Merge remote-tracking branch 'giteaofficial/main'

* giteaofficial/main:
  Bump minimist from 1.2.5 to 1.2.6 (go-gitea#19194)
  Changelog for 1.16.5 (go-gitea#19189) (go-gitea#19192)
  Fix showing issues in your repositories (go-gitea#18916)
  Update issue_no_dependencies description (go-gitea#19112)
  Prevent redirect to Host (2) (go-gitea#19175)
  Prevent start panic due to missing DotEscape function
  Fix compare link in active feeds for new branch (go-gitea#19149)
  Redirect .wiki/* ui link to /wiki (go-gitea#18831)
  Try to prevent autolinking of displaynames by email readers (go-gitea#19169)
  Update HTTP status codes to modern codes (go-gitea#18063)

CHANGELOG.md

@@ -4,6 +4,37 @@ This changelog goes through all the changes that have been made in each release
 without substantial changes to our git log; to see the highlights of what has
 been added to each release, please refer to the [blog](https://blog.gitea.io).
 
+## [1.16.5](https://github.com/go-gitea/gitea/releases/tag/v1.16.5) - 2022-03-23
+
+* BREAKING
+  * Bump to build with go1.18 (#19120 et al) (#19127)
+* SECURITY
+  * Prevent redirect to Host (2) (#19175) (#19186)
+  * Try to prevent autolinking of displaynames by email readers (#19169) (#19183)
+  * Clean paths when looking in Storage (#19124) (#19179)
+  * Do not send notification emails to inactive users (#19131) (#19139)
+  * Do not send activation email if manual confirm is set (#19119) (#19122)
+* ENHANCEMENTS
+  * Use the new/choose link for New Issue on project page (#19172) (#19176)
+* BUGFIXES
+  * Fix showing issues in your repositories (#18916) (#19191)
+  * Fix compare link in active feeds for new branch (#19149) (#19185)
+  * Redirect .wiki/* ui link to /wiki (#18831) (#19184)
+  * Ensure deploy keys with write access can push (#19010) (#19182)
+  * Ensure that setting.LocalURL always has a trailing slash (#19171) (#19177)
+  * Cleanup protected branches when deleting users & teams (#19158) (#19174)
+  * Use IterateBufferSize whilst querying repositories during adoption check (#19140) (#19160)
+  * Fix NPE /repos/issues/search when not signed in (#19154) (#19155)
+  * Use custom favicon when viewing static files if it exists (#19130) (#19152)
+  * Fix the editor height in review box (#19003) (#19147)
+  * Ensure isSSH is set whenever DISABLE_HTTP_GIT is set (#19028) (#19146)
+  * Fix wrong scopes caused by empty scope input (#19029) (#19145)
+  * Make migrations SKIP_TLS_VERIFY apply to git too (#19132) (#19141)
+  * Handle email address not exist (#19089) (#19121)
+* MISC
+  * Update json-iterator to allow compilation with go1.18 (#18644) (#19100)
+  * Update golang.org/x/crypto (#19097) (#19098)
+
 ## [1.16.4](https://github.com/go-gitea/gitea/releases/tag/v1.16.4) - 2022-03-14
 
 * SECURITY

cmd/web_acme.go

@@ -128,5 +128,5 @@ func runLetsEncryptFallbackHandler(w http.ResponseWriter, r *http.Request) {
 	// URI always contains a leading slash, which would result in a double
 	// slash
 	target := strings.TrimSuffix(setting.AppURL, "/") + r.URL.RequestURI()
-	http.Redirect(w, r, target, http.StatusFound)
+	http.Redirect(w, r, target, http.StatusTemporaryRedirect)
 }

docs/config.yaml

@@ -18,7 +18,7 @@ params:
   description: Git with a cup of tea
   author: The Gitea Authors
   website: https://docs.gitea.io
-  version: 1.16.4
+  version: 1.16.5
   minGoVersion: 1.17
   goVersion: 1.18
   minNodeVersion: 12.17

integrations/admin_user_test.go

@@ -46,7 +46,7 @@ func TestAdminEditUser(t *testing.T) {
 }
 
 func testSuccessfullEdit(t *testing.T, formData user_model.User) {
-	makeRequest(t, formData, http.StatusFound)
+	makeRequest(t, formData, http.StatusSeeOther)
 }
 
 func makeRequest(t *testing.T, formData user_model.User, headerCode int) {

integrations/api_branch_test.go

@@ -37,7 +37,7 @@ func testAPIGetBranchProtection(t *testing.T, branchName string, expectedHTTPSta
 	req := NewRequestf(t, "GET", "/api/v1/repos/user2/repo1/branch_protections/%s?token=%s", branchName, token)
 	resp := session.MakeRequest(t, req, expectedHTTPStatus)
 
-	if resp.Code == 200 {
+	if resp.Code == http.StatusOK {
 		var branchProtection api.BranchProtection
 		DecodeJSON(t, resp, &branchProtection)
 		assert.EqualValues(t, branchName, branchProtection.BranchName)
@@ -52,7 +52,7 @@ func testAPICreateBranchProtection(t *testing.T, branchName string, expectedHTTP
 	})
 	resp := session.MakeRequest(t, req, expectedHTTPStatus)
 
-	if resp.Code == 201 {
+	if resp.Code == http.StatusCreated {
 		var branchProtection api.BranchProtection
 		DecodeJSON(t, resp, &branchProtection)
 		assert.EqualValues(t, branchName, branchProtection.BranchName)
@@ -65,7 +65,7 @@ func testAPIEditBranchProtection(t *testing.T, branchName string, body *api.Bran
 	req := NewRequestWithJSON(t, "PATCH", "/api/v1/repos/user2/repo1/branch_protections/"+branchName+"?token="+token, body)
 	resp := session.MakeRequest(t, req, expectedHTTPStatus)
 
-	if resp.Code == 200 {
+	if resp.Code == http.StatusOK {
 		var branchProtection api.BranchProtection
 		DecodeJSON(t, resp, &branchProtection)
 		assert.EqualValues(t, branchName, branchProtection.BranchName)

integrations/api_helper_for_declarative_test.go

@@ -227,7 +227,7 @@ func doAPICreatePullRequest(ctx APITestContext, owner, repo, baseBranch, headBra
 			Title: fmt.Sprintf("create a pr from %s to %s", headBranch, baseBranch),
 		})
 
-		expected := 201
+		expected := http.StatusCreated
 		if ctx.ExpectedCode != 0 {
 			expected = ctx.ExpectedCode
 		}
@@ -246,7 +246,7 @@ func doAPIGetPullRequest(ctx APITestContext, owner, repo string, index int64) fu
 			owner, repo, index, ctx.Token)
 		req := NewRequest(t, http.MethodGet, urlStr)
 
-		expected := 200
+		expected := http.StatusOK
 		if ctx.ExpectedCode != 0 {
 			expected = ctx.ExpectedCode
 		}
@@ -287,7 +287,7 @@ func doAPIMergePullRequest(ctx APITestContext, owner, repo string, index int64)
 
 		expected := ctx.ExpectedCode
 		if expected == 0 {
-			expected = 200
+			expected = http.StatusOK
 		}
 
 		if !assert.EqualValues(t, expected, resp.Code,
@@ -310,7 +310,7 @@ func doAPIManuallyMergePullRequest(ctx APITestContext, owner, repo, commitID str
 			ctx.Session.MakeRequest(t, req, ctx.ExpectedCode)
 			return
 		}
-		ctx.Session.MakeRequest(t, req, 200)
+		ctx.Session.MakeRequest(t, req, http.StatusOK)
 	}
 }
 

integrations/api_pull_test.go

@@ -77,7 +77,7 @@ func TestAPICreatePullSuccess(t *testing.T) {
 		Base:  "master",
 		Title: "create a failure pr",
 	})
-	session.MakeRequest(t, req, 201)
+	session.MakeRequest(t, req, http.StatusCreated)
 	session.MakeRequest(t, req, http.StatusUnprocessableEntity) // second request should fail
 }
 
@@ -105,7 +105,7 @@ func TestAPICreatePullWithFieldsSuccess(t *testing.T) {
 
 	req := NewRequestWithJSON(t, http.MethodPost, fmt.Sprintf("/api/v1/repos/%s/%s/pulls?token=%s", owner10.Name, repo10.Name, token), opts)
 
-	res := session.MakeRequest(t, req, 201)
+	res := session.MakeRequest(t, req, http.StatusCreated)
 	pull := new(api.PullRequest)
 	DecodeJSON(t, res, pull)
 
@@ -165,20 +165,20 @@ func TestAPIEditPull(t *testing.T) {
 		Title: "create a success pr",
 	})
 	pull := new(api.PullRequest)
-	resp := session.MakeRequest(t, req, 201)
+	resp := session.MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, pull)
 	assert.EqualValues(t, "master", pull.Base.Name)
 
 	req = NewRequestWithJSON(t, http.MethodPatch, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d?token=%s", owner10.Name, repo10.Name, pull.Index, token), &api.EditPullRequestOption{
 		Base:  "feature/1",
 		Title: "edit a this pr",
 	})
-	resp = session.MakeRequest(t, req, 201)
+	resp = session.MakeRequest(t, req, http.StatusCreated)
 	DecodeJSON(t, resp, pull)
 	assert.EqualValues(t, "feature/1", pull.Base.Name)
 
 	req = NewRequestWithJSON(t, http.MethodPatch, fmt.Sprintf("/api/v1/repos/%s/%s/pulls/%d?token=%s", owner10.Name, repo10.Name, pull.Index, token), &api.EditPullRequestOption{
 		Base: "not-exist",
 	})
-	session.MakeRequest(t, req, 404)
+	session.MakeRequest(t, req, http.StatusNotFound)
 }

integrations/api_repo_languages_test.go

@@ -33,7 +33,7 @@ func TestRepoLanguages(t *testing.T) {
 			"content":       "package main",
 			"commit_choice": "direct",
 		})
-		session.MakeRequest(t, req, http.StatusFound)
+		session.MakeRequest(t, req, http.StatusSeeOther)
 
 		// let gitea calculate language stats
 		time.Sleep(time.Second)

integrations/attachment_test.go

@@ -59,7 +59,7 @@ func createAttachment(t *testing.T, session *TestSession, repoURL, filename stri
 func TestCreateAnonymousAttachment(t *testing.T) {
 	defer prepareTestEnv(t)()
 	session := emptyTestSession(t)
-	createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusFound)
+	createAttachment(t, session, "user2/repo1", "image.png", generateImg(), http.StatusSeeOther)
 }
 
 func TestCreateIssueAttachment(t *testing.T) {
@@ -83,7 +83,7 @@ func TestCreateIssueAttachment(t *testing.T) {
 	}
 
 	req = NewRequestWithValues(t, "POST", link, postData)
-	resp = session.MakeRequest(t, req, http.StatusFound)
+	resp = session.MakeRequest(t, req, http.StatusSeeOther)
 	test.RedirectURL(resp) // check that redirect URL exists
 
 	// Validate that attachment is available

integrations/auth_ldap_test.go

@@ -135,7 +135,7 @@ func addAuthSourceLDAP(t *testing.T, sshKeyAttribute string, groupMapParams ...s
 		"group_team_map_removal":   groupTeamMapRemoval,
 		"user_uid":                 "DN",
 	})
-	session.MakeRequest(t, req, http.StatusFound)
+	session.MakeRequest(t, req, http.StatusSeeOther)
 }
 
 func TestLDAPUserSignin(t *testing.T) {
@@ -202,7 +202,7 @@ func TestLDAPAuthChange(t *testing.T) {
 		"is_sync_enabled":          "on",
 		"is_active":                "on",
 	})
-	session.MakeRequest(t, req, http.StatusFound)
+	session.MakeRequest(t, req, http.StatusSeeOther)
 
 	req = NewRequest(t, "GET", href)
 	resp = session.MakeRequest(t, req, http.StatusOK)

integrations/change_default_branch_test.go

@@ -28,7 +28,7 @@ func TestChangeDefaultBranch(t *testing.T) {
 		"action": "default_branch",
 		"branch": "DefaultBranch",
 	})
-	session.MakeRequest(t, req, http.StatusFound)
+	session.MakeRequest(t, req, http.StatusSeeOther)
 
 	csrf = GetCSRF(t, session, branchesURL)
 	req = NewRequestWithValues(t, "POST", branchesURL, map[string]string{

integrations/create_no_session_test.go

@@ -110,7 +110,7 @@ func TestSessionFileCreation(t *testing.T) {
 			"user_name": "user2",
 			"password":  userPassword,
 		})
-		resp = MakeRequest(t, req, http.StatusFound)
+		resp = MakeRequest(t, req, http.StatusSeeOther)
 		sessionID = getSessionID(t, resp)
 
 		assert.FileExists(t, sessionFile(tmpDir, sessionID))

integrations/delete_user_test.go

@@ -36,7 +36,7 @@ func TestUserDeleteAccount(t *testing.T) {
 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		"_csrf": csrf,
 	})
-	session.MakeRequest(t, req, http.StatusFound)
+	session.MakeRequest(t, req, http.StatusSeeOther)
 
 	assertUserDeleted(t, 8)
 	unittest.CheckConsistencyFor(t, &user_model.User{})
@@ -51,7 +51,7 @@ func TestUserDeleteAccountStillOwnRepos(t *testing.T) {
 	req := NewRequestWithValues(t, "POST", urlStr, map[string]string{
 		"_csrf": csrf,
 	})
-	session.MakeRequest(t, req, http.StatusFound)
+	session.MakeRequest(t, req, http.StatusSeeOther)
 
 	// user should not have been deleted, because the user still owns repos
 	unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})

integrations/editor_test.go

@@ -34,7 +34,7 @@ func TestCreateFile(t *testing.T) {
 			"content":       "Content",
 			"commit_choice": "direct",
 		})
-		session.MakeRequest(t, req, http.StatusFound)
+		session.MakeRequest(t, req, http.StatusSeeOther)
 	})
 }
 
@@ -48,7 +48,7 @@ func TestCreateFileOnProtectedBranch(t *testing.T) {
 			"_csrf":     csrf,
 			"protected": "on",
 		})
-		session.MakeRequest(t, req, http.StatusFound)
+		session.MakeRequest(t, req, http.StatusSeeOther)
 		// Check if master branch has been locked successfully
 		flashCookie := session.GetCookie("macaron_flash")
 		assert.NotNil(t, flashCookie)
@@ -82,7 +82,7 @@ func TestCreateFileOnProtectedBranch(t *testing.T) {
 			"_csrf":     csrf,
 			"protected": "off",
 		})
-		resp = session.MakeRequest(t, req, http.StatusFound)
+		resp = session.MakeRequest(t, req, http.StatusSeeOther)
 		// Check if master branch has been locked successfully
 		flashCookie = session.GetCookie("macaron_flash")
 		assert.NotNil(t, flashCookie)
@@ -109,7 +109,7 @@ func testEditFile(t *testing.T, session *TestSession, user, repo, branch, filePa
 			"commit_choice": "direct",
 		},
 	)
-	resp = session.MakeRequest(t, req, http.StatusFound)
+	resp = session.MakeRequest(t, req, http.StatusSeeOther)
 
 	// Verify the change
 	req = NewRequest(t, "GET", path.Join(user, repo, "raw/branch", branch, filePath))
@@ -139,7 +139,7 @@ func testEditFileToNewBranch(t *testing.T, session *TestSession, user, repo, bra
 			"new_branch_name": targetBranch,
 		},
 	)
-	resp = session.MakeRequest(t, req, http.StatusFound)
+	resp = session.MakeRequest(t, req, http.StatusSeeOther)
 
 	// Verify the change
 	req = NewRequest(t, "GET", path.Join(user, repo, "raw/branch", targetBranch, filePath))

integrations/git_smart_http_test.go

@@ -24,31 +24,31 @@ func testGitSmartHTTP(t *testing.T, u *url.URL) {
 	}{
 		{
 			p:    "user2/repo1/info/refs",
-			code: 200,
+			code: http.StatusOK,
 		},
 		{
 			p:    "user2/repo1/HEAD",
-			code: 200,
+			code: http.StatusOK,
 		},
 		{
 			p:    "user2/repo1/objects/info/alternates",
-			code: 404,
+			code: http.StatusNotFound,
 		},
 		{
 			p:    "user2/repo1/objects/info/http-alternates",
-			code: 404,
+			code: http.StatusNotFound,
 		},
 		{
 			p:    "user2/repo1/../../custom/conf/app.ini",
-			code: 404,
+			code: http.StatusNotFound,
 		},
 		{
 			p:    "user2/repo1/objects/info/../../../../custom/conf/app.ini",
-			code: 404,
+			code: http.StatusNotFound,
 		},
 		{
 			p:    `user2/repo1/objects/info/..\..\..\..\custom\conf\app.ini`,
-			code: 400,
+			code: http.StatusBadRequest,
 		},
 	}
 

integrations/git_test.go

@@ -435,7 +435,7 @@ func doProtectBranch(ctx APITestContext, branch, userToWhitelist, unprotectedFil
 				"protected":                 "on",
 				"unprotected_file_patterns": unprotectedFilePatterns,
 			})
-			ctx.Session.MakeRequest(t, req, http.StatusFound)
+			ctx.Session.MakeRequest(t, req, http.StatusSeeOther)
 		} else {
 			user, err := user_model.GetUserByName(userToWhitelist)
 			assert.NoError(t, err)
@@ -448,7 +448,7 @@ func doProtectBranch(ctx APITestContext, branch, userToWhitelist, unprotectedFil
 				"whitelist_users":           strconv.FormatInt(user.ID, 10),
 				"unprotected_file_patterns": unprotectedFilePatterns,
 			})
-			ctx.Session.MakeRequest(t, req, http.StatusFound)
+			ctx.Session.MakeRequest(t, req, http.StatusSeeOther)
 		}
 		// Check if master branch has been locked successfully
 		flashCookie := ctx.Session.GetCookie("macaron_flash")

integrations/integration_test.go

@@ -380,7 +380,7 @@ func loginUserWithPassword(t testing.TB, userName, password string) *TestSession
 		"user_name": userName,
 		"password":  password,
 	})
-	resp = MakeRequest(t, req, http.StatusFound)
+	resp = MakeRequest(t, req, http.StatusSeeOther)
 
 	ch := http.Header{}
 	ch.Add("Cookie", strings.Join(resp.Header()["Set-Cookie"], ";"))
@@ -408,7 +408,7 @@ func getTokenForLoggedInUser(t testing.TB, session *TestSession) string {
 		"_csrf": doc.GetCSRF(),
 		"name":  fmt.Sprintf("api-testing-token-%d", tokenCounter),
 	})
-	resp = session.MakeRequest(t, req, http.StatusFound)
+	resp = session.MakeRequest(t, req, http.StatusSeeOther)
 	req = NewRequest(t, "GET", "/user/settings/applications")
 	resp = session.MakeRequest(t, req, http.StatusOK)
 	htmlDoc := NewHTMLParser(t, resp.Body)