Skip to content

Comments

Limit reading bytes instead of ReadAll (#35928)#35934

Merged
wxiaoguang merged 1 commit intogo-gitea:release/v1.25from
GiteaBot:backport-35928-v1.25
Nov 12, 2025
Merged

Limit reading bytes instead of ReadAll (#35928)#35934
wxiaoguang merged 1 commit intogo-gitea:release/v1.25from
GiteaBot:backport-35928-v1.25

Conversation

@GiteaBot
Copy link
Collaborator

@GiteaBot GiteaBot commented Nov 12, 2025
edited by wxiaoguang
Loading

Backport #35928 by wxiaoguang

@GiteaBot GiteaBot added modifies/frontend modifies/go Pull requests that update Go code type/bug labels Nov 12, 2025
@GiteaBot GiteaBot added this to the 1.25.2 milestone Nov 12, 2025
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 12, 2025
@wxiaoguang wxiaoguang changed the title Limit read bytes instead of ReadAll (#35928) Limit reading bytes instead of ReadAll (#35928) Nov 12, 2025
@wxiaoguang wxiaoguang enabled auto-merge (squash) November 12, 2025 11:45
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Nov 12, 2025
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Nov 12, 2025
@silverwind silverwind disabled auto-merge November 12, 2025 18:26
@wxiaoguang wxiaoguang merged commit 01fa8b2 into go-gitea:release/v1.25 Nov 12, 2025
26 checks passed
@delvh
Copy link
Member

delvh commented Nov 13, 2025

It does sound a little bit strange to me to backport a possibly breaking change for users.

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Nov 13, 2025

It does sound a little bit strange to me to backport a possibly breaking change for users.

How does it break?

And it indeed is a "security fix" to avoid DoS attack.

@delvh
Copy link
Member

delvh commented Nov 13, 2025

Let's assume you had a large workflow file.
You do a minor version upgrade and suddenly it doesn't work as intended anymore.

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Nov 13, 2025

Let's assume you had a large workflow file. You do a minor version upgrade and suddenly it doesn't work as intended anymore.

Why a workflow file can be that large?

@delvh
Copy link
Member

delvh commented Nov 13, 2025

I don't know, humans are strange.
The chance of anyone being affected is really low, but it is not 0.

@wxiaoguang
Copy link
Contributor

wxiaoguang commented Nov 13, 2025

Hmm, let's wait and see. I will handle related issue reports.

zjjhot added a commit to zjjhot/gitea that referenced this pull request Nov 24, 2025
@zjjhot
Merge remote-tracking branch 'giteaofficial/release/v1.25'
0a09b13 
* giteaofficial/release/v1.25: (77 commits)
  Add "site admin" back to profile menu (go-gitea#36010) (go-gitea#36013)
  release notes for 1.25.2 (go-gitea#35986)
  Allow empty commit when merging pull request with squash style (go-gitea#35989) (go-gitea#36003)
  Fix various permission & login related bugs (go-gitea#36002) (go-gitea#36004)
  upgrade golang.org/x/crypto to 0.45.0 (go-gitea#35988)
  Change project default column icon to 'star' (go-gitea#35967) (go-gitea#35979)
  Misc CSS fixes (go-gitea#35888) (go-gitea#35981)
  Fix container push tag overwriting (go-gitea#35936) (go-gitea#35954)
  Fix corrupted external render content (go-gitea#35946) (go-gitea#35950)
  Don't show unnecessary error message to end users for DeleteBranchAfterMerge (go-gitea#35937) (go-gitea#35941)
  Limit read bytes instead of ReadAll (go-gitea#35928) (go-gitea#35934)
  Load jQuery as early as possible to support custom scripts (go-gitea#35926) (go-gitea#35929)
  Allow to display embed images/pdfs when SERVE_DIRECT was enabled on MinIO storage (go-gitea#35882) (go-gitea#35917)
  Use correct form field for allowed force push users in branch protection API (go-gitea#35894) (go-gitea#35908)
  Make OAuth2 issuer configurable (go-gitea#35915) (go-gitea#35916)
  Fix go-gitea#35763: Add proper page title for project pages (go-gitea#35773) (go-gitea#35909)
  Display source code downloads last for release attachments (go-gitea#35897) (go-gitea#35903)
  Fix team member access check (go-gitea#35899) (go-gitea#35905)
  Fix conda null depend issue (go-gitea#35900) (go-gitea#35902)
  Fix avatar upload error handling (go-gitea#35887) (go-gitea#35890)
  ...

# Conflicts:
#	go.mod
#	go.sum
#	models/actions/run_test.go
#	models/fixtures/action_run.yml
#	models/fixtures/action_run_job.yml
#	models/fixtures/action_task.yml
#	models/fixtures/branch.yml
#	models/fixtures/repo_unit.yml
#	modules/git/tree_entry_gogit.go
#	modules/git/tree_gogit.go
#	routers/web/repo/actions/view.go
#	routers/web/repo/issue_comment.go
#	services/actions/workflow.go
#	services/doctor/actions_test.go
#	services/pull/comment.go
#	services/pull/pull.go
#	services/pull/temp_repo.go
#	templates/base/head_navbar.tmpl
#	templates/swagger/v1_json.tmpl
#	tests/integration/actions_schedule_test.go
#	tests/integration/git_lfs_ssh_test.go
#	tests/integration/pull_create_test.go
#	tests/integration/pull_merge_test.go
#	tests/sqlite.ini.tmpl
#	web_src/js/components/ContextPopup.vue
@xnox xnox mentioned this pull request Dec 7, 2025
Closed
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Feb 11, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@silverwind silverwind silverwind approved these changes

@wxiaoguang wxiaoguang wxiaoguang approved these changes

@ChristopherHX ChristopherHX Awaiting requested review from ChristopherHX

@delvh delvh Awaiting requested review from delvh

@lunny lunny Awaiting requested review from lunny

Assignees

@wxiaoguang wxiaoguang

Labels

lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. modifies/go Pull requests that update Go code type/bug

Projects

None yet

Milestone

1.25.2

Development

Successfully merging this pull request may close these issues.

4 participants

@GiteaBot @delvh @wxiaoguang @silverwind