Gusted [Fri, 19 Nov 2021 02:28:27 +0000 (02:28 +0000)]
perf: sent `data-path` once for each file (#17657)
- Don't sent it with each line, instead send it at the top-element for each file.
- Related:
https://github.com/go-gitea/gitea/pull/17618#issuecomment-968192761
wxiaoguang [Thu, 18 Nov 2021 16:45:00 +0000 (00:45 +0800)]
Refactor repo-legacy.js, remove messy global variables. Fix errors. (#17646)
Refactor repo-legacy.js, remove messy global variables. Fix errors.
Fix an error in Sortable
Fix a incorrect call assignMenuAttributes from the template
Gusted [Thu, 18 Nov 2021 14:45:56 +0000 (14:45 +0000)]
Add pagination to fork list (#17639)
- Resolves #14574
- Adds the necessary code to have pagination working in the forks list of
a repo. The code is mostly in par with the stars/watcher implementation.
Gusted [Thu, 18 Nov 2021 13:25:56 +0000 (13:25 +0000)]
Fix possible panic (#17694)
- The code will get the first and second character `link[{0,1]]`.
However in a rare case the `link` could have 1 character and thus the
`link[1]` will create a panic.
Gusted [Wed, 17 Nov 2021 18:08:25 +0000 (18:08 +0000)]
Sanitize user-input on file name (#17666)
* Sanitize user-input on file name
- Sanitize user-input before it get passed into the DOM.
- Prevent things like "<iframe onload=alert(1)></iframe>" from being
executed. This isn't a XSS attack as the server seems to be santizing
the path as well.
Gusted [Wed, 17 Nov 2021 05:41:01 +0000 (05:41 +0000)]
Update golangci-lint in Makefile (#17647)
* Update golangci-lint in Makefile
- Partially resolvess #17596
- Download specific version(v1.43.0) by default.
- If current installed version is older than the minium version, it will
download the mininium required version.
- Update the install script to avoid deprecated error
`golangci/golangci-lint err this script is deprecated, please do not use
it anymore. check https://github.com/goreleaser/godownloader/issues/207`
zeripath [Tue, 16 Nov 2021 18:18:25 +0000 (18:18 +0000)]
Multiple Escaping Improvements (#17551)
There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this.
This is an extensive PR attempting to fix these issues.
1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping.
2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand.
3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future.
4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.)
5. The title generation in feeds is now properly escaped.
6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales Signed-off-by: Andrew Thornton <art27@cantab.net>
wxiaoguang [Tue, 16 Nov 2021 02:21:13 +0000 (10:21 +0800)]
Fix database deadlock when update issue labels (#17649)
This fix updates issue labels one by one, and won't cause database deadlock.
In future, we can use a batch API to update all changed labels by one request.
Gusted [Mon, 15 Nov 2021 06:02:53 +0000 (06:02 +0000)]
Remove unnecassary calls to `filepath.Join` (#17608)
- Partialy resolvess #17596
- Resolves `badCall` errors from go-critic `badCall: suspicious Join on
1 argument`
- When only 1 argument is passed into `filepath.Join`, it won't do
anything special other than `filepath.Clean(...)` will be applied over
it.
zeripath [Sat, 13 Nov 2021 11:28:50 +0000 (11:28 +0000)]
Correctly handle failed migrations (#17575)
* Correctly handle failed migrations
There is a bug in handling failed migrations whereby the migration task gets decoupled
from the migration repository. This leads to a failure of the task to get deleted with
the repository and also leads to the migration failed page resulting in a ISE.
This PR removes the zeroing out of the task id from the migration but also makes
the migration handler tolerate missing tasks much nicer.
Gusted [Thu, 11 Nov 2021 06:29:30 +0000 (07:29 +0100)]
Refactor commentTags functionality (#17558)
* feat: Allow multiple tags on comments
- Allow for multiples tags(Currently Poster + {Owner, Writer}).
- Utilize the Poster tag within the commentTag function and remove the
checking from templates.
- Use bitwise on CommentTags to enable specific tags.
- Don't show poster tag(view_content.tmpl) on the initial issue comment.
* Change parameters naming
* Change function name
* refactor variable wording
* Merge 'master' branch into 'tags-comments' branch
Gusted [Thu, 11 Nov 2021 05:28:45 +0000 (06:28 +0100)]
Remove `golint` as linter (#17609)
- Partialy resolvess #17596
- In the newer versions of `golangci-lint`, golint is deprecated and
replaced by the `revive` linter. Thus removing the `golint` linter is a
good idea, as we're already using the `revive` linter which covers all
the current `golint` cases.
Kamil Domański [Mon, 8 Nov 2021 22:47:19 +0000 (23:47 +0100)]
Allow U2F 2FA without TOTP (#11573)
This change enables the usage of U2F without being forced to enroll an TOTP authenticator.
The `/user/auth/u2f` has been changed to hide the "use TOTP instead" bar if TOTP is not enrolled.
Gusted [Mon, 8 Nov 2021 15:45:37 +0000 (16:45 +0100)]
Only allow returned deleted branche to be on repo (#17570)
- This will only allow `GetDeletedBranchByID` to return deletedBranch
which are on the repo, and thus don't return a deletedBranch from
another repo.
- This just should prevent possible bugs in the futher when a code is
passing the wrong ID into this function.