrinking the avatar. Well this isn't a perfect solution, as you ideally all want these elements to be individually wrapped(such that comment-header-right can be on the same line as comment-header-left, which now causes a new line in certain situations). It's a better solution than the current CSS and to not mess with the desktop CSS/HTML.
Gusted [Fri, 12 Aug 2022 19:38:17 +0000 (19:38 +0000)]
Make branch icon stand out more (#20726) (#20774)
- Backport #20726
- Currently the branch icon is "squashed" between the two branch names and feels a bit "amateur-ish" to my feeling(relative to other UI elements).
- This patch tries to improve that by making the icon bigger and by adding some margin to not have a "squashed" icon.
- This patch also includes a "fix", for some reason this symbol is not centering correctly. So apply allign-items: center to the top div
wxiaoguang [Thu, 11 Aug 2022 10:11:49 +0000 (18:11 +0800)]
Remove manual rollback for failed generated repositories (#20639) (#20762)
Generating repositories from a template is done inside a transaction.
Manual rollback on error is not needed and it always results in error
"repository does not exist".
Co-authored-by: Gabriel Vasile <gabriel.vasile@email.com>
silverwind [Thu, 11 Aug 2022 08:26:09 +0000 (10:26 +0200)]
Fix loading button with invalid form (#20754) (#20759)
Previously, if a invalid form was submitted (for example issue with no
title), the form could not be re-submitted again because the button
would not stay stuck in loading state. Fix that by hooking the 'submit'
event instead which triggers only when the form is valid.
parnic [Sun, 7 Aug 2022 02:37:48 +0000 (21:37 -0500)]
Use request timeout for git service rpc (#20689) (#20693)
This enables git.Command's Run to optionally use the given context directly so its deadline will be respected. Otherwise, it falls back to the previous behavior of using the supplied timeout or a default timeout value of 360 seconds.
repo's serviceRPC() calls now use the context's deadline (which is unset/unlimited) instead of the default 6-minute timeout. This means that large repo clones will no longer arbitrarily time out on the upload-pack step, and pushes can take longer than 6 minutes on the receive-pack step.
John Olheiser [Thu, 4 Aug 2022 16:07:07 +0000 (11:07 -0500)]
Add username check to doctor (#20140) (#20671)
* Add username check to doctor
- Add a new breaking change detector to Gitea's doctor, which checks if
all users still have a valid username according to Gitea. Given from
time-to-time we need to make changes, either due to new routes or due to
security, it's for a instance's admin to check if all users still have a
valid username.
wxiaoguang [Tue, 2 Aug 2022 17:37:28 +0000 (01:37 +0800)]
Adjust line detection in highlight.go (#20612)
The code for detection of lines in highlight.go is somewhat too complex
and doesn't take account of how Chroma is actually splitting things into
lines for us.
Remove both the .line and .cl classes from Chroma's HTML which made
the old conditional work again. This fixed Copy of YAML files while also
reducing the amount of rendered HTML nodes.
Gusted [Tue, 2 Aug 2022 07:58:57 +0000 (09:58 +0200)]
Enable Wire 2 for Internal SSH Server (#20616) (#20617)
- Backport of #20616
- Git only decides to use the Wire 2 protocol when `git {receive,upload}-pack` receive the `GIT_PROTOCOL` environment with as value `version=2`. Currently the internal SSH Server wasn't passing this environment through. The `gitea serv` code already passed all received environments to the git command, so no code changes there.
- This is mentioned in Git manual, https://git-scm.com/docs/git#Documentation/git.txt-codeGITPROTOCOLcode
silverwind [Tue, 2 Aug 2022 04:31:38 +0000 (06:31 +0200)]
Clean up and fix clone button script (#20415 & #20600) (#20599)
* Clean up and fix clone button script (#20415)
The button 'primary' class needs to be set in a synchronous script to prevent flicker of the button which was regressed recently, fixed that.
Additionally, reduced the two script tags to just one, the previous scripts were actually initializing the buttons thrice on the empty repo page, now it only initializes once. Finally, removed duplicate code and re-used the inline function in the update code as well.
I had to split out the script into a separate template as on the empty repo page, the script needs access to the clone URL span in the example text, which is rendered below the clone buttons, so buttons and script could not be combined.
* Add default value for clone URLs
Default clone URLs to HTTP(S) in DOM rendering. JS will immediately
replace this if the user preference is SSH.
WebAuthn CredentialID field needs to be increased in size (#20530) (#20555)
WebAuthn have updated their specification to set the maximum size of the
CredentialID to 1023 bytes. This is somewhat larger than our current
size and therefore we need to migrate.
The PR changes the struct to add CredentialIDBytes and migrates the CredentialID string
to the bytes field before another migration drops the old CredentialID field. Another migration
renames this field back.
Fix #20457
Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net>
Rework raw file http header logic (#20484) (#20542)
- Always respect the user's configured mime type map
- Allow more types like image/pdf/video/audio to serve with correct content-type
- Shorten cache duration of raw files to 5 minutes, matching GitHub
- Don't set `content-disposition: attachment`, let the browser decide whether it wants to download or display a file directly
- Implement rfc5987 for filenames, remove previous hack. Confirmed it working in Safari.
- Make PDF attachment work in Safari by removing `sandbox` attribute.
This change will make a lot more file types open directly in browser now. Logic should generally be more readable than before with less `if` nesting and such.
Update notification count for non-mobile version (#20544)
- Since #20108 we have two version of the notification bell, one for
mobile the other for non-mobile. However the code only accounts for one
notification count and thus was only updating the non-mobile one.
- This code fixes that by applying the code for all `.notification_count`s.
- Frontport will be in #20543
Ensure that all unmerged files are merged when conflict checking (#20528) (#20536)
There is a subtle bug in the code relating to collating the results of
`git ls-files -u -z` in `unmergedFiles()`. The code here makes the
mistake of assuming that every unmerged file will always have a stage 1
conflict, and this results in conflicts that occur in stage 3 only being
dropped.
This PR simply adjusts this code to ensure that any empty unmergedFile
will always be passed down the channel.
The PR also adds a lot of Trace commands to attempt to help find future
bugs in this code.
Fix #19527
Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: zeripath <art27@cantab.net>
Stop logging EOFs and exit(1)s in ssh handler (#20476) (#20529)
Backport #20476
The code in modules/ssh/ssh.go:sessionHandler() currently cause an error to be
logged if `gitea serv` exits with a exit(1). This logging is useless because the
accompanying stderr is not provided and in any case the exit(1) is most likely due
to permissions errors.
Further it then causes the EOF to be logged - even though this is not helpful.
This PR simply checks the errors returned and stops logging them.
In the case of misconfigurations causing `gitea serv` to fail with exit(1)
the current logging is not helpful at determining this and users should simply
review the message passed over the ssh connection.
packages/generic: Do not restrict package versions to SemVer (#20414) (#20531)
There are existing packages out there whose version do not conform to SemVer, yet, one would like to have them available in a generic package repository. To this end, remove the SemVer restriction on package versions when using the Generic package registry, and replace it with a check that simply makes sure the version isn't empty.
Signed-off-by: Gergely Nagy <me@gergo.csillger.hu> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: 6543 <6543@obermui.de> Co-authored-by: Gergely Nagy <algernon@users.noreply.github.com>
Allow non-semver packages in the Conan package registry (#20412) (#20523)
Backport #20412
A lot of existing packages do not conform to SemVer, yet, they should be allowed
in the Conan package registry as-is. To achieve this, remove the SemVer check
from `NewRecipeReference`, and replace it with a simple empty string check.
A unit test with a non-semver version is also included.
Fixes #20405.
Signed-off-by: Gergely Nagy <me@gergo.csillger.hu> Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Gergely Nagy <algernon@users.noreply.github.com>
Fix dashboard switching on Mobile (#20238) (#20239)
- This is a regression of improving mobile experience on Gitea, currently organization dashboard aren't readable and the popup won't show up when you want to switch between users/organization(as we saw in #19978).
- This patch fixes that, by allowing the popup to allocate the required pixels(for some absurd reason, z-index doesn't work on the popup, so it's not able to render over the existing elements, we can investigate later of why this is). And also remove the additional dropdown menu for the pages link, so it's one unified list which then can be displayed as rows.
Add Cache-Control header to html and api responses, add no-transform (#20432) (#20459)
`no-transform` allegedly disables CloudFlare auto-minify and we did not
set caching headers on html or api requests, which seems good to have
regardless.
Transformation is still allowed for asset requests.
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Andrew Thornton <art27@cantab.net>
Unfortunately it appears that 2048 bit RSA keys can occasionally be created in such
a way that they appear to have 2047 bit length. This PR simply changes our defaults to
allow these.
Fix #20249
Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Fix commit status icon when in subdirectory (#20285) (#20385)
When viewing a subdirectory and the latest commit to that directory in
the table, the commit status icon incorrectly showed the status of the
HEAD commit instead of the latest for that directory.