Skip to content

Limit reading bytes instead of ReadAll (#35928) #35934

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
wxiaoguang merged 1 commit into from
Nov 12, 2025
Merged

Limit reading bytes instead of ReadAll (#35928) #35934

wxiaoguang merged 1 commit into from
Nov 12, 2025

Conversation

@GiteaBot
Copy link
Collaborator

@GiteaBot GiteaBot commented Nov 12, 2025
edited by wxiaoguang
Loading

Backport #35928 by wxiaoguang

@GiteaBot GiteaBot added modifies/frontend modifies/go Pull requests that update Go code type/bug labels Nov 12, 2025
@GiteaBot GiteaBot added this to the 1.25.2 milestone Nov 12, 2025
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 12, 2025
@wxiaoguang wxiaoguang changed the title Limit read bytes instead of ReadAll (#35928) Limit reading bytes instead of ReadAll (#35928) Nov 12, 2025
@wxiaoguang wxiaoguang enabled auto-merge (squash) November 12, 2025 11:45
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 12, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 12, 2025
@silverwind silverwind disabled auto-merge November 12, 2025 18:26
@wxiaoguang wxiaoguang merged commit 01fa8b2 into go-gitea:release/v1.25 Nov 12, 2025
26 checks passed
@delvh
Copy link
Member

delvh commented Nov 13, 2025

It does sound a little bit strange to me to backport a possibly breaking change for users.

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Nov 13, 2025

It does sound a little bit strange to me to backport a possibly breaking change for users.

How does it break?

And it indeed is a "security fix" to avoid DoS attack.

@delvh
Copy link
Member

delvh commented Nov 13, 2025

Let's assume you had a large workflow file.
You do a minor version upgrade and suddenly it doesn't work as intended anymore.

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Nov 13, 2025

Let's assume you had a large workflow file. You do a minor version upgrade and suddenly it doesn't work as intended anymore.

Why a workflow file can be that large?

@delvh
Copy link
Member

delvh commented Nov 13, 2025

I don't know, humans are strange.
The chance of anyone being affected is really low, but it is not 0.

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Nov 13, 2025

Hmm, let's wait and see. I will handle related issue reports.

zjjhot added a commit to zjjhot/gitea that referenced this pull request Nov 24, 2025
@zjjhot
Merge remote-tracking branch 'giteaofficial/release/v1.25'
0a09b13 
* giteaofficial/release/v1.25: (77 commits)
  Add "site admin" back to profile menu (go-gitea#36010) (go-gitea#36013)
  release notes for 1.25.2 (go-gitea#35986)
  Allow empty commit when merging pull request with squash style (go-gitea#35989) (go-gitea#36003)
  Fix various permission & login related bugs (go-gitea#36002) (go-gitea#36004)
  upgrade golang.org/x/crypto to 0.45.0 (go-gitea#35988)
  Change project default column icon to 'star' (go-gitea#35967) (go-gitea#35979)
  Misc CSS fixes (go-gitea#35888) (go-gitea#35981)
  Fix container push tag overwriting (go-gitea#35936) (go-gitea#35954)
  Fix corrupted external render content (go-gitea#35946) (go-gitea#35950)
  Don't show unnecessary error message to end users for DeleteBranchAfterMerge (go-gitea#35937) (go-gitea#35941)
  Limit read bytes instead of ReadAll (go-gitea#35928) (go-gitea#35934)
  Load jQuery as early as possible to support custom scripts (go-gitea#35926) (go-gitea#35929)
  Allow to display embed images/pdfs when SERVE_DIRECT was enabled on MinIO storage (go-gitea#35882) (go-gitea#35917)
  Use correct form field for allowed force push users in branch protection API (go-gitea#35894) (go-gitea#35908)
  Make OAuth2 issuer configurable (go-gitea#35915) (go-gitea#35916)
  Fix go-gitea#35763: Add proper page title for project pages (go-gitea#35773) (go-gitea#35909)
  Display source code downloads last for release attachments (go-gitea#35897) (go-gitea#35903)
  Fix team member access check (go-gitea#35899) (go-gitea#35905)
  Fix conda null depend issue (go-gitea#35900) (go-gitea#35902)
  Fix avatar upload error handling (go-gitea#35887) (go-gitea#35890)
  ...

# Conflicts:
#	go.mod
#	go.sum
#	models/actions/run_test.go
#	models/fixtures/action_run.yml
#	models/fixtures/action_run_job.yml
#	models/fixtures/action_task.yml
#	models/fixtures/branch.yml
#	models/fixtures/repo_unit.yml
#	modules/git/tree_entry_gogit.go
#	modules/git/tree_gogit.go
#	routers/web/repo/actions/view.go
#	routers/web/repo/issue_comment.go
#	services/actions/workflow.go
#	services/doctor/actions_test.go
#	services/pull/comment.go
#	services/pull/pull.go
#	services/pull/temp_repo.go
#	templates/base/head_navbar.tmpl
#	templates/swagger/v1_json.tmpl
#	tests/integration/actions_schedule_test.go
#	tests/integration/git_lfs_ssh_test.go
#	tests/integration/pull_create_test.go
#	tests/integration/pull_merge_test.go
#	tests/sqlite.ini.tmpl
#	web_src/js/components/ContextPopup.vue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@silverwind silverwind silverwind approved these changes

@wxiaoguang wxiaoguang wxiaoguang approved these changes

@ChristopherHX ChristopherHX Awaiting requested review from ChristopherHX

@delvh delvh Awaiting requested review from delvh

@lunny lunny Awaiting requested review from lunny

Assignees

@wxiaoguang wxiaoguang

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code type/bug

Projects

None yet

Milestone

1.25.2

Development

Successfully merging this pull request may close these issues.

4 participants

@GiteaBot @delvh @wxiaoguang @silverwind