Changelog v1.13.6 (#15129 )

Fix bug on avatar middleware (#15125 )
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2021-03-23 15:44:50 -04:00 · 2021-03-23 18:45:06 +00:00 · 2021-03-22 16:27:21 -04:00 · 2021-03-22 15:15:44 -04:00 · 2021-03-21 18:03:52 +01:00
7 changed files with 33 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,16 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).

+## [1.13.6](https://github.com/go-gitea/gitea/releases/tag/v1.13.6) - 2021-03-23
+
+* SECURITY
+  * Fix bug on avatar middleware (#15124) (#15125)
+  * Fix another clusterfuzz identified issue (#15096) (#15114)
+* API
+  * Fix nil exeption for get pull reviews API #15104 (#15106)
+* BUGFIXES
+  * Fix markdown rendering in milestone content (#15056) (#15092)
+
 ## [1.13.5](https://github.com/go-gitea/gitea/releases/tag/v1.13.5) - 2021-03-21

 * SECURITY
@ -228,7 +238,7 @@ been added to each release, please refer to the [blog](https://blog.gitea.io).
  * Fix scrolling to resolved comment anchors (#13343) (#13371)
  * Storage configuration support `[storage]` (#13314) (#13379)
  * When creating line diffs do not split within an html entity (#13357) (#13375) (#13425) (#13427)
-  * Fix reactions on code comments (#13390) (#13401) 
+  * Fix reactions on code comments (#13390) (#13401)
  * Add missing full names when DEFAULT_SHOW_FULL_NAME is enabled (#13424)
  * Replies to outdated code comments should also be outdated (#13217) (#13433)
  * Fix panic bug in handling multiple references in commit (#13486) (#13487)
--- a/modules/convert/user.go
+++ b/modules/convert/user.go
@ -13,6 +13,10 @@ import (
 // ToUser convert models.User to api.User
 // signed shall only be set if requester is logged in. authed shall only be set if user is site admin or user himself
 func ToUser(user *models.User, signed, authed bool) *api.User {
+	if user == nil {
+		return nil
+	}
+
 	result := &api.User{
 		ID:        user.ID,
 		UserName:  user.Name,
--- a/modules/markup/html.go
+++ b/modules/markup/html.go
@ -312,7 +312,7 @@ func (ctx *postProcessCtx) postProcess(rawHTML []byte) ([]byte, error) {
 	_, _ = res.WriteString("<html><body>")

 	// Strip out nuls - they're always invalid
-	_, _ = nulCleaner.WriteString(res, string(tagCleaner.ReplaceAll(rawHTML, []byte("&lt;$1"))))
+	_, _ = res.Write(tagCleaner.ReplaceAll([]byte(nulCleaner.Replace(string(rawHTML))), []byte("&lt;$1")))

 	// close the tags
 	_, _ = res.WriteString("</body></html>")
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@ -13,6 +13,7 @@ import (
 	"net/http"
 	"os"
 	"path"
+	"path/filepath"
 	"strings"
 	"text/template"
 	"time"
@ -152,12 +153,21 @@ func storageHandler(storageSetting setting.Storage, prefix string, objStore stor
 			return
 		}

-		if !strings.HasPrefix(req.URL.RequestURI(), "/"+prefix) {
+		prefix := strings.Trim(prefix, "/")
+
+		if !strings.HasPrefix(req.URL.EscapedPath(), "/"+prefix+"/") {
 			return
 		}
+		rPath := strings.TrimPrefix(req.URL.EscapedPath(), "/"+prefix+"/")

-		rPath := strings.TrimPrefix(req.URL.RequestURI(), "/"+prefix)
 		rPath = strings.TrimPrefix(rPath, "/")
+		if rPath == "" {
+			ctx.Error(404, "file not found")
+			return
+		}
+		rPath = path.Clean("/" + filepath.ToSlash(rPath))
+		rPath = rPath[1:]
+
 		//If we have matched and access to release or issue
 		fr, err := objStore.Open(rPath)
 		if err != nil {
--- a/templates/repo/issue/milestone_issues.tmpl
+++ b/templates/repo/issue/milestone_issues.tmpl
@ -4,8 +4,8 @@
 	<div class="ui container">
 		<div class="ui three column stackable grid">
 			<div class="column">
-				<h3>{{.Milestone.Name}}</h3>
-				<div class="content">
+				<h1>{{.Milestone.Name}}</h1>
+				<div class="markdown content">
 					{{.Milestone.RenderedContent|Str2html}}
 				</div>
 			</div>
--- a/templates/repo/issue/milestones.tmpl
+++ b/templates/repo/issue/milestones.tmpl
@ -43,7 +43,7 @@
 		<div class="milestone list">
 			{{range .Milestones}}
 				<li class="item">
-					{{svg "octicon-milestone"}} <a href="{{$.RepoLink}}/milestone/{{.ID}}">{{.Name}}</a>
+					{{svg "octicon-milestone" 16 "mr-2"}} <a href="{{$.RepoLink}}/milestone/{{.ID}}">{{.Name}}</a>
 					<div class="ui right green progress" data-percent="{{.Completeness}}">
 						<div class="bar" {{if not .Completeness}}style="background-color: transparent"{{end}}>
 							<div class="progress"></div>
@ -80,7 +80,7 @@
 						</div>
 					{{end}}
 					{{if .Content}}
-						<div class="content">
+						<div class="markdown content">
 							{{.RenderedContent|Str2html}}
 						</div>
 					{{end}}
--- a/web_src/less/_repository.less
+++ b/web_src/less/_repository.less
@ -1320,6 +1320,7 @@
        padding-top: 5px;
        padding-right: 10px;
        color: #000000;
+        font-size: 1.5rem;

        &:hover {
          color: #4078c0;
Author	SHA1	Message	Date
6543	6dfa92bb1c	Changelog v1.13.6 (#15129 )	2021-03-23 15:44:50 -04:00
6543	151bedab52	Fix bug on avatar middleware (#15125 ) Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>	2021-03-23 18:45:06 +00:00
zeripath	6198403fbc	Fix another clusterfuzz identified issue (#15096 ) (#15114 ) Backport #15096 Signed-off-by: Andrew Thornton <art27@cantab.net> Co-authored-by: techknowlogick <techknowlogick@gitea.io>	2021-03-22 16:27:21 -04:00
a1012112796	a6290f603f	fix #15104 (#15106 ) Signed-off-by: a1012112796 <1012112796@qq.com>	2021-03-22 15:15:44 -04:00
silverwind	2f09e5775f	Fix markdown rendering in milestone content (#15056 ) (#15092 ) - Add missing markdown class for rendered markdown. - Increase font size of milestone name in list. Fixes: https://github.com/go-gitea/gitea/issues/15046	2021-03-21 18:03:52 +01:00