Merge branch 'main' into fix-doc

cmd/cert.go

@@ -43,7 +43,7 @@ Outputs to 'cert.pem' and 'key.pem' and will overwrite existing files.`,
 		},
 		&cli.IntFlag{
 			Name:  "rsa-bits",
-			Value: 2048,
+			Value: 3072,
 			Usage: "Size of RSA key to generate. Ignored if --ecdsa-curve is set",
 		},
 		&cli.StringFlag{

custom/conf/app.example.ini

@@ -1339,7 +1339,7 @@ LEVEL = Info
 ;; Define allowed algorithms and their minimum key length (use -1 to disable a type)
 ;ED25519 = 256
 ;ECDSA = 256
-;RSA = 2047 ; we allow 2047 here because an otherwise valid 2048 bit RSA key can be reported as having 2047 bit length
+;RSA = 3071 ; we allow 3071 here because an otherwise valid 3072 bit RSA key can be reported as having 3071 bit length
 ;DSA = -1 ; set to 1024 to switch on
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

docker/root/etc/s6/openssh/setup

@@ -11,7 +11,7 @@ fi
 
 if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
     echo "Generating /data/ssh/ssh_host_rsa_key..."
-    ssh-keygen -t rsa -b 2048 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
+    ssh-keygen -t rsa -b 3072 -f /data/ssh/ssh_host_rsa_key -N "" > /dev/null
 fi
 
 if [ ! -f /data/ssh/ssh_host_ecdsa_key ]; then

docs/content/administration/command-line.en-us.md

@@ -313,7 +313,7 @@ directory and will overwrite any existing files.
   - `--ecdsa-curve value`: ECDSA curve to use to generate a key. Optional. Valid options
     are P224, P256, P384, P521.
   - `--rsa-bits value`: Size of RSA key to generate. Optional. Ignored if --ecdsa-curve is
-    set. (default: 2048).
+    set. (default: 3072).
   - `--start-date value`: Creation date. Optional. (format: `Jan 1 15:04:05 2011`).
   - `--duration value`: Duration which the certificate is valid for. Optional. (default: 8760h0m0s)
   - `--ca`: If provided, this cert generates it's own certificate authority. Optional.

docs/content/administration/command-line.zh-cn.md

@@ -295,7 +295,7 @@ menu:
 - 选项：
   - `--host value`：逗号分隔的主机名和IP地址列表，此证书适用于这些主机。支持使用通配符。必填。
   - `--ecdsa-curve value`：用于生成密钥的ECDSA曲线。可选。有效选项为P224、P256、P384、P521。
-  - `--rsa-bits value`：要生成的RSA密钥的大小。可选。如果设置了--ecdsa-curve，则忽略此选项。（默认值：2048）。
+  - `--rsa-bits value`：要生成的RSA密钥的大小。可选。如果设置了--ecdsa-curve，则忽略此选项。（默认值：3072）。
   - `--start-date value`：证书的创建日期。可选。（格式：`Jan 1 15:04:05 2011`）。
   - `--duration value`：证书有效期。可选。（默认值：8760h0m0s）
   - `--ca`：如果提供此选项，则证书将生成自己的证书颁发机构。可选。

docs/content/administration/config-cheat-sheet.en-us.md

@@ -681,7 +681,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 
 - `ED25519`: **256**
 - `ECDSA`: **256**
-- `RSA`: **2047**: We set 2047 here because an otherwise valid 2048 RSA key can be reported as 2047 length.
+- `RSA`: **3071**: We set 3071 here because an otherwise valid 3072 RSA key can be reported as 3071 length.
 - `DSA`: **-1**: DSA is now disabled by default. Set to **1024** to re-enable but ensure you may need to reconfigure your SSHD provider
 
 ## Webhook (`webhook`)

docs/content/administration/config-cheat-sheet.zh-cn.md

@@ -648,7 +648,7 @@ Gitea 创建以下非唯一队列：
 
 - `ED25519`：**256**
 - `ECDSA`：**256**
-- `RSA`：**2047**：我们在这里设置为2047，因为一个其他方面有效的2048 RSA密钥可能被报告为2047长度。
+- `RSA`：**3071**：我们在这里设置为2047，因为一个其他方面有效的3072 RSA密钥可能被报告为3071长度。
 - `DSA`：**-1**：默认情况下禁用DSA。设置为**1024**以重新启用，但请注意可能需要重新配置您的SSHD提供者
 
 ## Webhook (`webhook`)

modules/activitypub/user_settings.go

@@ -8,7 +8,7 @@ import (
 	"code.gitea.io/gitea/modules/util"
 )
 
-const rsaBits = 2048
+const rsaBits = 3072
 
 // GetKeyPair function returns a user's private and public keys
 func GetKeyPair(user *user_model.User) (pub, priv string, err error) {

modules/log/event_writer_base.go

@@ -90,7 +90,7 @@ func (b *EventWriterBaseImpl) Run(ctx context.Context) {
 
 			if exprRegexp != nil {
 				fileLineCaller := fmt.Sprintf("%s:%d:%s", event.Origin.Filename, event.Origin.Line, event.Origin.Caller)
-				matched := exprRegexp.Match([]byte(fileLineCaller)) || exprRegexp.Match([]byte(event.Origin.MsgSimpleText))
+				matched := exprRegexp.MatchString(fileLineCaller) || exprRegexp.MatchString(event.Origin.MsgSimpleText)
 				if !matched {
 					continue
 				}

modules/repository/branch.go

@@ -106,23 +106,23 @@ func SyncRepoBranchesWithRepo(ctx context.Context, repo *repo_model.Repository,
 		return int64(len(allBranches)), nil
 	}
 
-	if err := db.WithTx(ctx, func(subCtx context.Context) error {
+	if err := db.WithTx(ctx, func(ctx context.Context) error {
 		if len(toAdd) > 0 {
-			if err := git_model.AddBranches(subCtx, toAdd); err != nil {
+			if err := git_model.AddBranches(ctx, toAdd); err != nil {
 				return err
 			}
 		}
 
 		for _, b := range toUpdate {
-			if _, err := db.GetEngine(subCtx).ID(b.ID).
+			if _, err := db.GetEngine(ctx).ID(b.ID).
 				Cols("commit_id, commit_message, pusher_id, commit_time, is_deleted").
 				Update(b); err != nil {
 				return err
 			}
 		}
 
 		if len(toRemove) > 0 {
-			if err := git_model.DeleteBranches(subCtx, repo.ID, doerID, toRemove); err != nil {
+			if err := git_model.DeleteBranches(ctx, repo.ID, doerID, toRemove); err != nil {
 				return err
 			}
 		}

modules/setting/ssh.go

@@ -60,7 +60,7 @@ var SSH = struct {
 	ServerMACs:                    []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"},
 	KeygenPath:                    "",
 	MinimumKeySizeCheck:           true,
-	MinimumKeySizes:               map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 2047},
+	MinimumKeySizes:               map[string]int{"ed25519": 256, "ed25519-sk": 256, "ecdsa": 256, "ecdsa-sk": 256, "rsa": 3071},
 	ServerHostKeys:                []string{"ssh/gitea.rsa", "ssh/gogs.rsa"},
 	AuthorizedKeysCommandTemplate: "{{.AppPath}} --config={{.CustomConf}} serv key-{{.Key.ID}}",
 	PerWriteTimeout:               PerWriteTimeout,

modules/structs/secret.go

@@ -14,21 +14,9 @@ type Secret struct {
 	Created time.Time `json:"created_at"`
 }
 
-// CreateSecretOption options when creating secret
+// CreateOrUpdateSecretOption options when creating or updating secret
 // swagger:model
-type CreateSecretOption struct {
-	// Name of the secret to create
-	//
-	// required: true
-	// unique: true
-	Name string `json:"name" binding:"Required;AlphaDashDot;MaxSize(100)"`
-	// Data of the secret to create
-	Data string `json:"data" binding:"Required"`
-}
-
-// UpdateSecretOption options when updating secret
-// swagger:model
-type UpdateSecretOption struct {
+type CreateOrUpdateSecretOption struct {
 	// Data of the secret to update
 	//
 	// required: true

options/license/GNU-compiler-exception

@@ -0,0 +1,6 @@
+As a special exception, if you link this library with files
+compiled with a GNU compiler to produce an executable, this
+does not cause the resulting executable to be covered by
+the GNU General Public License. This exception does not
+however invalidate any other reasons why the executable
+file might be covered by the GNU General Public License.

options/license/MIT-testregex

@@ -0,0 +1,17 @@
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of THIS SOFTWARE FILE (the "Software"), to deal in the Software
+ * without restriction, including without limitation the rights to use,
+ * copy, modify, merge, publish, distribute, and/or sell copies of the
+ * Software, and to permit persons to whom the Software is furnished to do
+ * so, subject to the following disclaimer:
+ *
+ * THIS SOFTWARE IS PROVIDED BY AT&T ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL AT&T BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

options/license/SANE-exception

@@ -0,0 +1,20 @@
+As a special exception, the authors of sane-airscan give permission for
+additional uses of the libraries contained in this release of sane-airscan.
+
+The exception is that, if you link a sane-airscan library with other files
+to produce an executable, this does not by itself cause the
+resulting executable to be covered by the GNU General Public
+License. Your use of that executable is in no way restricted on
+account of linking the sane-airscan library code into it.
+
+This exception does not, however, invalidate any other reasons why
+the executable file might be covered by the GNU General Public
+License.
+
+If you submit changes to sane-airscan to the maintainers to be included in
+a subsequent release, you agree by submitting the changes that
+those changes may be distributed with this exception intact.
+
+If you write modifications of your own for sane-airscan, it is your choice
+whether to permit this exception to apply to your modifications.
+If you do not wish that, delete this exception notice.

options/license/Soundex

@@ -1,7 +1,9 @@
-# (c) Copyright 1998-2007 by Mark Mielke # # Freedom to use
-these sources for whatever you want, as long as credit # is
-given where credit is due, is hereby granted. You may make
-modifications # where you see fit but leave this copyright
-somewhere visible. As well, try # to initial any changes you
-make so that if I like the changes I can # incorporate them
-into later versions. # # - Mark Mielke <mark@mielke.cc>
+(c) Copyright 1998-2007 by Mark Mielke
+
+Freedom to use these sources for whatever you want, as long as credit
+is given where credit is due, is hereby granted. You may make modifications
+where you see fit but leave this copyright somewhere visible. As well, try
+to initial any changes you make so that if I like the changes I can
+incorporate them into later versions.
+
+     - Mark Mielke <mark@mielke.cc>

options/license/TTYP0

@@ -0,0 +1,29 @@
+THE TTYP0 LICENSE
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this font software and associated files (the "Software"),
+to deal in the Software without restriction, including without
+limitation the rights to use, copy, modify, merge, publish,
+distribute, embed, sublicense, and/or sell copies of the Software,
+and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+(1) The above copyright notice, this permission notice, and the
+    disclaimer below shall be included in all copies or substantial
+    portions of the Software.
+
+(2) If the design of any glyphs in the fonts that are contained in the
+    Software or generated during the installation process is modified
+    or if additional glyphs are added to the fonts, the fonts
+    must be renamed. The new names may not contain the word "UW",
+    irrespective of capitalisation; the new names may contain the word
+    "ttyp0", irrespective of capitalisation, only if preceded by a
+    foundry name different from "UW".
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

options/license/libpng-2.0

@@ -10,7 +10,7 @@ PNG Reference Library License version 2
 The software is supplied "as is", without warranty of any kind,
 express or implied, including, without limitation, the warranties
 of merchantability, fitness for a particular purpose, title, and
-non-infringement.  In no even shall the Copyright owners, or
+non-infringement.  In no event shall the Copyright owners, or
 anyone distributing the software, be liable for any damages or
 other liability, whether in contract, tort or otherwise, arising
 from, out of, or in connection with the software, or the use or

options/license/stunnel-exception

@@ -0,0 +1,5 @@
+Linking stunnel statically or dynamically with other modules is making a combined work based on stunnel. Thus, the terms and conditions of the GNU General Public License cover the whole combination.
+
+In addition, as a special exception, the copyright holder of stunnel gives you permission to combine stunnel with free software programs or libraries that are released under the GNU LGPL and with code included in the standard release of OpenSSL under the OpenSSL License (or modified versions of such code, with unchanged license). You may copy and distribute such a system following the terms of the GNU GPL for stunnel and the licenses of the other code concerned.
+
+Note that people who make modified versions of stunnel are not obligated to grant this special exception for their modified versions; it is their choice whether to do so. The GNU General Public License gives permission to release a modified version without this exception; this exception also makes it possible to release a modified version which carries forward this exception.

routers/api/packages/cargo/cargo.go

@@ -16,6 +16,8 @@ import (
 	"code.gitea.io/gitea/modules/log"
 	packages_module "code.gitea.io/gitea/modules/packages"
 	cargo_module "code.gitea.io/gitea/modules/packages/cargo"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/structs"
 	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/routers/api/packages/helper"
 	"code.gitea.io/gitea/services/convert"
@@ -48,7 +50,7 @@ func apiError(ctx *context.Context, status int, obj any) {
 
 // https://rust-lang.github.io/rfcs/2789-sparse-index.html
 func RepositoryConfig(ctx *context.Context) {
-	ctx.JSON(http.StatusOK, cargo_service.BuildConfig(ctx.Package.Owner))
+	ctx.JSON(http.StatusOK, cargo_service.BuildConfig(ctx.Package.Owner, setting.Service.RequireSignInView || ctx.Package.Owner.Visibility != structs.VisibleTypePublic))
 }
 
 func EnumeratePackageVersions(ctx *context.Context) {

routers/api/v1/api.go

@@ -1300,9 +1300,8 @@ func Routes() *web.Route {
 			})
 			m.Group("/actions/secrets", func() {
 				m.Get("", reqToken(), reqOrgOwnership(), org.ListActionsSecrets)
-				m.Post("", reqToken(), reqOrgOwnership(), bind(api.CreateSecretOption{}), org.CreateOrgSecret)
 				m.Combo("/{secretname}").
-					Put(reqToken(), reqOrgOwnership(), bind(api.UpdateSecretOption{}), org.UpdateOrgSecret).
+					Put(reqToken(), reqOrgOwnership(), bind(api.CreateOrUpdateSecretOption{}), org.CreateOrUpdateOrgSecret).
 					Delete(reqToken(), reqOrgOwnership(), org.DeleteOrgSecret)
 			})
 			m.Group("/public_members", func() {

routers/api/v1/org/action.go

@@ -12,7 +12,6 @@ import (
 	"code.gitea.io/gitea/modules/web"
 	"code.gitea.io/gitea/routers/api/v1/utils"
 	"code.gitea.io/gitea/routers/web/shared/actions"
-	"code.gitea.io/gitea/services/convert"
 )
 
 // ListActionsSecrets list an organization's actions secrets
@@ -74,55 +73,11 @@ func listActionsSecrets(ctx *context.APIContext) {
 	ctx.JSON(http.StatusOK, apiSecrets)
 }
 
-// CreateOrgSecret create one secret of the organization
-func CreateOrgSecret(ctx *context.APIContext) {
-	// swagger:operation POST /orgs/{org}/actions/secrets organization createOrgSecret
-	// ---
-	// summary: Create a secret in an organization
-	// consumes:
-	// - application/json
-	// produces:
-	// - application/json
-	// parameters:
-	// - name: org
-	//   in: path
-	//   description: name of organization
-	//   type: string
-	//   required: true
-	// - name: body
-	//   in: body
-	//   schema:
-	//     "$ref": "#/definitions/CreateSecretOption"
-	// responses:
-	//   "201":
-	//     "$ref": "#/responses/Secret"
-	//   "400":
-	//     "$ref": "#/responses/error"
-	//   "404":
-	//     "$ref": "#/responses/notFound"
-	//   "403":
-	//     "$ref": "#/responses/forbidden"
-	opt := web.GetForm(ctx).(*api.CreateSecretOption)
-	if err := actions.NameRegexMatch(opt.Name); err != nil {
-		ctx.Error(http.StatusBadRequest, "CreateOrgSecret", err)
-		return
-	}
-	s, err := secret_model.InsertEncryptedSecret(
-		ctx, ctx.Org.Organization.ID, 0, opt.Name, actions.ReserveLineBreakForTextarea(opt.Data),
-	)
-	if err != nil {
-		ctx.Error(http.StatusInternalServerError, "InsertEncryptedSecret", err)
-		return
-	}
-
-	ctx.JSON(http.StatusCreated, convert.ToSecret(s))
-}
-
-// UpdateOrgSecret update one secret of the organization
-func UpdateOrgSecret(ctx *context.APIContext) {
+// create or update one secret of the organization
+func CreateOrUpdateOrgSecret(ctx *context.APIContext) {
 	// swagger:operation PUT /orgs/{org}/actions/secrets/{secretname} organization updateOrgSecret
 	// ---
-	// summary: Update a secret value in an organization
+	// summary: Create or Update a secret value in an organization
 	// consumes:
 	// - application/json
 	// produces:
@@ -141,19 +96,34 @@ func UpdateOrgSecret(ctx *context.APIContext) {
 	// - name: body
 	//   in: body
 	//   schema:
-	//     "$ref": "#/definitions/UpdateSecretOption"
+	//     "$ref": "#/definitions/CreateOrUpdateSecretOption"
 	// responses:
+	//   "201":
+	//     description: response when creating a secret
 	//   "204":
-	//     description: update one secret of the organization
+	//     description: response when updating a secret
+	//   "400":
+	//     "$ref": "#/responses/error"
 	//   "403":
 	//     "$ref": "#/responses/forbidden"
 	secretName := ctx.Params(":secretname")
-	opt := web.GetForm(ctx).(*api.UpdateSecretOption)
+	if err := actions.NameRegexMatch(secretName); err != nil {
+		ctx.Error(http.StatusBadRequest, "CreateOrUpdateOrgSecret", err)
+		return
+	}
+	opt := web.GetForm(ctx).(*api.CreateOrUpdateSecretOption)
 	err := secret_model.UpdateSecret(
 		ctx, ctx.Org.Organization.ID, 0, secretName, opt.Data,
 	)
 	if secret_model.IsErrSecretNotFound(err) {
-		ctx.NotFound(err)
+		_, err := secret_model.InsertEncryptedSecret(
+			ctx, ctx.Org.Organization.ID, 0, secretName, actions.ReserveLineBreakForTextarea(opt.Data),
+		)
+		if err != nil {
+			ctx.Error(http.StatusInternalServerError, "InsertEncryptedSecret", err)
+			return
+		}
+		ctx.Status(http.StatusCreated)
 		return
 	}
 	if err != nil {

routers/api/v1/swagger/options.go

@@ -189,8 +189,5 @@ type swaggerParameterBodies struct {
 	UpdateRepoAvatarOptions api.UpdateRepoAvatarOption
 
 	// in:body
-	CreateSecretOption api.CreateSecretOption
-
-	// in:body
-	UpdateSecretOption api.UpdateSecretOption
+	CreateOrUpdateSecretOption api.CreateOrUpdateSecretOption
 }