Closes #27455
> The mechanism responsible for long-term authentication (the 'remember
me' cookie) uses a weak construction technique. It will hash the user's
hashed password and the rands value; it will then call the secure cookie
code, which will encrypt the user's name with the computed hash. If one
were able to dump the database, they could extract those two values to
rebuild that cookie and impersonate a user. That vulnerability exists
from the date the dump was obtained until a user changed their password.
>
> To fix this security issue, the cookie could be created and verified
using a different technique such as the one explained at
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#secure-remember-me-cookies.
The PR removes the now obsolete setting `COOKIE_USERNAME`.
1. `make build` fails because `||` and `&&` have the same precedence in
sh/bash, so the `false` command always evaluated (leading to an error).
```
+ which gmake /usr/local/bin/gmake
+ false
*** Failed target: .BEGIN
*** Failed command: which "gmake" || printf "Error: GNU Make is
required!\n\n" 1>&2 && false
*** Error code 1
```
2. When `GPREFIX` is set to an empty string with quotation marks,
`gmake` mistakenly thinks that it's a file name:
``` gmake: *** empty string invalid as file name. Stop. ```
1. Dropzone attachment removal, pretty simple replacement
2. Image diff: The previous code fetched every image twice, once via
`img[src]` and once via `$.ajax`. Now it's only fetched once and a
second time only when necessary. The image diff code was partially
rewritten.
---------
Co-authored-by: Giteabot <teabot@gitea.io>
assert.Fail() will continue to execute the code while assert.FailNow()
not. I thought those uses of assert.Fail() should exit immediately.
PS: perhaps it's a good idea to use
[require](https://pkg.go.dev/github.com/stretchr/testify/require)
somewhere because the assert package's default behavior does not exit
when an error occurs, which makes it difficult to find the root error
reason.
- Currently in the cron tasks, the 'Previous Time' only displays the
previous time of when the cron library executes the function, but not
any of the manual executions of the task.
- Store the last run's time in memory in the Task struct and use that,
when that time is later than time that the cron library has executed
this task.
- This ensures that if an instance admin manually starts a task, there's
feedback that this task is/has been run, because the task might be run
that quick, that the status icon already has been changed to an
checkmark,
- Tasks that are executed at startup now reflect this as well, as the
time of the execution of that task on startup is now being shown as
'Previous Time'.
- Added integration tests for the API part, which is easier to test
because querying the HTML table of cron tasks is non-trivial.
- Resolves https://codeberg.org/forgejo/forgejo/issues/949
(cherry picked from commit fd34fdac1408ece6b7d9fe6a76501ed9a45d06fa)
---------
Co-authored-by: Gusted <postmaster@gusted.xyz>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: silverwind <me@silverwind.io>
Fix #27541
The INI package has a quirk: by default, the keys are inherited.
When maintaining the keys, the newly added sub key should not be
affected by the parent key.
Follow #27354
Major changes:
1. The `right aligned` in `<th class="one wide right aligned">` is a
no-op because it doesn't have any content
2. The `gt-df` in `<td class="sha gt-df">` was wrong, it causes UI
misalignment, a table cell shouldn't be "flex"
3. Use `gt-py-0` for `gt-pt-0 gt-pb-0`
4. Simplify the layout for buttons, because the `text right aligned` is
widely used and good enough, it doesn't make sense to introduce the
`<div class="gt-df gt-je">`
5. Escape the `$.FileName` correctly
Before:
![image](https://github.com/go-gitea/gitea/assets/2114189/eb2ced3f-1dad-4149-9ed2-aee4c0663621)
After:
![image](https://github.com/go-gitea/gitea/assets/2114189/08244b61-416b-4279-b495-029bc0a96f67)
This script was trying to be too smart, make it more straightforward and
less error-prone so that i could be used by the backport bot too
ideally.
- Always delete the backport branch so that script is idempotent in this
regard
- Remove the push functionality, it's best done by the user because only
they know the remote name
- Remove reading docs/config.yaml, it no longer exists
- Remove version detection, version is now a required argument
- Remove opening the pull request with xdg-open, xdg-open is not
portable
- Remove continue from failed cherry pick. It's best to reset manually
in this case
- Clean up the console logging
Example run:
```
$ go run ./contrib/backport --version v1.21 27503
* Backporting 27503 to origin/release/v1.21 as backport-27503-v1.21
* `git fetch origin main`
* `git fetch origin release/v1.21`
* `git branch -D backport-27503-v1.21`
* `git checkout -b backport-27503-v1.21 origin/release/v1.21`
* Attempting git cherry-pick 08efeb5cdc
* Amending commit to prepend `Backport #27503` to body
Backport done! You can now push it with `git push yourremote backport-27503-v1.21`
```
---------
Co-authored-by: delvh <dev.lh@web.de>
Alternative to https://github.com/go-gitea/gitea/pull/27439. Removes a
few spammy labels, and disables `sync-labels` which make it never remove
labels (which is default behaviour).
This patch adds a hover background for the wiki row in wiki list page,
which make its behavior more close to repo's file list page.
This patch also make the wiki-git-entry visible on the row is hovered
instead of the cel, so users won't be confused since the 'grid' is not
visible from the web page.
After the patch: (when the wiki named 'Home' is hovered)
![image](https://github.com/go-gitea/gitea/assets/10095765/f6c67c41-ad54-4ce4-a3b1-8c7551396ce0)