Add URL function to serve attachments directly from S3/Minio#6
Closed
tystuyfzand wants to merge 0 commit into
Closed
Add URL function to serve attachments directly from S3/Minio#6tystuyfzand wants to merge 0 commit into
tystuyfzand wants to merge 0 commit into
Conversation
lunny
requested changes
Jun 25, 2020
lunny
reviewed
Jun 25, 2020
Owner
|
Please rebase, I just force pushed to this branch |
Author
|
Hopefully that worked... not terribly familiar with the rebase procedure like that. |
Owner
|
@tystuyfzand I have merged this PR to my branch. |
GiteaBot
pushed a commit
that referenced
this pull request
Aug 7, 2023
- Currently the post processing will transform all issue indexes (such as `#6`) into a clickable link. - This makes sense in an situation like issues or PRs, where referencing to other issues is quite common and only referencing their issue index is an handy and efficient way to do it. - Currently this is also run for documents (which is the user profile and viewing rendered files), but in those situations it's less common to reference issues by their index and instead could mean something else. - This patch disables this post processing for issue index for documents. Matches Github's behavior. - Added unit tests. - Resolves https://codeberg.org/Codeberg/Community/issues/1120 Co-authored-by: Gusted <postmaster@gusted.xyz>
lunny
pushed a commit
that referenced
this pull request
Jan 30, 2026
## Overview This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for the Gitea project. ## Changes ### Toolchain Update - **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6` This is a minor toolchain version bump that ensures the project uses the latest patch release of Go 1.25. ## Security Improvements While this PR primarily addresses the toolchain update, the project maintains a strong security posture through: ### Current Security Measures ```log Vulnerability #1: GO-2026-4342 Excessive CPU consumption when building archive index in archive/zip More info: https://pkg.go.dev/vuln/GO-2026-4342 Standard library Found in: archive/zip@go1.25.5 Fixed in: archive/zip@go1.25.6 Example traces found: #1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open Vulnerability #2: GO-2026-4341 Memory exhaustion in query parameter parsing in net/url More info: https://pkg.go.dev/vuln/GO-2026-4341 Standard library Found in: net/url@go1.25.5 Fixed in: net/url@go1.25.6 Example traces found: #1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery #2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query Vulnerability #3: GO-2026-4340 Handshake messages may be processed at the incorrect encryption level in crypto/tls More info: https://pkg.go.dev/vuln/GO-2026-4340 Standard library Found in: crypto/tls@go1.25.5 Fixed in: crypto/tls@go1.25.6 Example traces found: #1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake #2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext #3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read #4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write #5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial #6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer #7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext ``` ## Breaking Changes None expected. This is a minor toolchain patch update.
lunny
pushed a commit
that referenced
this pull request
Feb 12, 2026
…6487) Backport go-gitea#36480 by @ZPascal ## Overview This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for the Gitea project. ## Changes ### Toolchain Update - **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6` This is a minor toolchain version bump that ensures the project uses the latest patch release of Go 1.25. ## Security Improvements While this PR primarily addresses the toolchain update, the project maintains a strong security posture through: ### Current Security Measures ```log Vulnerability #1: GO-2026-4342 Excessive CPU consumption when building archive index in archive/zip More info: https://pkg.go.dev/vuln/GO-2026-4342 Standard library Found in: archive/zip@go1.25.5 Fixed in: archive/zip@go1.25.6 Example traces found: #1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open Vulnerability #2: GO-2026-4341 Memory exhaustion in query parameter parsing in net/url More info: https://pkg.go.dev/vuln/GO-2026-4341 Standard library Found in: net/url@go1.25.5 Fixed in: net/url@go1.25.6 Example traces found: #1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery #2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query Vulnerability #3: GO-2026-4340 Handshake messages may be processed at the incorrect encryption level in crypto/tls More info: https://pkg.go.dev/vuln/GO-2026-4340 Standard library Found in: crypto/tls@go1.25.5 Fixed in: crypto/tls@go1.25.6 Example traces found: #1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake #2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext #3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read #4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write #5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial #6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer #7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext ``` Co-authored-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds the ability for S3/Object storage to serve files directly (authenticated, of course) instead of passing through Gitea itself.
This has many benefits, including:
This has a single TODO item, which involves possibly determining whether to inline or attach the file, or serve it as plain text. S3/Minio support the "Content-Disposition" header via the parameter "response-content-disposition" (MinIO Docs, Amazon S3 docs - Overriding Response Header Values), as well as a few others.