diff --git a/CHANGELOG.md b/CHANGELOG.md index bb5920173208d..8f9bb3f4cdf27 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,14 @@ This changelog goes through all the changes that have been made in each release without substantial changes to our git log; to see the highlights of what has been added to each release, please refer to the [blog](https://blog.gitea.io). +## [1.18.3](https://github.com/go-gitea/gitea/releases/tag/v1.18.3) - 2023-01-23 + +* SECURITY + * Prevent multiple `To` recipients (#22566) (#22569) +* BUGFIXES + * Truncate commit summary on repo files table. (#22551) (#22552) + * Mute all links in issue timeline (#22534) + ## [1.18.2](https://github.com/go-gitea/gitea/releases/tag/v1.18.2) - 2023-01-19 * BUGFIXES diff --git a/routers/private/mail.go b/routers/private/mail.go index e858992aee13b..d55e33fd235eb 100644 --- a/routers/private/mail.go +++ b/routers/private/mail.go @@ -81,7 +81,7 @@ func SendEmail(ctx *context.PrivateContext) { func sendEmail(ctx *context.PrivateContext, subject, message string, to []string) { for _, email := range to { - msg := mailer.NewMessage([]string{email}, subject, message) + msg := mailer.NewMessage(email, subject, message) mailer.SendAsync(msg) } diff --git a/services/mailer/mail.go b/services/mailer/mail.go index a5bfa496f9eaf..eece83ca43534 100644 --- a/services/mailer/mail.go +++ b/services/mailer/mail.go @@ -61,7 +61,7 @@ func SendTestMail(email string) error { // No mail service configured return nil } - return gomail.Send(Sender, NewMessage([]string{email}, "Gitea Test Email!", "Gitea Test Email!").ToMessage()) + return gomail.Send(Sender, NewMessage(email, "Gitea Test Email!", "Gitea Test Email!").ToMessage()) } // sendUserMail sends a mail to the user 
@@ -86,7 +86,7 @@ func sendUserMail(language string, u *user_model.User, tpl base.TplName, code, s return } - msg := NewMessage([]string{u.Email}, subject, content.String()) + msg := NewMessage(u.Email, subject, content.String()) msg.Info = fmt.Sprintf("UID: %d, %s", u.ID, info) SendAsync(msg) @@ -137,7 +137,7 @@ func SendActivateEmailMail(u *user_model.User, email *user_model.EmailAddress) { return } - msg := NewMessage([]string{email.Email}, locale.Tr("mail.activate_email"), content.String()) + msg := NewMessage(email.Email, locale.Tr("mail.activate_email"), content.String()) msg.Info = fmt.Sprintf("UID: %d, activate email", u.ID) SendAsync(msg) @@ -168,7 +168,7 @@ func SendRegisterNotifyMail(u *user_model.User) { return } - msg := NewMessage([]string{u.Email}, locale.Tr("mail.register_notify"), content.String()) + msg := NewMessage(u.Email, locale.Tr("mail.register_notify"), content.String()) msg.Info = fmt.Sprintf("UID: %d, registration notify", u.ID) SendAsync(msg) @@ -202,7 +202,7 @@ func SendCollaboratorMail(u, doer *user_model.User, repo *repo_model.Repository) return } - msg := NewMessage([]string{u.Email}, subject, content.String()) + msg := NewMessage(u.Email, subject, content.String()) msg.Info = fmt.Sprintf("UID: %d, add collaborator", u.ID) SendAsync(msg) @@ -306,7 +306,7 @@ func composeIssueCommentMessages(ctx *mailCommentContext, lang string, recipient msgs := make([]*Message, 0, len(recipients)) for _, recipient := range recipients { - msg := NewMessageFrom([]string{recipient.Email}, ctx.Doer.DisplayName(), setting.MailService.FromEmail, subject, mailBody.String()) + msg := NewMessageFrom(recipient.Email, ctx.Doer.DisplayName(), setting.MailService.FromEmail, subject, mailBody.String()) msg.Info = fmt.Sprintf("Subject: %s, %s", subject, info) msg.SetHeader("Message-ID", "<"+msgID+">") diff --git a/services/mailer/mail_release.go b/services/mailer/mail_release.go index 6df3fbbf1d0d6..5e8edf7ad1870 100644 --- a/services/mailer/mail_release.go 
+++ b/services/mailer/mail_release.go @@ -90,7 +90,7 @@ func mailNewRelease(ctx context.Context, lang string, tos []string, rel *repo_mo publisherName := rel.Publisher.DisplayName() relURL := "<" + rel.HTMLURL() + ">" for _, to := range tos { - msg := NewMessageFrom([]string{to}, publisherName, setting.MailService.FromEmail, subject, mailBody.String()) + msg := NewMessageFrom(to, publisherName, setting.MailService.FromEmail, subject, mailBody.String()) msg.Info = subject msg.SetHeader("Message-ID", relURL) msgs = append(msgs, msg) diff --git a/services/mailer/mail_repo.go b/services/mailer/mail_repo.go index 6fe9df0926e88..f8f443febdf38 100644 --- a/services/mailer/mail_repo.go +++ b/services/mailer/mail_repo.go @@ -83,9 +83,12 @@ func sendRepoTransferNotifyMailPerLang(lang string, newOwner, doer *user_model.U return err } - msg := NewMessage(emails, subject, content.String()) - msg.Info = fmt.Sprintf("UID: %d, repository pending transfer notification", newOwner.ID) + for _, to := range emails { + msg := NewMessage(to, subject, content.String()) + msg.Info = fmt.Sprintf("UID: %d, repository pending transfer notification", newOwner.ID) + + SendAsync(msg) + } - SendAsync(msg) return nil } diff --git a/services/mailer/mail_team_invite.go b/services/mailer/mail_team_invite.go index c2b2a00e76097..45963a6660838 100644 --- a/services/mailer/mail_team_invite.go +++ b/services/mailer/mail_team_invite.go @@ -53,7 +53,7 @@ func MailTeamInvite(ctx context.Context, inviter *user_model.User, team *org_mod return err } - msg := NewMessage([]string{invite.Email}, subject, mailBody.String()) + msg := NewMessage(invite.Email, subject, mailBody.String()) msg.Info = subject SendAsync(msg) diff --git a/services/mailer/mailer.go b/services/mailer/mailer.go index 2663b6b2bab11..76106d30e1075 100644 --- a/services/mailer/mailer.go +++ b/services/mailer/mailer.go 
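Review bot: In the new loop in sendRepoTransferNotifyMailPerLang (services/mailer/mail_repo.go), every per-recipient message carries the identical `msg.Info` built from `newOwner.ID`, so once one transfer notice fans out into several mails the log entries cannot be told apart by recipient. If `emails` can hold addresses of users other than `newOwner` (not visible in this hunk), consider logging a per-recipient identifier that is not the address itself. `content.String()` and the Info string are also loop-invariant and could be computed once before the loop, e.g. `body := content.String()` placed above `for _, to := range emails {`. The function body starts outside the hunk.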
@@ -36,7 +36,7 @@ type Message struct { Info string // Message information for log purpose. FromAddress string FromDisplayName string - To []string + To string // Use only one recipient to prevent leaking of addresses Subject string Date time.Time Body string @@ -47,7 +47,7 @@ type Message struct { func (m *Message) ToMessage() *gomail.Message { msg := gomail.NewMessage() msg.SetAddressHeader("From", m.FromAddress, m.FromDisplayName) - msg.SetHeader("To", m.To...) + msg.SetHeader("To", m.To) for header := range m.Headers { msg.SetHeader(header, m.Headers[header]...) } @@ -86,7 +86,7 @@ func (m *Message) generateAutoMessageID() string { dateMs := m.Date.UnixNano() / 1e6 h := fnv.New64() if len(m.To) > 0 { - _, _ = h.Write([]byte(m.To[0])) + _, _ = h.Write([]byte(m.To)) } _, _ = h.Write([]byte(m.Subject)) _, _ = h.Write([]byte(m.Body)) @@ -94,7 +94,7 @@ func (m *Message) generateAutoMessageID() string { } // NewMessageFrom creates new mail message object with custom From header. -func NewMessageFrom(to []string, fromDisplayName, fromAddress, subject, body string) *Message { +func NewMessageFrom(to, fromDisplayName, fromAddress, subject, body string) *Message { log.Trace("NewMessageFrom (body):\n%s", body) return &Message{ @@ -109,7 +109,7 @@ func NewMessageFrom(to []string, fromDisplayName, fromAddress, subject, body str } // NewMessage creates new mail message object with default From header. -func NewMessage(to []string, subject, body string) *Message { +func NewMessage(to, subject, body string) *Message { return NewMessageFrom(to, setting.MailService.FromName, setting.MailService.FromEmail, subject, body) } diff --git a/services/mailer/mailer_test.go b/services/mailer/mailer_test.go index b94fce8443ae8..5504fdda7dc17 100644 --- a/services/mailer/mailer_test.go +++ b/services/mailer/mailer_test.go 
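Review bot: The single-recipient guarantee in services/mailer/mailer.go rests only on the field type: `To string` is passed unchanged to `msg.SetHeader("To", m.To)`, and neither NewMessageFrom nor NewMessage checks that `to` holds exactly one address. A caller that passes a comma-separated list would, as far as these lines show, still put several addresses into one To header, so the contract should be stated on the constructors, e.g. `// NewMessage creates new mail message object with default From header. to must be a single address, never a list.`, with the same sentence on NewMessageFrom. If enforcement is wanted, rejecting a `to` that contains `,` before building the Message would close the gap; how gomail treats such a value at send time is not visible here. In generateAutoMessageID the `if len(m.To) > 0` guard is now redundant, since writing an empty byte slice to the hash is a no-op.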
@@ -22,17 +22,17 @@ func TestGenerateMessageID(t *testing.T) { setting.Domain = "localhost" date := time.Date(2000, 1, 2, 3, 4, 5, 6, time.UTC) - m := NewMessageFrom(nil, "display-name", "from-address", "subject", "body") + m := NewMessageFrom("", "display-name", "from-address", "subject", "body") m.Date = date gm := m.ToMessage() assert.Equal(t, "", gm.GetHeader("Message-ID")[0]) - m = NewMessageFrom([]string{"a@b.com"}, "display-name", "from-address", "subject", "body") + m = NewMessageFrom("a@b.com", "display-name", "from-address", "subject", "body") m.Date = date gm = m.ToMessage() assert.Equal(t, "", gm.GetHeader("Message-ID")[0]) - m = NewMessageFrom([]string{"a@b.com"}, "display-name", "from-address", "subject", "body") + m = NewMessageFrom("a@b.com", "display-name", "from-address", "subject", "body") m.SetHeader("Message-ID", "") gm = m.ToMessage() assert.Equal(t, "", gm.GetHeader("Message-ID")[0]) diff --git a/templates/repo/issue/view_content/comments.tmpl b/templates/repo/issue/view_content/comments.tmpl index e9b7172d1b324..a9ceb084fdbc9 100644 --- a/templates/repo/issue/view_content/comments.tmpl +++ b/templates/repo/issue/view_content/comments.tmpl @@ -29,7 +29,7 @@ {{svg (MigrationIcon $.Repository.GetOriginalURLHostname)}} {{.OriginalAuthor}} - + {{$.locale.Tr "repo.issues.commented_at" (.HashTag|Escape) $createdStr | Safe}} {{if $.Repository.OriginalURL}} @@ -41,7 +41,7 @@ {{avatar .Poster}} {{end}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.commented_at" (.HashTag|Escape) $createdStr | Safe}} @@ -95,7 +95,7 @@
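Review bot: TestGenerateMessageID in services/mailer/mailer_test.go is only adapted to the new `NewMessageFrom` signature; nothing in the commit's tests pins the security property that a built message has exactly one To recipient. An assertion next to the existing ones, such as `assert.Equal(t, []string{"a@b.com"}, gm.GetHeader("To"))`, would catch a regression in ToMessage. If sendRepoTransferNotifyMailPerLang can be exercised in a unit test, a check that it produces one message per address would also cover the call site that previously passed the whole `emails` slice.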
{{svg "octicon-dot-fill"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{if .Issue.IsPull}} {{$.locale.Tr "repo.pulls.reopened_at" .EventTag $createdStr | Safe}} @@ -108,7 +108,7 @@
{{svg "octicon-circle-slash"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{if .Issue.IsPull}} {{$.locale.Tr "repo.pulls.closed_at" .EventTag $createdStr | Safe}} @@ -121,7 +121,7 @@
{{svg "octicon-git-merge"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$link := printf "%s/commit/%s" $.Repository.HTMLURL ($.Issue.PullRequest.MergedCommitID|PathEscape)}} {{if eq $.Issue.PullRequest.Status 3}} @@ -156,20 +156,20 @@ {{if eq .RefAction 3}}{{end}}
{{else if eq .Type 4}}
{{svg "octicon-bookmark"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.commit_ref_at" .EventTag $createdStr | Safe}}
{{svg "octicon-git-commit"}} - {{.Content | Str2html}} + {{.Content | Str2html}}
{{else if eq .Type 7}} @@ -177,7 +177,7 @@
{{svg "octicon-tag"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{if and .AddedLabels (not .RemovedLabels)}} {{$.locale.TrN (len .AddedLabels) "repo.issues.add_label" "repo.issues.add_labels" (RenderLabels .AddedLabels $.RepoLink) $createdStr | Safe}} @@ -193,7 +193,7 @@
{{svg "octicon-milestone"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{if gt .OldMilestoneID 0}}{{if gt .MilestoneID 0}}{{$.locale.Tr "repo.issues.change_milestone_at" (.OldMilestone.Name|Escape) (.Milestone.Name|Escape) $createdStr | Safe}}{{else}}{{$.locale.Tr "repo.issues.remove_milestone_at" (.OldMilestone.Name|Escape) $createdStr | Safe}}{{end}}{{else if gt .MilestoneID 0}}{{$.locale.Tr "repo.issues.add_milestone_at" (.Milestone.Name|Escape) $createdStr | Safe}}{{end}} @@ -204,7 +204,7 @@ {{if gt .AssigneeID 0}} {{if .RemovedAssignee}} {{template "shared/user/avatarlink" .Assignee}} - + {{template "shared/user/authorlink" .Assignee}} {{if eq .Poster.ID .Assignee.ID}} {{$.locale.Tr "repo.issues.remove_self_assignment" $createdStr | Safe}} @@ -214,7 +214,7 @@ {{else}} {{template "shared/user/avatarlink" .Assignee}} - + {{template "shared/user/authorlink" .Assignee}} {{if eq .Poster.ID .AssigneeID}} {{$.locale.Tr "repo.issues.self_assign_at" $createdStr | Safe}} @@ -229,7 +229,7 @@
{{svg "octicon-pencil"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.change_title_at" (.OldTitle|RenderEmoji) (.NewTitle|RenderEmoji) $createdStr | Safe}} @@ -238,7 +238,7 @@
{{svg "octicon-git-branch"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.delete_branch_at" (.OldRef|Escape) $createdStr | Safe}} @@ -247,7 +247,7 @@
{{svg "octicon-clock"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.start_tracking_history" $createdStr | Safe}} @@ -256,35 +256,35 @@
{{svg "octicon-clock"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.stop_tracking_history" $createdStr | Safe}} {{template "repo/issue/view_content/comments_delete_time" Dict "ctx" $ "comment" .}}
{{svg "octicon-clock"}} - {{.Content}} + {{.Content}}
{{else if eq .Type 14}}
{{svg "octicon-clock"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.add_time_history" $createdStr | Safe}} {{template "repo/issue/view_content/comments_delete_time" Dict "ctx" $ "comment" .}}
{{svg "octicon-clock"}} - {{.Content}} + {{.Content}}
{{else if eq .Type 15}}
{{svg "octicon-clock"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.cancel_tracking_history" $createdStr | Safe}} @@ -293,7 +293,7 @@
{{svg "octicon-clock"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.due_date_added" .Content $createdStr | Safe}} @@ -302,7 +302,7 @@
{{svg "octicon-clock"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$parsedDeadline := .Content | ParseDeadline}} {{$.locale.Tr "repo.issues.due_date_modified" (index $parsedDeadline 0) (index $parsedDeadline 1) $createdStr | Safe}} @@ -312,7 +312,7 @@
{{svg "octicon-clock"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.due_date_remove" .Content $createdStr | Safe}} @@ -321,15 +321,15 @@
{{svg "octicon-package-dependents"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.dependency.added_dependency" $createdStr | Safe}} {{if .DependentIssue}}
{{svg "octicon-plus"}} - - + + {{if eq .DependentIssue.RepoID .Issue.RepoID}} #{{.DependentIssue.Index}} {{.DependentIssue.Title}} {{else}} @@ -344,15 +344,15 @@
{{svg "octicon-package-dependents"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.dependency.removed_dependency" $createdStr | Safe}} {{if .DependentIssue}}
- {{svg "octicon-trash"}} - - + {{svg "octicon-trash"}} + + {{if eq .DependentIssue.RepoID .Issue.RepoID}} #{{.DependentIssue.Index}} {{.DependentIssue.Title}} {{else}} @@ -373,13 +373,13 @@ {{end}} {{svg (printf "octicon-%s" .Review.Type.Icon)}} - + {{if .OriginalAuthor}} {{svg (MigrationIcon $.Repository.GetOriginalURLHostname)}} {{.OriginalAuthor}} - {{if $.Repository.OriginalURL}} + {{if $.Repository.OriginalURL}} ({{$.locale.Tr "repo.migrated_from" ($.Repository.OriginalURL|Escape) ($.Repository.GetOriginalURLHostname|Escape) | Safe}}){{end}} {{else}} {{template "shared/user/authorlink" .Poster}} @@ -404,13 +404,13 @@
- + {{if .OriginalAuthor}} {{svg (MigrationIcon $.Repository.GetOriginalURLHostname)}} {{.OriginalAuthor}} - {{if $.Repository.OriginalURL}} + {{if $.Repository.OriginalURL}} ({{$.locale.Tr "repo.migrated_from" ($.Repository.OriginalURL|Escape) ($.Repository.GetOriginalURLHostname|Escape) | Safe}}){{end}} {{else}} {{template "shared/user/authorlink" .Poster}} @@ -532,13 +532,13 @@ {{avatar .Poster}} {{end}} - + {{if .OriginalAuthor}} {{svg (MigrationIcon $.Repository.GetOriginalURLHostname)}} {{.OriginalAuthor}} - {{if $.Repository.OriginalURL}} + {{if $.Repository.OriginalURL}} ({{$.locale.Tr "repo.migrated_from" ($.Repository.OriginalURL|Escape) ($.Repository.GetOriginalURLHostname|Escape) | Safe}}){{end}} {{else}} {{template "shared/user/authorlink" .Poster}} @@ -628,12 +628,12 @@ {{svg "octicon-lock"}} {{template "shared/user/avatarlink" .Poster}} {{if .Content}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.lock_with_reason" .Content $createdStr | Safe}} {{else}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.lock_no_reason" $createdStr | Safe}} @@ -643,7 +643,7 @@
{{svg "octicon-key"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.unlock_comment" $createdStr | Safe}} @@ -652,7 +652,7 @@
{{svg "octicon-git-branch"}} {{template "shared/user/avatarlink" .Poster}} - + {{.Poster.Name}} {{$.locale.Tr "repo.pulls.change_target_branch_at" (.OldRef|Escape) (.NewRef|Escape) $createdStr | Safe}} @@ -661,21 +661,21 @@
{{svg "octicon-clock"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{$.locale.Tr "repo.issues.del_time_history" $createdStr | Safe}}
{{svg "octicon-clock"}} - {{.Content}} + {{.Content}}
{{else if eq .Type 27}}
{{svg "octicon-eye"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{if (gt .AssigneeID 0)}} {{if .RemovedAssignee}} @@ -699,7 +699,7 @@ {{else if and (eq .Type 29) (or (gt .CommitsNum 0) .IsForcePush)}}
{{svg "octicon-repo-push"}} - + {{template "shared/user/authorlink" .Poster}} {{if .IsForcePush}} {{$.locale.Tr "repo.issues.force_push_codes" ($.Issue.PullRequest.HeadBranch|Escape) (ShortSha .OldCommit) (($.Issue.Repo.CommitLink .OldCommit)|Escape) (ShortSha .NewCommit) (($.Issue.Repo.CommitLink .NewCommit)|Escape) $createdStr | Safe}} @@ -716,7 +716,7 @@
{{svg "octicon-project"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{if gt .OldProjectID 0}} {{if gt .ProjectID 0}} @@ -737,7 +737,7 @@ {{svg "octicon-x" 16}} - + {{template "shared/user/authorlink" .Poster}} {{$reviewerName := ""}} {{if eq .Review.OriginalAuthor ""}} @@ -752,7 +752,7 @@
- + {{$.locale.Tr "action.review_dismissed_reason"}}
@@ -773,7 +773,7 @@
{{svg "octicon-git-branch"}} {{template "shared/user/avatarlink" .Poster}} - + {{template "shared/user/authorlink" .Poster}} {{if and .OldRef .NewRef}} {{$.locale.Tr "repo.issues.change_ref_at" (.OldRef|Escape) (.NewRef|Escape) $createdStr | Safe}} @@ -787,7 +787,7 @@ {{else if or (eq .Type 34) (eq .Type 35)}}
{{svg "octicon-git-merge" 16}} - + {{template "shared/user/authorlink" .Poster}} {{if eq .Type 34}}{{$.locale.Tr "repo.pulls.auto_merge_newly_scheduled_comment" $createdStr | Safe}} {{else}}{{$.locale.Tr "repo.pulls.auto_merge_canceled_schedule_comment" $createdStr | Safe}}{{end}} diff --git a/web_src/less/_repository.less b/web_src/less/_repository.less index 3b828b2a8279e..a3b373f43bc4a 100644 --- a/web_src/less/_repository.less +++ b/web_src/less/_repository.less @@ -2845,6 +2845,11 @@ tbody.commit-list { display: inline; } +// but in the repo-files-table we cannot +#repo-files-table .commit-list .message-wrapper { + display: inline-block; +} + @media @mediaSm { tr.commit-list { width: 100%;