Backport #36797 by @lunny
- set OAuth2 authorization code `ValidUntil` on creation and add expiry
checks during exchange
- return a specific error when codes are invalidated twice to prevent
concurrent reuse
- add unit tests covering validity timestamps, expiration, and double
invalidation
---
Generate by a coding agent with Codex 5.2
Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Backport #36805 by @ChristopherHX
* Use base64.RawURLEncoding to avoid equal sign
* using the nodejs package they seem to get lost
* Support uploads with unspecified length
* Support uploads with a single named blockid
* without requiring a blockmap
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: ChristopherHX <christopher.homberger@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #36671 by @lunny
Adds validation constraints to repository creation inputs, enforcing
max-length limits for labels/license/readme and enum validation for
trust model and object format. Updates both the API option struct and
the web form struct to keep validation consistent.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
When display or search branch's pushed time, we should use
`updated_unix` rather than `commit_time`.
Fix#36633
Backport #36693
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
…t focus (#36585)
Currently, pressing the space key in the Monaco editor scrolls the page
instead of inserting a space
if the editor is focused. This PR stops the space key event from
propagating to parent elements,
which prevents unwanted page scrolling while still allowing Monaco to
handle space input normally.
Changes:
- disable Monaco editContext
No changes to default editor behavior are needed; Monaco automatically
inserts the space character.
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
Backport #36524 by @noeljackson
Fix data race when uploading container blobs concurrently
Co-authored-by: Noel Jackson <n@noeljackson.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Backport #36502 by @lunny
Fix#28479
When scrolling inside the editor and the editor has already reached the
end of its scroll area, the browser does not continue scrolling. This is
inconvenient because users must move the cursor out of the editor to
scroll the page further.
This PR enables automatic switching between the editor’s scroll and the
browser’s scroll, allowing seamless continuous scrolling.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #36480 by @ZPascal
## Overview
This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for
the Gitea project.
## Changes
### Toolchain Update
- **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6`
This is a minor toolchain version bump that ensures the project uses the
latest patch release of Go 1.25.
## Security Improvements
While this PR primarily addresses the toolchain update, the project
maintains a strong security posture through:
### Current Security Measures
```log
Vulnerability #1: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
More info: https://pkg.go.dev/vuln/GO-2026-4342
Standard library
Found in: archive/zip@go1.25.5
Fixed in: archive/zip@go1.25.6
Example traces found:
#1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open
Vulnerability #2: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4341
Standard library
Found in: net/url@go1.25.5
Fixed in: net/url@go1.25.6
Example traces found:
#1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery
#2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query
Vulnerability #3: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4340
Standard library
Found in: crypto/tls@go1.25.5
Fixed in: crypto/tls@go1.25.6
Example traces found:
#1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake
#2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
#3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read
#4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write
#5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial
#6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer
#7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext
```
Co-authored-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com>
This PR fixes missed repo_id on the migration of attachments to Gitea.
It also provides a doctor check to fix the dirty data on the database.
Backport #36389
Backport #36339 by @lunny
When a user has been revoked permission to access a repository, the
related notification could still be visited. But the repository's
information should not be leaked any more.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
