Merge remote-tracking branch 'giteaofficial/main'

* giteaofficial/main:
  Fix panic when get editor config file (go-gitea#36241)
  Refactor compare router param parse (go-gitea#36105)
  [skip ci] Updated translations via Crowdin
  Use flatten translation keys (go-gitea#36225)
  Replace CSRF cookie with `CrossOriginProtection` (go-gitea#36183)
  Remove fomantic form module (go-gitea#36222)
  Fix panic in blame view when a file has only a single commit (go-gitea#36230)
  fix: spelling error in migrate-storage cmd utility (go-gitea#36226)

# Conflicts:
#	templates/user/settings/security/twofa.tmpl

Author: zjjhot

build/update-locales.sh

@@ -9,11 +9,11 @@ fi
 mv ./options/locale/locale_en-US.json ./options/
 
 # Remove translation under 25% of en_us
-baselines=$(wc -l "./options/locale_en-US.json" | cut -d" " -f1)
+baselines=$(cat "./options/locale_en-US.json" | wc -l)
 baselines=$((baselines / 4))
 for filename in ./options/locale/*.json; do
-  lines=$(wc -l "$filename" | cut -d" " -f1)
-  if [ $lines -lt $baselines ]; then
+  lines=$(cat "$filename" | wc -l)
+  if [ "$lines" -lt "$baselines" ]; then
     echo "Removing $filename: $lines/$baselines"
     rm "$filename"
   fi

cmd/migrate_storage.go

@@ -36,7 +36,7 @@ var CmdMigrateStorage = &cli.Command{
 			Name:    "type",
 			Aliases: []string{"t"},
 			Value:   "",
-			Usage:   "Type of stored files to copy.  Allowed types: 'attachments', 'lfs', 'avatars', 'repo-avatars', 'repo-archivers', 'packages', 'actions-log', 'actions-artifacts",
+			Usage:   "Type of stored files to copy.  Allowed types: 'attachments', 'lfs', 'avatars', 'repo-avatars', 'repo-archivers', 'packages', 'actions-log', 'actions-artifacts'",
 		},
 		&cli.StringFlag{
 			Name:    "storage",

custom/conf/app.example.ini

@@ -503,9 +503,6 @@ INTERNAL_TOKEN =
 ;; Password Hash algorithm, either "argon2", "pbkdf2", "scrypt" or "bcrypt"
 ;PASSWORD_HASH_ALGO = pbkdf2
 ;;
-;; Set false to allow JavaScript to read CSRF cookie
-;CSRF_COOKIE_HTTP_ONLY = true
-;;
 ;; Validate against https://haveibeenpwned.com/Passwords to see if a password has been exposed
 ;PASSWORD_CHECK_PWN = false
 ;;

modules/git/blob_gogit.go

@@ -9,24 +9,38 @@ package git
 import (
 	"io"
 
+	"code.gitea.io/gitea/modules/log"
+
 	"github.com/go-git/go-git/v5/plumbing"
 )
 
 // Blob represents a Git object.
 type Blob struct {
-	ID ObjectID
+	ID   ObjectID
+	repo *Repository
+	name string
+}
 
-	gogitEncodedObj plumbing.EncodedObject
-	name            string
+func (b *Blob) gogitEncodedObj() (plumbing.EncodedObject, error) {
+	return b.repo.gogitRepo.Storer.EncodedObject(plumbing.AnyObject, plumbing.Hash(b.ID.RawValue()))
 }
 
 // DataAsync gets a ReadCloser for the contents of a blob without reading it all.
 // Calling the Close function on the result will discard all unread output.
 func (b *Blob) DataAsync() (io.ReadCloser, error) {
-	return b.gogitEncodedObj.Reader()
+	obj, err := b.gogitEncodedObj()
+	if err != nil {
+		return nil, err
+	}
+	return obj.Reader()
 }
 
 // Size returns the uncompressed size of the blob
 func (b *Blob) Size() int64 {
-	return b.gogitEncodedObj.Size()
+	obj, err := b.gogitEncodedObj()
+	if err != nil {
+		log.Error("Error getting gogit encoded object for blob %s(%s): %v", b.name, b.ID.String(), err)
+		return 0
+	}
+	return obj.Size()
 }

modules/git/repo_blob.go

@@ -9,5 +9,11 @@ func (repo *Repository) GetBlob(idStr string) (*Blob, error) {
 	if err != nil {
 		return nil, err
 	}
-	return repo.getBlob(id)
+	if id.IsZero() {
+		return nil, ErrNotExist{id.String(), ""}
+	}
+	return &Blob{
+		ID:   id,
+		repo: repo,
+	}, nil
 }

modules/git/repo_blob_gogit.go

@@ -53,14 +53,9 @@ func (te *TreeEntry) Size() int64 {
 
 // Blob returns the blob object the entry
 func (te *TreeEntry) Blob() *Blob {
-	encodedObj, err := te.ptree.repo.gogitRepo.Storer.EncodedObject(plumbing.AnyObject, te.toGogitTreeEntry().Hash)
-	if err != nil {
-		return nil
-	}
-
 	return &Blob{
-		ID:              te.ID,
-		gogitEncodedObj: encodedObj,
-		name:            te.Name(),
+		ID:   te.ID,
+		repo: te.ptree.repo,
+		name: te.Name(),
 	}
 }

modules/git/repo_blob_nogogit.go

@@ -255,7 +255,7 @@ func newMarkupRenderer(name string, sec ConfigSection) {
 	}
 
 	// ATTENTION! at the moment, only a safe set like "allow-scripts" are allowed for sandbox mode.
-	// "allow-same-origin" should never be used, it leads to XSS attack, and it makes the JS in iframe can access parent window's config and CSRF token
+	// "allow-same-origin" should NEVER be used, it leads to XSS attack: makes the JS in iframe can access parent window's config and send requests with user's credentials.
 	renderContentSandbox := sec.Key("RENDER_CONTENT_SANDBOX").MustString("allow-scripts allow-popups")
 	if renderContentSandbox == "disabled" {
 		renderContentSandbox = ""

modules/git/tree_entry_gogit.go

@@ -133,7 +133,7 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 
 	// FIXME: at the moment, no matter oauth2 is enabled or not, it must generate a "oauth2 JWT_SECRET"
 	// Because this secret is also used as GeneralTokenSigningSecret (as a quick not-that-breaking fix for some legacy problems).
-	// Including: CSRF token, account validation token, etc ...
+	// Including: account validation token, etc ...
 	// In main branch, the signing token should be refactored (eg: one unique for LFS/OAuth2/etc ...)
 	jwtSecretBase64 := loadSecret(sec, "JWT_SECRET_URI", "JWT_SECRET")
 	if InstallLock {