Gitea-John71/Gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-06-15 07:11:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9b8bfdceb13511b2da979ffc58722bd70141ce04
Gitea/modules
History
Giteabot 9b8bfdceb1 fix: bound debian ParseControlFile to a single control stanza (#38044) (#38055) 
Backport #38044 by @metsw24-max

**Packages-index stanza injection via Debian control file**

A `.deb` whose `control` file appends extra paragraphs after a blank
line was still accepted, and `ParseControlFile` stored the whole
multi-stanza blob in `p.Control`. That blob is re-emitted verbatim into
the generated `Packages` index, so the embedded blank line splits it
into separate stanzas and an uploader can smuggle a package entry with
an attacker-chosen `Filename` into the shared index. A binary control
file only holds one stanza, so parsing now stops at the blank line that
terminates it; well-formed packages are unaffected and the new subtest
covers the trailing-stanza case.

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: metsw24-max <metsw24@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: bircni <bircni@icloud.com>
2026-06-14 14:29:27 +00:00
..
actions
fix(actions): exclude workflow_call from workflow trigger detection (#37894) (#37899)
2026-05-29 06:40:50 +00:00
analyze
Fix incorrect vendored detections (#36508)
2026-02-01 10:35:51 +00:00
assetfs
Fix theme discovery and Vite dev server in dev mode (#37033)
2026-03-30 14:59:10 +00:00
auth
Update Go dependencies (#36781)
2026-04-01 11:26:52 +08:00
avatar
Refactor avatar package, support default avatar fallback (#36788)
2026-03-01 13:32:35 +00:00
badge
base
Fix incorrect setting loading order (#36735)
2026-02-24 23:46:08 +08:00
cache
enforce explanation for necessary nolints and fix bugs (#34883)
2025-06-27 21:48:03 +08:00
cachegroup
charset
Improve control char rendering and escape button styling (#37094)
2026-04-06 11:07:33 +00:00
commitstatus
Update Combine method to treat warnings as failures and adjust tests (#37048)
2026-03-31 17:22:18 +00:00
container
csv
Disable Field count validation of CSV viewer (#35228)
2025-09-04 09:54:58 -07:00
dump
fix: dump with default zip type produces uncompressed zip (#37401) (#37402)
2026-04-24 17:45:10 +08:00
emoji
Update emoji data for Unicode 16 (#36596)
2026-02-12 21:39:36 +00:00
eventsource
Add more check for stopwatch read or list (#36340)
2026-01-13 13:13:39 +00:00
fileicon
Add FOLDER_ICON_THEME configuration option (#36496)
2026-01-30 20:48:56 +00:00
generate
Fix various bugs (#37096)
2026-04-03 20:03:59 +00:00
git
fix: git cmd (#38084) (#38087)
2026-06-12 21:28:13 +08:00
gitrepo
fix: git cmd (#38084) (#38087)
2026-06-12 21:28:13 +08:00
glob
Replace gobwas/glob package (#35478)
2025-09-13 18:01:00 +00:00
globallock
Upgrade golang to 1.25.1 and add descriptions for the swagger structs' fields (#35418)
2025-09-06 16:52:41 +00:00
graceful
Migrate from webpack to vite (#37002)
2026-03-29 10:24:30 +00:00
gtprof
Add start time on perf trace because it seems some steps haven't been recorded. (#35282)
2025-08-18 15:17:19 +00:00
hcaptcha
Clean up Makefile, tests and legacy code (#36638)
2026-02-19 01:23:32 +00:00
highlight
fix: http content file render (#37850) (#37856)
2026-05-26 06:41:47 +00:00
hostmatcher
fix(hostmatcher): block reserved IP ranges from external/private filters (#38039) (#38059)
2026-06-10 12:05:23 +02:00
htmlutil
Fix markup heading parsing, fix emphasis parsing (#36284)
2026-01-23 20:24:58 +00:00
httpcache
Refactor avatar package, support default avatar fallback (#36788)
2026-03-01 13:32:35 +00:00
httplib
Make ServeSetHeaders default to download attachment if filename exists (#37552) (#37555)
2026-05-05 18:21:07 +00:00
indexer
Improve control char rendering and escape button styling (#37094)
2026-04-06 11:07:33 +00:00
issue/template
Limit reading bytes instead of ReadAll (#35928)
2025-11-12 19:44:49 +08:00
json
Fix corrupted JSON caused by goccy library (#37214) (#37220)
2026-04-14 17:24:39 +00:00
label
Run gopls modernize on codebase (#34751)
2025-06-18 01:48:09 +00:00
lfs
Feature non-zipped actions artifacts (action v7) (#36786)
2026-03-26 00:37:48 +08:00
lfstransfer
Correct spelling (#36783)
2026-02-28 11:23:20 -08:00
log
fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564) (#37588) (#37726)
2026-05-16 14:15:53 +00:00
markup
fix(actions): keep action run title clickable when commit subject is a URL (#37867) (#37898)
2026-05-29 07:59:47 +02:00
mcaptcha
metrics
Remove incorrect "db.DefaultContext" usages (#35366)
2025-08-28 03:52:43 +00:00
migration
feat(api): encrypt AWS creds (#37679) (#37713)
2026-05-15 15:58:19 +02:00
nosql
Refactor git command context & pipeline (#36406)
2026-01-21 01:35:14 +00:00
optional
Fix API not persisting pull request unit config when has_pull_requests is not set (#36718)
2026-03-02 22:08:53 +00:00
options
Refactor embedded assets and drop unnecessary dependencies (#34692)
2025-06-12 03:59:33 +00:00
packages
fix: bound debian ParseControlFile to a single control stanza (#38044) (#38055)
2026-06-14 14:29:27 +00:00
paginator
pprof
private
feat: Add configurable permissions for Actions automatic tokens (#36173)
2026-03-21 15:39:47 -07:00
process
Refactor git command context & pipeline (#36406)
2026-01-21 01:35:14 +00:00
proxy
Replace gobwas/glob package (#35478)
2025-09-13 18:01:00 +00:00
proxyprotocol
public
Frontend iframe renderer framework: 3D models, OpenAPI (#37233) (#37273)
2026-04-18 16:02:18 +08:00
queue
Refactor git command context & pipeline (#36406)
2026-01-21 01:35:14 +00:00
recaptcha
Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (#36861)
2026-03-08 15:57:37 +00:00
references
Support closing keywords with URL references (#36221)
2025-12-27 09:05:24 -08:00
regexplru
repository
feat: Add configurable permissions for Actions automatic tokens (#36173)
2026-03-21 15:39:47 -07:00
reqctx
Run gopls modernize on codebase (#34751)
2025-06-18 01:48:09 +00:00
secret
session
Clean up Makefile, tests and legacy code (#36638)
2026-02-19 01:23:32 +00:00
setting
fix!: add DEFAULT_TITLE_SOURCE setting for pull request title default behavior (#37465) (#37766)
2026-05-18 11:01:09 -07:00
sitemap
ssh
Update x/crypto package and make builtin SSH use default parameters (#34667)
2025-06-09 19:51:02 +00:00
storage
Feature non-zipped actions artifacts (action v7) (#36786)
2026-03-26 00:37:48 +08:00
structs
Add webhook name field to improve webhook identification (#37025) (#37040)
2026-04-01 09:56:20 +08:00
svg
Add render cache for SVG icons (#36863)
2026-03-10 05:26:16 +00:00
system
Remove incorrect "db.DefaultContext" usages (#35366)
2025-08-28 03:52:43 +00:00
tailmsg
tempdir
Address some CodeQL security concerns (#35572)
2025-10-04 01:21:26 +08:00
templates
fix(actions): keep action run title clickable when commit subject is a URL (#37867) (#37898)
2026-05-29 07:59:47 +02:00
test
Swift registry metadata: preserve more JSON fields and accept empty metadata (#37254) (#37261)
2026-04-17 23:36:48 +02:00
testlogger
Clean up Makefile, tests and legacy code (#36638)
2026-02-19 01:23:32 +00:00
timeutil
Clean up Makefile, tests and legacy code (#36638)
2026-02-19 01:23:32 +00:00
translation
Fix various trivial problems (#36953)
2026-03-23 18:23:42 +00:00
turnstile
typesniffer
Feature non-zipped actions artifacts (action v7) (#36786)
2026-03-26 00:37:48 +08:00
updatechecker
uri
user
util
FIX: URL sanitization to handle schemeless credentials (#37440) (#37471)
2026-04-28 21:35:18 +00:00
validation
Fix corrupted JSON caused by goccy library (#37214) (#37220)
2026-04-14 17:24:39 +00:00
web
Fix RPM Registry 404 when package name contains 'package' (#37087)
2026-04-03 06:12:04 +00:00
webhook
actions: report commit status for pull_request_review events (#36589)
2026-02-20 16:12:22 +00:00
zstd
Refactor embedded assets and drop unnecessary dependencies (#34692)
2025-06-12 03:59:33 +00:00