Merge remote-tracking branch 'giteaofficial/main'

* giteaofficial/main:
  [skip ci] Updated translations via Crowdin
  Display when a release attachment was uploaded (go-gitea#34261)
  Fix Set Email Preference dropdown and button placement (go-gitea#34255)
  [skip ci] Updated translations via Crowdin
  Update compare.tmpl (go-gitea#34251)
  Make public URL generation configurable (go-gitea#34250)
  Add API endpoint to request contents of multiple files simultaniously (go-gitea#34139)

Author: zjjhot

custom/conf/app.example.ini

@@ -63,14 +63,19 @@ RUN_USER = ; git
 ;PROTOCOL = http
 ;;
 ;; Set the domain for the server.
-;; Most users should set it to the real website domain of their Gitea instance.
 ;DOMAIN = localhost
 ;;
-;; The AppURL used by Gitea to generate absolute links, defaults to "{PROTOCOL}://{DOMAIN}:{HTTP_PORT}/".
+;; The AppURL is used to generate public URL links, defaults to "{PROTOCOL}://{DOMAIN}:{HTTP_PORT}/".
 ;; Most users should set it to the real website URL of their Gitea instance when there is a reverse proxy.
-;; When it is empty, Gitea will use HTTP "Host" header to generate ROOT_URL, and fall back to the default one if no "Host" header.
 ;ROOT_URL =
 ;;
+;; Controls how to detect the public URL.
+;; Although it defaults to "legacy" (to avoid breaking existing users), most instances should use the "auto" behavior,
+;; especially when the Gitea instance needs to be accessed in a container network.
+;; * legacy: detect the public URL from "Host" header if "X-Forwarded-Proto" header exists, otherwise use "ROOT_URL".
+;; * auto: always use "Host" header, and also use "X-Forwarded-Proto" header if it exists. If no "Host" header, use "ROOT_URL".
+;PUBLIC_URL_DETECTION = legacy
+;;
 ;; For development purpose only. It makes Gitea handle sub-path ("/sub-path/owner/repo/...") directly when debugging without a reverse proxy.
 ;; DO NOT USE IT IN PRODUCTION!!!
 ;USE_SUB_URL_PATH = false
@@ -2439,6 +2444,8 @@ LEVEL = Info
 ;DEFAULT_GIT_TREES_PER_PAGE = 1000
 ;; Default max size of a blob returned by the blobs API (default is 10MiB)
 ;DEFAULT_MAX_BLOB_SIZE = 10485760
+;; Default max combined size of all blobs returned by the files API (default is 100MiB)
+;DEFAULT_MAX_RESPONSE_SIZE = 104857600
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

modules/git/repo_object.go

@@ -85,17 +85,3 @@ func (repo *Repository) hashObject(reader io.Reader, save bool) (string, error)
 	}
 	return strings.TrimSpace(stdout.String()), nil
 }
-
-// GetRefType gets the type of the ref based on the string
-func (repo *Repository) GetRefType(ref string) ObjectType {
-	if repo.IsTagExist(ref) {
-		return ObjectTag
-	} else if repo.IsBranchExist(ref) {
-		return ObjectBranch
-	} else if repo.IsCommitExist(ref) {
-		return ObjectCommit
-	} else if _, err := repo.GetBlob(ref); err == nil {
-		return ObjectBlob
-	}
-	return ObjectType("invalid")
-}

modules/httplib/url.go

@@ -53,30 +53,31 @@ func getRequestScheme(req *http.Request) string {
 	return ""
 }
 
-// GuessCurrentAppURL tries to guess the current full app URL (with sub-path) by http headers. It always has a '/' suffix, exactly the same as setting.AppURL
+// GuessCurrentAppURL tries to guess the current full public URL (with sub-path) by http headers. It always has a '/' suffix, exactly the same as setting.AppURL
+// TODO: should rename it to GuessCurrentPublicURL in the future
 func GuessCurrentAppURL(ctx context.Context) string {
 	return GuessCurrentHostURL(ctx) + setting.AppSubURL + "/"
 }
 
 // GuessCurrentHostURL tries to guess the current full host URL (no sub-path) by http headers, there is no trailing slash.
 func GuessCurrentHostURL(ctx context.Context) string {
-	req, ok := ctx.Value(RequestContextKey).(*http.Request)
-	if !ok {
-		return strings.TrimSuffix(setting.AppURL, setting.AppSubURL+"/")
-	}
-	// If no scheme provided by reverse proxy, then do not guess the AppURL, use the configured one.
+	// Try the best guess to get the current host URL (will be used for public URL) by http headers.
 	// At the moment, if site admin doesn't configure the proxy headers correctly, then Gitea would guess wrong.
 	// There are some cases:
 	// 1. The reverse proxy is configured correctly, it passes "X-Forwarded-Proto/Host" headers. Perfect, Gitea can handle it correctly.
 	// 2. The reverse proxy is not configured correctly, doesn't pass "X-Forwarded-Proto/Host" headers, eg: only one "proxy_pass http://gitea:3000" in Nginx.
 	// 3. There is no reverse proxy.
 	// Without more information, Gitea is impossible to distinguish between case 2 and case 3, then case 2 would result in
-	// wrong guess like guessed AppURL becomes "http://gitea:3000/" behind a "https" reverse proxy, which is not accessible by end users.
-	// So we introduced "UseHostHeader" option, it could be enabled by setting "ROOT_URL" to empty
+	// wrong guess like guessed public URL becomes "http://gitea:3000/" behind a "https" reverse proxy, which is not accessible by end users.
+	// So we introduced "PUBLIC_URL_DETECTION" option, to control the guessing behavior to satisfy different use cases.
+	req, ok := ctx.Value(RequestContextKey).(*http.Request)
+	if !ok {
+		return strings.TrimSuffix(setting.AppURL, setting.AppSubURL+"/")
+	}
 	reqScheme := getRequestScheme(req)
 	if reqScheme == "" {
 		// if no reverse proxy header, try to use "Host" header for absolute URL
-		if setting.UseHostHeader && req.Host != "" {
+		if setting.PublicURLDetection == setting.PublicURLAuto && req.Host != "" {
 			return util.Iif(req.TLS == nil, "http://", "https://") + req.Host
 		}
 		// fall back to default AppURL
@@ -93,8 +94,8 @@ func GuessCurrentHostDomain(ctx context.Context) string {
 	return util.IfZero(domain, host)
 }
 
-// MakeAbsoluteURL tries to make a link to an absolute URL:
-// * If link is empty, it returns the current app URL.
+// MakeAbsoluteURL tries to make a link to an absolute public URL:
+// * If link is empty, it returns the current public URL.
 // * If link is absolute, it returns the link.
 // * Otherwise, it returns the current host URL + link, the link itself should have correct sub-path (AppSubURL) if needed.
 func MakeAbsoluteURL(ctx context.Context, link string) string {

modules/httplib/url_test.go

@@ -43,20 +43,37 @@ func TestIsRelativeURL(t *testing.T) {
 func TestGuessCurrentHostURL(t *testing.T) {
 	defer test.MockVariableValue(&setting.AppURL, "http://cfg-host/sub/")()
 	defer test.MockVariableValue(&setting.AppSubURL, "/sub")()
-	defer test.MockVariableValue(&setting.UseHostHeader, false)()
+	headersWithProto := http.Header{"X-Forwarded-Proto": {"https"}}
 
-	ctx := t.Context()
-	assert.Equal(t, "http://cfg-host", GuessCurrentHostURL(ctx))
+	t.Run("Legacy", func(t *testing.T) {
+		defer test.MockVariableValue(&setting.PublicURLDetection, setting.PublicURLLegacy)()
+
+		assert.Equal(t, "http://cfg-host", GuessCurrentHostURL(t.Context()))
+
+		// legacy: "Host" is not used when there is no "X-Forwarded-Proto" header
+		ctx := context.WithValue(t.Context(), RequestContextKey, &http.Request{Host: "req-host:3000"})
+		assert.Equal(t, "http://cfg-host", GuessCurrentHostURL(ctx))
+
+		// if "X-Forwarded-Proto" exists, then use it and "Host" header
+		ctx = context.WithValue(t.Context(), RequestContextKey, &http.Request{Host: "req-host:3000", Header: headersWithProto})
+		assert.Equal(t, "https://req-host:3000", GuessCurrentHostURL(ctx))
+	})
+
+	t.Run("Auto", func(t *testing.T) {
+		defer test.MockVariableValue(&setting.PublicURLDetection, setting.PublicURLAuto)()
 
-	ctx = context.WithValue(ctx, RequestContextKey, &http.Request{Host: "localhost:3000"})
-	assert.Equal(t, "http://cfg-host", GuessCurrentHostURL(ctx))
+		assert.Equal(t, "http://cfg-host", GuessCurrentHostURL(t.Context()))
 
-	defer test.MockVariableValue(&setting.UseHostHeader, true)()
-	ctx = context.WithValue(ctx, RequestContextKey, &http.Request{Host: "http-host:3000"})
-	assert.Equal(t, "http://http-host:3000", GuessCurrentHostURL(ctx))
+		// auto: always use "Host" header, the scheme is determined by "X-Forwarded-Proto" header, or TLS config if no "X-Forwarded-Proto" header
+		ctx := context.WithValue(t.Context(), RequestContextKey, &http.Request{Host: "req-host:3000"})
+		assert.Equal(t, "http://req-host:3000", GuessCurrentHostURL(ctx))
 
-	ctx = context.WithValue(ctx, RequestContextKey, &http.Request{Host: "http-host", TLS: &tls.ConnectionState{}})
-	assert.Equal(t, "https://http-host", GuessCurrentHostURL(ctx))
+		ctx = context.WithValue(t.Context(), RequestContextKey, &http.Request{Host: "req-host", TLS: &tls.ConnectionState{}})
+		assert.Equal(t, "https://req-host", GuessCurrentHostURL(ctx))
+
+		ctx = context.WithValue(t.Context(), RequestContextKey, &http.Request{Host: "req-host:3000", Header: headersWithProto})
+		assert.Equal(t, "https://req-host:3000", GuessCurrentHostURL(ctx))
+	})
 }
 
 func TestMakeAbsoluteURL(t *testing.T) {

modules/setting/api.go

@@ -18,13 +18,15 @@ var API = struct {
 	DefaultPagingNum       int
 	DefaultGitTreesPerPage int
 	DefaultMaxBlobSize     int64
+	DefaultMaxResponseSize int64
 }{
 	EnableSwagger:          true,
 	SwaggerURL:             "",
 	MaxResponseItems:       50,
 	DefaultPagingNum:       30,
 	DefaultGitTreesPerPage: 1000,
 	DefaultMaxBlobSize:     10485760,
+	DefaultMaxResponseSize: 104857600,
 }
 
 func loadAPIFrom(rootCfg ConfigProvider) {

modules/setting/server.go

@@ -41,12 +41,20 @@ const (
 	LandingPageLogin         LandingPage = "/user/login"
 )
 
+const (
+	PublicURLAuto   = "auto"
+	PublicURLLegacy = "legacy"
+)
+
 // Server settings
 var (
 	// AppURL is the Application ROOT_URL. It always has a '/' suffix
 	// It maps to ini:"ROOT_URL"
 	AppURL string
 
+	// PublicURLDetection controls how to use the HTTP request headers to detect public URL
+	PublicURLDetection string
+
 	// AppSubURL represents the sub-url mounting point for gitea, parsed from "ROOT_URL"
 	// It is either "" or starts with '/' and ends without '/', such as '/{sub-path}'.
 	// This value is empty if site does not have sub-url.
@@ -56,9 +64,6 @@ var (
 	// to make it easier to debug sub-path related problems without a reverse proxy.
 	UseSubURLPath bool
 
-	// UseHostHeader makes Gitea prefer to use the "Host" request header for construction of absolute URLs.
-	UseHostHeader bool
-
 	// AppDataPath is the default path for storing data.
 	// It maps to ini:"APP_DATA_PATH" in [server] and defaults to AppWorkPath + "/data"
 	AppDataPath string
@@ -283,10 +288,10 @@ func loadServerFrom(rootCfg ConfigProvider) {
 	PerWritePerKbTimeout = sec.Key("PER_WRITE_PER_KB_TIMEOUT").MustDuration(PerWritePerKbTimeout)
 
 	defaultAppURL := string(Protocol) + "://" + Domain + ":" + HTTPPort
-	AppURL = sec.Key("ROOT_URL").String()
-	if AppURL == "" {
-		UseHostHeader = true
-		AppURL = defaultAppURL
+	AppURL = sec.Key("ROOT_URL").MustString(defaultAppURL)
+	PublicURLDetection = sec.Key("PUBLIC_URL_DETECTION").MustString(PublicURLLegacy)
+	if PublicURLDetection != PublicURLAuto && PublicURLDetection != PublicURLLegacy {
+		log.Fatal("Invalid PUBLIC_URL_DETECTION value: %s", PublicURLDetection)
 	}
 
 	// Check validity of AppURL

modules/structs/git_blob.go

@@ -5,9 +5,9 @@ package structs
 
 // GitBlobResponse represents a git blob
 type GitBlobResponse struct {
-	Content  string `json:"content"`
-	Encoding string `json:"encoding"`
-	URL      string `json:"url"`
-	SHA      string `json:"sha"`
-	Size     int64  `json:"size"`
+	Content  *string `json:"content"`
+	Encoding *string `json:"encoding"`
+	URL      string  `json:"url"`
+	SHA      string  `json:"sha"`
+	Size     int64   `json:"size"`
 }

modules/structs/repo_file.go

@@ -176,3 +176,8 @@ type FileDeleteResponse struct {
 	Commit       *FileCommitResponse        `json:"commit"`
 	Verification *PayloadCommitVerification `json:"verification"`
 }
+
+// GetFilesOptions options for retrieving metadate and content of multiple files
+type GetFilesOptions struct {
+	Files []string `json:"files" binding:"Required"`
+}

modules/structs/settings.go

@@ -26,6 +26,7 @@ type GeneralAPISettings struct {
 	DefaultPagingNum       int   `json:"default_paging_num"`
 	DefaultGitTreesPerPage int   `json:"default_git_trees_per_page"`
 	DefaultMaxBlobSize     int64 `json:"default_max_blob_size"`
+	DefaultMaxResponseSize int64 `json:"default_max_response_size"`
 }
 
 // GeneralAttachmentSettings contains global Attachment settings exposed by API

options/locale/locale_cs-CZ.ini

@@ -1652,7 +1652,6 @@ issues.pin_comment=připnuto %s
 issues.unpin_comment=odepnul/a tento %s
 issues.lock=Uzamknout konverzaci
 issues.unlock=Odemknout konverzaci
-issues.lock.unknown_reason=Úkol nelze z neznámého důvodu uzamknout.
 issues.lock_duplicate=Úkol nemůže být uzamčený dvakrát.
 issues.unlock_error=Nelze odemknout úkol, který je uzamčený.
 issues.lock_with_reason=uzamkl/a jako <strong>%s</strong> a omezil/a konverzaci na spolupracovníky %s