Merge branch 'main' into lunny/milestone_filter

Author: 6543

cmd/dump.go

@@ -112,6 +112,10 @@ It can be used for backup and capture Gitea server image to send to maintainer`,
 			Name:  "verbose, V",
 			Usage: "Show process details",
 		},
+		cli.BoolFlag{
+			Name:  "quiet, q",
+			Usage: "Only display warnings and errors",
+		},
 		cli.StringFlag{
 			Name:  "tempdir, t",
 			Value: os.TempDir(),
@@ -192,12 +196,25 @@ func runDump(ctx *cli.Context) error {
 	if _, err := setting.CfgProvider.Section("log.console").NewKey("STDERR", "true"); err != nil {
 		fatal("Setting console logger to stderr failed: %v", err)
 	}
+
+	// Set loglevel to Warn if quiet-mode is requested
+	if ctx.Bool("quiet") {
+		if _, err := setting.CfgProvider.Section("log.console").NewKey("LEVEL", "Warn"); err != nil {
+			fatal("Setting console log-level failed: %v", err)
+		}
+	}
+
 	if !setting.InstallLock {
 		log.Error("Is '%s' really the right config path?\n", setting.CustomConf)
 		return fmt.Errorf("gitea is not initialized")
 	}
 	setting.LoadSettings() // cannot access session settings otherwise
 
+	verbose := ctx.Bool("verbose")
+	if verbose && ctx.Bool("quiet") {
+		return fmt.Errorf("--quiet and --verbose cannot both be set")
+	}
+
 	stdCtx, cancel := installSignals()
 	defer cancel()
 
@@ -223,7 +240,6 @@ func runDump(ctx *cli.Context) error {
 		return err
 	}
 
-	verbose := ctx.Bool("verbose")
 	var iface interface{}
 	if fileName == "-" {
 		iface, err = archiver.ByExtension(fmt.Sprintf(".%s", outType))

custom/conf/app.example.ini

@@ -186,8 +186,8 @@ RUN_MODE = ; prod
 ;; default is the system temporary directory.
 ;SSH_KEY_TEST_PATH =
 ;;
-;; Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
-;SSH_KEYGEN_PATH = ssh-keygen
+;; Use `ssh-keygen` to parse public SSH keys. The value is passed to the shell. By default, Gitea does the parsing itself.
+;SSH_KEYGEN_PATH =
 ;;
 ;; Enable SSH Authorized Key Backup when rewriting all keys, default is true
 ;SSH_AUTHORIZED_KEYS_BACKUP = true

docs/content/doc/administration/config-cheat-sheet.en-us.md

@@ -345,7 +345,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `SSH_SERVER_MACS`: **[email protected], hmac-sha2-256, hmac-sha1**: For the built-in SSH server, choose the MACs to support for SSH connections, for system SSH this setting has no effect
 - `SSH_SERVER_HOST_KEYS`: **ssh/gitea.rsa, ssh/gogs.rsa**: For the built-in SSH server, choose the keypairs to offer as the host key. The private key should be at `SSH_SERVER_HOST_KEY` and the public `SSH_SERVER_HOST_KEY.pub`. Relative paths are made absolute relative to the `APP_DATA_PATH`. If no key exists a 4096 bit RSA key will be created for you.
 - `SSH_KEY_TEST_PATH`: **/tmp**: Directory to create temporary files in when testing public keys using ssh-keygen, default is the system temporary directory.
-- `SSH_KEYGEN_PATH`: **ssh-keygen**: Path to ssh-keygen, default is 'ssh-keygen' which means the shell is responsible for finding out which one to call.
+- `SSH_KEYGEN_PATH`: **\<empty\>**: Use `ssh-keygen` to parse public SSH keys. The value is passed to the shell. By default, Gitea does the parsing itself.
 - `SSH_EXPOSE_ANONYMOUS`: **false**: Enable exposure of SSH clone URL to anonymous visitors, default is false.
 - `SSH_PER_WRITE_TIMEOUT`: **30s**: Timeout for any write to the SSH connections. (Set to
   -1 to disable all timeouts.)

docs/content/doc/help/faq.en-us.md

@@ -118,6 +118,14 @@ The correct path for the template(s) will be relative to the `CustomPath`
 2. If you are still unable to find a path, the default can be [calculated above](#where-does-gitea-store-what-file)
 3. Once you have figured out the correct custom path, you can refer to the [customizing Gitea]({{< relref "doc/administration/customizing-gitea.en-us.md" >}}) page to add your template to the correct location.
 
+## Does Gitea have a "GitHub/GitLab pages" feature?
+
+Gitea doesn't provide a built-in Pages server. You need a dedicated domain to serve static pages to avoid CSRF security risks.
+
+For simple usage, you can use a reverse proxy to rewrite & serve static contents from Gitea's raw file URLs.
+
+And there are already available third-party services, like a standalone [pages server](https://codeberg.org/Codeberg/pages-server) or a [caddy plugin](https://github.com/42wim/caddy-gitea), that can provide the required functionality.
+
 ## Active user vs login prohibited user
 
 In Gitea, an "active" user refers to a user that has activated their account via email.

docs/content/doc/installation/comparison.en-us.md

@@ -31,6 +31,8 @@ _Symbols used in table:_
 
 - _✘ - unsupported_
 
+- _⚙️ - supported through third-party software_
+
 ## General Features
 
 | Feature                                          | Gitea                                               | Gogs | GitHub EE | GitLab CE | GitLab EE | BitBucket | RhodeCode CE |
@@ -51,7 +53,7 @@ _Symbols used in table:_
 | Custom Theme Support                             | ✓                                                   | ✓    | ✘         | ✘         | ✘         | ✓         | ✘            |
 | Markdown support                                 | ✓                                                   | ✓    | ✓         | ✓         | ✓         | ✓         | ✓            |
 | CSV support                                      | ✓                                                   | ✘    | ✓         | ✘         | ✘         | ✓         | ?            |
-| 'GitHub / GitLab pages'                          | [✘](https://github.com/go-gitea/gitea/issues/302)   | ✘    | ✓         | ✓         | ✓         | ✘         | ✘            |
+| 'GitHub / GitLab pages'                          | [⚙️][gitea-pages-server], [⚙️][gitea-caddy-plugin]    | ✘    | ✓         | ✓         | ✓         | ✘         | ✘            |
 | Repo-specific wiki (as a repo itself)            | ✓                                                   | ✓    | ✓         | ✓         | ✓         | /         | ✘            |
 | Deploy Tokens                                    | ✓                                                   | ✓    | ✓         | ✓         | ✓         | ✓         | ✓            |
 | Repository Tokens with write rights              | ✓                                                   | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
@@ -144,3 +146,6 @@ _Symbols used in table:_
 | Two factor authentication (2FA)                | ✓                                                  | ✓    | ✓         | ✓         | ✓         | ✓         | ✘            |
 | Integration with the most common services      | ✓                                                  | /    | ⁄         | ✓         | ✓         | ⁄         | ✓            |
 | Incorporate external CI/CD                     | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
+
+[gitea-caddy-plugin]: https://github.com/42wim/caddy-gitea
+[gitea-pages-server]: https://codeberg.org/Codeberg/pages-server

docs/content/doc/installation/comparison.zh-cn.md

@@ -29,6 +29,8 @@ _表格中的符号含义:_
 
 * _? - 不确定_
 
+* _⚙️ - 由第三方服务或插件支持_
+
 #### 主要特性
 
 | 特性                  | Gitea                                              | Gogs | GitHub EE | GitLab CE | GitLab EE | BitBucket      | RhodeCode CE |
@@ -42,7 +44,7 @@ _表格中的符号含义:_
 | 支持 Orgmode          | ✓                                                  | ✘    | ✓         | ✘         | ✘         | ✘              | ?            |
 | 支持 CSV              | ✓                                                  | ✘    | ✓         | ✘         | ✘         | ✓              | ?            |
 | 支持第三方渲染工具    | ✓                                                  | ✘    | ✘         | ✘         | ✘         | ✓              | ?            |
-| Git 驱动的静态 pages  | [✘](https://github.com/go-gitea/gitea/issues/302)  | ✘    | ✓         | ✓         | ✓         | ✘              | ✘            |
+| Git 驱动的静态 pages  | [⚙️][gitea-pages-server], [⚙️][gitea-caddy-plugin]   | ✘    | ✓         | ✓         | ✓         | ✘              | ✘            |
 | Git 驱动的集成化 wiki | ✓                                                  | ✓    | ✓         | ✓         | ✓         | ✓ (cloud only) | ✘            |
 | 部署令牌              | ✓                                                  | ✓    | ✓         | ✓         | ✓         | ✓              | ✓            |
 | 仓库写权限令牌        | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✓              | ✓            |
@@ -129,3 +131,6 @@ _表格中的符号含义:_
 | 集成 Discord               | ✓                                                  | ✓                                             | ✓         | ✓         | ✓         | ✘         | ✘            |
 | 集成 Microsoft Teams       | ✓                                                  | ✘                                             | ✓         | ✓         | ✓         | ✓         | ✘            |
 | 显示外部 CI/CD 的状态      | ✓                                                  | ✘                                             | ✓         | ✓         | ✓         | ✓         | ✓            |
+
+[gitea-caddy-plugin]: https://github.com/42wim/caddy-gitea
+[gitea-pages-server]: https://codeberg.org/Codeberg/pages-server

docs/content/doc/installation/comparison.zh-tw.md

@@ -31,6 +31,8 @@ menu:
 
 - ✘ - 不支援
 
+- _⚙️ - 由第三方服務或外掛程式支援_
+
 ## 一般功能
 
 | 功能                     | Gitea                                              | Gogs | GitHub EE | GitLab CE | GitLab EE | BitBucket | RhodeCode CE |
@@ -44,7 +46,7 @@ menu:
 | 支援 Orgmode             | ✓                                                  | ✘    | ✓         | ✘         | ✘         | ✘         | ?            |
 | 支援 CSV                 | ✓                                                  | ✘    | ✓         | ✘         | ✘         | ✓         | ?            |
 | 支援第三方渲染工具       | ✓                                                  | ✘    | ✘         | ✘         | ✘         | ✓         | ?            |
-| Git 驅動的靜態頁面       | [✘](https://github.com/go-gitea/gitea/issues/302)  | ✘    | ✓         | ✓         | ✓         | ✘         | ✘            |
+| Git 驅動的靜態頁面       | [⚙️][gitea-pages-server], [⚙️][gitea-caddy-plugin]   | ✘    | ✓         | ✓         | ✓         | ✘         | ✘            |
 | Git 驅動的整合 wiki      | ✓                                                  | ✓    | ✓         | ✓         | ✓         | ✓         | ✘            |
 | 部署 Token               | ✓                                                  | ✓    | ✓         | ✓         | ✓         | ✓         | ✓            |
 | 有寫入權限的儲存庫 Token | ✓                                                  | ✘    | ✓         | ✓         | ✓         | ✘         | ✓            |
@@ -130,3 +132,6 @@ menu:
 | 整合 Discord              | ✓                                                | ✓    | ✓         | ✓         | ✓         | ✘         | ✘            |
 | 整合 Microsoft Teams      | ✓                                                | ✘    | ✓         | ✓         | ✓         | ✓         | ✘            |
 | 顯示外部 CI/CD 狀態       | ✓                                                | ✘    | ✓         | ✓         | ✓         | ✓         | ✓            |
+
+[gitea-caddy-plugin]: https://github.com/42wim/caddy-gitea
+[gitea-pages-server]: https://codeberg.org/Codeberg/pages-server

models/asymkey/ssh_key_parse.go

@@ -16,7 +16,6 @@ import (
 	"strconv"
 	"strings"
 
-	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/modules/log"
 	"code.gitea.io/gitea/modules/process"
 	"code.gitea.io/gitea/modules/setting"
@@ -158,10 +157,6 @@ func parseKeyString(content string) (string, error) {
 // CheckPublicKeyString checks if the given public key string is recognized by SSH.
 // It returns the actual public key line on success.
 func CheckPublicKeyString(content string) (_ string, err error) {
-	if setting.SSH.Disabled {
-		return "", db.ErrSSHDisabled{}
-	}
-
 	content, err = parseKeyString(content)
 	if err != nil {
 		return "", err
@@ -184,7 +179,7 @@ func CheckPublicKeyString(content string) (_ string, err error) {
 		keyType string
 		length  int
 	)
-	if setting.SSH.StartBuiltinServer {
+	if len(setting.SSH.KeygenPath) == 0 {
 		fnName = "SSHNativeParsePublicKey"
 		keyType, length, err = SSHNativeParsePublicKey(content)
 	} else {
@@ -290,7 +285,12 @@ func SSHKeyGenParsePublicKey(key string) (string, int, error) {
 		}
 	}()
 
-	stdout, stderr, err := process.GetManager().Exec("SSHKeyGenParsePublicKey", setting.SSH.KeygenPath, "-lf", tmpName)
+	keygenPath := setting.SSH.KeygenPath
+	if len(keygenPath) == 0 {
+		keygenPath = "ssh-keygen"
+	}
+
+	stdout, stderr, err := process.GetManager().Exec("SSHKeyGenParsePublicKey", keygenPath, "-lf", tmpName)
 	if err != nil {
 		return "", 0, fmt.Errorf("fail to parse public key: %s - %s", err, stderr)
 	}

models/asymkey/ssh_key_test.go

@@ -57,6 +57,14 @@ func Test_SSHParsePublicKey(t *testing.T) {
 				assert.Equal(t, tc.keyType, keyTypeK)
 				assert.EqualValues(t, tc.length, lengthK)
 			})
+			t.Run("SSHParseKeyNative", func(t *testing.T) {
+				keyTypeK, lengthK, err := SSHNativeParsePublicKey(tc.content)
+				if err != nil {
+					assert.Fail(t, "%v", err)
+				}
+				assert.Equal(t, tc.keyType, keyTypeK)
+				assert.EqualValues(t, tc.length, lengthK)
+			})
 		})
 	}
 }

models/git/protected_banch_list_test.go

@@ -0,0 +1,76 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package git
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestBranchRuleMatchPriority(t *testing.T) {
+	kases := []struct {
+		Rules            []string
+		BranchName       string
+		ExpectedMatchIdx int
+	}{
+		{
+			Rules:            []string{"release/*", "release/v1.17"},
+			BranchName:       "release/v1.17",
+			ExpectedMatchIdx: 1,
+		},
+		{
+			Rules:            []string{"release/v1.17", "release/*"},
+			BranchName:       "release/v1.17",
+			ExpectedMatchIdx: 0,
+		},
+		{
+			Rules:            []string{"release/**/v1.17", "release/test/v1.17"},
+			BranchName:       "release/test/v1.17",
+			ExpectedMatchIdx: 1,
+		},
+		{
+			Rules:            []string{"release/test/v1.17", "release/**/v1.17"},
+			BranchName:       "release/test/v1.17",
+			ExpectedMatchIdx: 0,
+		},
+		{
+			Rules:            []string{"release/**", "release/v1.0.0"},
+			BranchName:       "release/v1.0.0",
+			ExpectedMatchIdx: 1,
+		},
+		{
+			Rules:            []string{"release/v1.0.0", "release/**"},
+			BranchName:       "release/v1.0.0",
+			ExpectedMatchIdx: 0,
+		},
+		{
+			Rules:            []string{"release/**", "release/v1.0.0"},
+			BranchName:       "release/v2.0.0",
+			ExpectedMatchIdx: 0,
+		},
+		{
+			Rules:            []string{"release/*", "release/v1.0.0"},
+			BranchName:       "release/1/v2.0.0",
+			ExpectedMatchIdx: -1,
+		},
+	}
+
+	for _, kase := range kases {
+		var pbs ProtectedBranchRules
+		for _, rule := range kase.Rules {
+			pbs = append(pbs, &ProtectedBranch{RuleName: rule})
+		}
+		pbs.sort()
+		matchedPB := pbs.GetFirstMatched(kase.BranchName)
+		if matchedPB == nil {
+			if kase.ExpectedMatchIdx >= 0 {
+				assert.Error(t, fmt.Errorf("no matched rules but expected %s[%d]", kase.Rules[kase.ExpectedMatchIdx], kase.ExpectedMatchIdx))
+			}
+		} else {
+			assert.EqualValues(t, kase.Rules[kase.ExpectedMatchIdx], matchedPB.RuleName)
+		}
+	}
+}

models/git/protected_branch_list.go

@@ -28,12 +28,8 @@ func (rules ProtectedBranchRules) sort() {
 	sort.Slice(rules, func(i, j int) bool {
 		rules[i].loadGlob()
 		rules[j].loadGlob()
-		if rules[i].isPlainName {
-			if !rules[j].isPlainName {
-				return true
-			}
-		} else if rules[j].isPlainName {
-			return true
+		if rules[i].isPlainName != rules[j].isPlainName {
+			return rules[i].isPlainName // plain name comes first, so plain name means "less"
 		}
 		return rules[i].CreatedUnix < rules[j].CreatedUnix
 	})
@@ -46,7 +42,7 @@ func FindRepoProtectedBranchRules(ctx context.Context, repoID int64) (ProtectedB
 	if err != nil {
 		return nil, err
 	}
-	rules.sort()
+	rules.sort() // to make non-glob rules have higher priority, and for same glob/non-glob rules, first created rules have higher priority
 	return rules, nil
 }
 

models/user/user.go

@@ -537,7 +537,8 @@ var (
 		"gitea-actions",
 	}
 
-	reservedUserPatterns = []string{"*.keys", "*.gpg", "*.rss", "*.atom"}
+	// DON'T ADD ANY NEW STUFF, WE SOLVE THIS WITH `/user/{obj}` PATHS!
+	reservedUserPatterns = []string{"*.keys", "*.gpg", "*.rss", "*.atom", "*.png"}
 )
 
 // IsUsableUsername returns an error when a username is reserved

modules/setting/ssh.go

@@ -58,7 +58,7 @@ var SSH = struct {
 	ServerCiphers:                 []string{"[email protected]", "aes128-ctr", "aes192-ctr", "aes256-ctr", "[email protected]", "[email protected]"},
 	ServerKeyExchanges:            []string{"curve25519-sha256", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"},
 	ServerMACs:                    []string{"[email protected]", "hmac-sha2-256", "hmac-sha1"},
-	KeygenPath:                    "ssh-keygen",
+	KeygenPath:                    "",
 	MinimumKeySizeCheck:           true,
 	MinimumKeySizes:               map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 2047},
 	ServerHostKeys:                []string{"ssh/gitea.rsa", "ssh/gogs.rsa"},
@@ -134,7 +134,7 @@ func loadSSHFrom(rootCfg ConfigProvider) {
 		}
 	}
 
-	SSH.KeygenPath = sec.Key("SSH_KEYGEN_PATH").MustString("ssh-keygen")
+	SSH.KeygenPath = sec.Key("SSH_KEYGEN_PATH").String()
 	SSH.Port = sec.Key("SSH_PORT").MustInt(22)
 	SSH.ListenPort = sec.Key("SSH_LISTEN_PORT").MustInt(SSH.Port)
 	SSH.UseProxyProtocol = sec.Key("SSH_SERVER_USE_PROXY_PROTOCOL").MustBool(false)

modules/templates/helper.go

@@ -138,7 +138,7 @@ func NewFuncMap() []template.FuncMap {
 		"TimeSinceUnix": timeutil.TimeSinceUnix,
 		"Sec2Time":      util.SecToTime,
 		"DateFmtLong": func(t time.Time) string {
-			return t.Format(time.RFC1123Z)
+			return t.Format(time.RFC3339)
 		},
 		"LoadTimes": func(startTime time.Time) string {
 			return fmt.Sprint(time.Since(startTime).Nanoseconds()/1e6) + "ms"