* BUGFIXES
  * Fix inconsistent PR comment counts (#18260) (#18261)
  * Fix release link broken (#18252) (#18253)
  * Fix update user from site administration page bug (#18250) (#18251)
  * Set HeadCommit when creating tags (#18116) (#18173)
  * Use correct translation key for error messages due to max repo limits (#18135 & #18153) (#18152)
  * Fix purple color in suggested label colors (#18241) (#18242)
* SECURITY
  * Bump mermaid from 8.10.1 to 8.13.8 (#18198) (#18206)
zeripath [Thu, 30 Dec 2021 05:03:04 +0000 (05:03 +0000)]
Changelog v1.15.9 (#18115)
* BUGFIXES
  * Revert "Fix delete u2f keys bug (#18042)" (#18107)
  * Migrating wiki don't require token, so we should move it out of the require form (#17645) (#18104)
  * Prevent NPE if gitea uploader fails to open url (#18080) (#18101)
  * Reset locale on login (#17734) (#18100)
  * Correctly handle failed migrations (#17575) (#18099)
  * Instead of using routerCtx just escape the url before routing (#18086) (#18098)
  * Quote references to the user table in consistency checks (#18072) (#18073)
  * Add NotFound handler (#18062) (#18067)
  * Ensure that git repository is closed before transfer (#18049) (#18057)
  * Use common sessioner for API and web routes (#18114)
* TRANSLATION
  * Fix code search result hint on zh-CN (#18053)
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
DuckDuckWhale [Wed, 29 Dec 2021 11:44:34 +0000 (03:44 -0800)]
Fix: unstable sort skips/duplicates issues across pages (#18095)
When viewing issues in sorted order, some issues are duplicated across
pages and some are missing. This is caused by the lack of tie-breakers
in database queries, making pagination inconsistent.
zeripath [Tue, 28 Dec 2021 22:15:01 +0000 (22:15 +0000)]
Use common sessioner for API and web routes (#18114)
* Use common sessioner for API and web routes
Since the regenerate session ID PR some users of the memory session provider have been
reporting difficulties with getting API results.
I am uncertain as to why this is happening - but I think that the sessioner being
created twice may be a potential cause for this. Therefore this PR attempts to move
this out to a common sessioner as it is in 1.16.
Fix #18070
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update routers/init.go
zeripath [Sun, 26 Dec 2021 10:32:04 +0000 (10:32 +0000)]
Instead of using routerCtx just escape the url before routing (#18086) (#18098)
Backport #18086
A consequence of forcibly setting the RoutePath to the escaped url is that the
auto routing to endpoints without terminal slashes fails (Causing #18060.) This
failure raises the possibility that forcibly setting the RoutePath causes other
unexpected behaviors too.
Therefore, instead we should simply pre-escape the URL in the process registering
handler. Then the request URL will be properly escaped for all the following calls.
There is a bug in handling failed migrations whereby the migration task gets decoupled
from the migration repository. This leads to a failure of the task to get deleted with
the repository and also leads to the migration failed page resulting in an ISE.
This PR removes the zeroing out of the task id from the migration but also makes
the migration handler tolerate missing tasks much more nicely.
Fix #17571
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
zeripath [Wed, 22 Dec 2021 15:26:37 +0000 (15:26 +0000)]
Add NotFound handler (#18062) (#18067)
Backport #18062
PR #17997 means that urls with terminal '/' are no longer immediately mapped
to the url without a terminal slash. However, it has revealed that the NotFound handler
appears to have been lost.
This PR adds back in a NotFound handler that simply redirects to a path without the
terminal slash or runs the NotFound handler.
zeripath [Mon, 20 Dec 2021 20:53:08 +0000 (20:53 +0000)]
Move POST /{username}/action/{action} to simply POST /{username} (#18045) (#18046)
Backport #18045
The current code unfortunately requires that `action` be a reserved
repository name as it prevents posts to change the settings for
action repositories. However, we can simply change action handler
to work on POST /{username} instead.
zeripath [Mon, 20 Dec 2021 16:38:58 +0000 (16:38 +0000)]
Prevent off-by-one error on comments on newly appended lines (#18029) (#18035)
* Prevent off-by-one error on comments on newly appended lines (#18029)
Backport #18029
There was a bug in CutDiffAroundLine whereby if a file without a terminal new line
has a patch which appends lines to it and a comment is placed on one of those lines
the comment diff will be a line out of place.
This fixes CutDiffAroundLine to simply ignore the missing terminal newline - however,
we should really improve this rendering to add a marker to say that there was a
previously missing terminal newline.
Fix #17875
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Apply suggestions from code review
zeripath [Sun, 19 Dec 2021 21:35:29 +0000 (21:35 +0000)]
Stop printing 03d after escaped characters in logs (#18030) (#18034)
Backport #18030
Strangely a weird bug was present in the log escaping code whereby any escaped
character would gain 03d - this was due to a mistake in the format string where
it should have read %03o but read instead %o03d. This has led to spurious 03d
trailing characters on these escaped characters!
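The effect of the two format strings named in this commit message, as an added Go example that is not Gitea's code. `escapeControl` is a hypothetical helper, the backslash prefix is an assumption, and the input is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeControl rewrites ASCII control bytes (except tab) and DEL as a
// backslash plus an octal code, so a raw CR or LF in a logged value cannot
// start a forged log line. buggy selects the mistyped format string.
// Hypothetical helper; the backslash prefix is an assumption.
func escapeControl(s string, buggy bool) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 0x20 && c != 0x7f, c == '\t':
			b.WriteByte(c)
		case buggy:
			// %o prints unpadded octal; "03d" is then literal text.
			fmt.Fprintf(&b, "\\%o03d", c)
		default:
			// %03o prints octal zero-padded to three digits.
			fmt.Fprintf(&b, "\\%03o", c)
		}
	}
	return b.String()
}

func main() {
	// Constructed input: a logged value carrying an injected line break.
	in := "login failed for bob\nINFO admin logged in"
	fmt.Println(escapeControl(in, true))
	fmt.Println(escapeControl(in, false))
}
```

With the mistyped verb the escape has no fixed width, so a log parser cannot reliably decode it back to the original byte.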
zeripath [Fri, 17 Dec 2021 21:24:59 +0000 (21:24 +0000)]
Ensure complexity, minlength and ispwned are checked on password setting (#18005) (#18015)
Backport #18005
It appears that there are several places that password length, complexity and ispwned
are not currently being checked when changing passwords. This PR adds these.
zeripath [Fri, 17 Dec 2021 02:08:00 +0000 (02:08 +0000)]
Prevent hang in git cat-file if the repository is not a valid repository (Partial #17991) (#17992)
* Prevent hang in git cat-file if the repository is not a valid repository (Partial #17991)
Unfortunately it appears that if git cat-file is run in an invalid
repository it will hang until stdin is closed. This will result in
deadlocked /pulls pages and dangling git cat-file calls if a broken
repository is tried to be reviewed or pulls exist for a broken
repository.
Signed-off-by: Andrew Thornton <art27@cantab.net>
* placate lint
Signed-off-by: Andrew Thornton <art27@cantab.net>
* fix compilation bug
Signed-off-by: Andrew Thornton <art27@cantab.net>
* Add the missing directories to the testrepos
* fixup! Add the missing directories to the testrepos
* and ensure that all of the other places have the objects directories too
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
- Since https://gitea.com/gitea/test-env/pulls/10 the golangci-lint has been upgraded and is erroring about new warnings in the code, this PR fixes those warnings.
The call to html.EscapeString in routers/web/repo/blame.go:renderBlame is extraneous
as the commit message is now rendered by the template. The template will correctly
escape strings - therefore we are currently double escaping.
zeripath [Sat, 30 Oct 2021 09:28:11 +0000 (10:28 +0100)]
Run Migrate in Install rather than just SyncTables (#17475) (#17486)
Backport #17475
The underlying problem in #17328 appears to be that users are re-running the install
page during upgrades. The function that tests and creates the db did not intend for
this and thus instead of the migration scripts being run - a simple sync tables occurs.
This then causes a weird partially migrated DB which causes, in this release cycle,
the duplicate column in task table error. It is likely the cause of some weird
partial migration errors in other cycles too.
This PR simply ensures that the migration scripts are also run at this point too.
zeripath [Thu, 28 Oct 2021 03:33:18 +0000 (04:33 +0100)]
Ensure that restricted users can access repos for which they are members (#17460) (#17464)
Backport #17460
There is a small bug in the way that repo access is checked in
repoAssignment: Accessibility is checked by checking if the user has a
marked access to the repository instead of checking if the user has any
team granted access.
This PR changes this permissions check to use HasAccess() which does the
correct test. There is also a fix in the release api ListReleases where
it should return draft releases if the user is a member of a team with
write access to the releases.
KN4CK3R [Mon, 25 Oct 2021 17:31:15 +0000 (19:31 +0200)]
Fix CSV render error (#17406) (#17431)
Backport #17406.
Closes #17378
Both errors from #17378 were caused by #15175.
Problem 1 (error with added file):
`ToUTF8WithFallbackReader` creates a `MultiReader` from a `byte[2048]` and the remaining reader. `CreateReaderAndGuessDelimiter` tries to read 10000 bytes from this reader but only gets 2048 because that's the first reader in the `MultiReader`. Then the `if size < 1e4` thinks the input is at EOF and just returns that.
Problem 2 (error with changed file):
The blob reader gets defer closed. That was fine because the old version reads the whole file into memory. Now with the streaming version the close needs to defer after the method.
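The short read described under Problem 1, reproduced as an added Go example that is not Gitea's code. `prefixedReader`, `sampleSingleRead` and `sampleReadFull` are hypothetical names, the CSV input is constructed, and `io.ReadFull` is shown as one way to avoid the misread, not necessarily the fix the PR applied.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"strings"
)

const guessSize = 10000 // sample size for delimiter guessing (the page's 1e4)

// prefixedReader is a hypothetical stand-in for the reader shape described
// above: a buffer of up to 2048 bytes chained in front of the remaining stream.
func prefixedReader(data string) io.Reader {
	head := 2048
	if len(data) < head {
		head = len(data)
	}
	return io.MultiReader(bytes.NewReader([]byte(data[:head])), strings.NewReader(data[head:]))
}

// sampleSingleRead issues one Read and treats a short count as end of input.
func sampleSingleRead(r io.Reader) (n int, atEOF bool) {
	buf := make([]byte, guessSize)
	n, _ = r.Read(buf)
	return n, n < guessSize
}

// sampleReadFull keeps reading until the buffer is full or the stream ends.
func sampleReadFull(r io.Reader) (n int, atEOF bool, err error) {
	buf := make([]byte, guessSize)
	n, err = io.ReadFull(r, buf)
	if err == io.EOF || err == io.ErrUnexpectedEOF {
		return n, true, nil
	}
	return n, false, err
}

func main() {
	csv := strings.Repeat("id;name;mail\n", 2000) // constructed 26000-byte input
	n, eof := sampleSingleRead(prefixedReader(csv))
	fmt.Println("single Read:", n, eof)
	n, eof, _ = sampleReadFull(prefixedReader(csv))
	fmt.Println("io.ReadFull:", n, eof)
}
```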
wxiaoguang [Mon, 25 Oct 2021 09:02:39 +0000 (17:02 +0800)]
Fix markdown checkbox rendering (#17427)
We allow rendering an empty check list item `- [ ]`, while GitHub doesn't allow it.
To make the rendering correct, we need to tune the UI (the last PR #17413 uses absolute layout, which means the empty checkbox item cannot be displayed correctly)
wxiaoguang [Sat, 23 Oct 2021 15:30:46 +0000 (23:30 +0800)]
Fix issue markdown bugs (#17413)
* Bug fix: render Markdown `http://AppURL/org/repo/issues/4?a=1&b=2#comment-123 test` to HTML correctly, close #17394
* Bug fix: fix the positions of checkboxes in rendered HTML, close #17395
zeripath [Thu, 21 Oct 2021 21:50:22 +0000 (22:50 +0100)]
Changelog 1.15.5 (#17392)
* SECURITY
  * Upgrade Bluemonday to v1.0.16 (#17372) (#17374)
  * Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)
* BUGFIXES
  * Prevent NPE in CSV diff rendering when column removed (#17018) (#17377)
  * Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (#17281) (#17376)
  * Don't panic if we fail to parse U2FRegistration data (#17304) (#17371)
  * Ensure popup text is aligned left (backport for 1.15) (#17343)
  * Ensure that git daemon export ok is created for mirrors (#17243) (#17306)
  * Disable core.protectNTFS (#17300) (#17302)
  * Use pointer for wrappedConn methods (#17295) (#17296)
  * AutoRegistration is supposed to be working with disabled registration (backport) (#17292)
  * Handle duplicate keys on GPG key ring (#17242) (#17284)
  * Fix SVG side by side comparison link (#17375) (#17391)
zeripath [Thu, 21 Oct 2021 08:37:49 +0000 (09:37 +0100)]
Offer rsa-sha2-512 and rsa-sha2-256 algorithms in internal SSH (#17281) (#17376)
Backport #17281
There is a subtle bug in the SSH library x/crypto/ssh which makes the incorrect
assumption that the public key type is the same as the signature algorithm type.
This means that only ssh-rsa signatures are offered by default.
This PR adds a workaround around this problem.
Fix #17175
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
6543 [Wed, 20 Oct 2021 20:26:48 +0000 (22:26 +0200)]
Ensure correct SSH permissions check for private and restricted users (#17370) (#17373)
Repositories owned by private users and organisations and pulls by restricted users
need to have permissions checked. Previously Serv would simply assume that if the
user could log in and the repository was not private then it would be visible.
Fix #17364
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: Andrew Thornton <art27@cantab.net>
zeripath [Wed, 20 Oct 2021 19:45:17 +0000 (20:45 +0100)]
Don't panic if we fail to parse U2FRegistration data (#17304) (#17371)
Backport #17304
Downgrade logging statement from Fatal to Error so that errors parsing
U2FRegistration data do not panic; instead, the invalid key will be
skipped and we will attempt to parse the next one, if available.
Signed-off-by: David Jimenez <dvejmz@sgfault.com>
Co-authored-by: David Jimenez <dvejmz@users.noreply.github.com>
zeripath [Thu, 14 Oct 2021 16:07:53 +0000 (17:07 +0100)]
Ensure that git daemon export ok is created for mirrors (#17243) (#17306)
Backport #17243
There is an issue with #16508 where it appears that create repo requires that the
repo does not exist. This causes #17241 where an error is reported because of this.
This PR fixes this and also runs update-server-info for mirrors and generated repos.
zeripath [Wed, 13 Oct 2021 20:02:45 +0000 (21:02 +0100)]
Disable core.protectNTFS (#17300) (#17302)
Backport #17300
core.protectNTFS protects NTFS from files which may be difficult to remove or interact
with using the win32 api, however, it also appears to prevent such files from
being entered into the git indexes - fundamentally causing breakages with PRs that
affect these files. However, deliberately setting this to false may cause security
issues due to the remain sparse checkout of files in the merge pipeline.
The only sensible option therefore is to provide an optional setting which admins
could set which would forcibly switch this off if they are affected by this issue.
zeripath [Mon, 11 Oct 2021 02:13:10 +0000 (03:13 +0100)]
Handle duplicate keys on GPG key ring (#17242) (#17284)
Backport #17242
It is possible that a keyring can contain duplicate keys on a keyring due to jpegs or
other layers. This currently leads to a confusing error for the user - where we report
a duplicate key insertion.
This PR simply coalesces keys into one key if there are duplicates.
Signed-off-by: Andrew Thornton <art27@cantab.net>
Co-authored-by: 6543 <6543@obermui.de>
Co-authored-by: 6543 <6543@obermui.de>