Attachment extension upload works when not in ALLOWED_TYPES #11562

Closed
opened 2025-11-02 09:41:07 -06:00 by GiteaMirror · 12 comments

Originally created by @ovisan on GitHub (Aug 30, 2023).

Description

I've set the ALLOWED_TYPES: "json,csv,xls,xlsx,sav,dta,por,sas,stata,geojson,gpkg". But I can still upload something like a zip or mkv. It should not be allowed to upload these extensions.

Gitea Version

1.20.3

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Via the official helm chart in k8s

Database

PostgreSQL

GiteaMirror added the issue/needs-feedback label 2025-11-02 09:41:07 -06:00

@ovisan commented on GitHub (Aug 30, 2023):

tried also with ALLOWED_TYPES = .json,.csv,.xls,.xlsx,.sav,.dta,.por,.sas,.stata,.geojson,.gpkg


@wxiaoguang commented on GitHub (Aug 30, 2023):

Issue attachment or release attachment? What's your app.ini?


@ovisan commented on GitHub (Aug 30, 2023):

@wxiaoguang below the full app.ini from the container

```
gitea-5898c6978c-xhgkg:/# cat /data/gitea/conf/app.ini
APP_NAME = SRE Gitea
WORK_PATH = /data

[indexer]
ISSUE_INDEXER_TYPE = db

[server]
LFS_JWT_SECRET = <REDACTED>
ROOT_URL = https://<REDACTED>
OFFLINE_MODE = true
ENABLE_PPROF = false
SSH_PORT = 22
APP_DATA_PATH = /data
SSH_LISTEN_PORT = 2222
PROTOCOL = http
HTTP_PORT = 3000
START_SSH_SERVER = true
DISABLE_SSH = true
SSH_DOMAIN = <REDACTED>
DOMAIN = <REDACTED>

[database]
NAME = gitea
SSL_MODE = require
DB_TYPE = postgres
HOST = gitea-postgres-primary.<REDACTED>.svc
USER = gitea
PASSWD = <REDACTED>
SCHEMA = public

[service]
DEFAULT_KEEP_EMAIL_PRIVATE = true
REQUIRE_SIGNIN_VIEW = true
DISABLE_REGISTRATION = true
DEFAULT_USER_IS_RESTRICTED = true
EXPLORE = map[DISABLE_USERS_PAGE:true REQUIRE_SIGNIN_VIEW:true]
DEFAULT_ORG_VISIBILITY = private
DEFAULT_USER_VISIBILITY = private
DEFAULT_ALLOW_CREATE_ORGANIZATION = false

[session]
PROVIDER_CONFIG = redis+cluster://:@gitea-redis-cluster-headless.<REDACTED>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
PROVIDER = redis-cluster
SESSION_LIFE_TIME = 1800
GC_INTERVAL_TIME = 1800
COOKIE_SECURE = true

[repository]
ROOT = ~/gitea-repositories
MAX_CREATION_LIMIT = 20
UPLOAD = map[ALLOWED_TYPES:.json,.csv,.xls,.xlsx,.sav,.dta,.por,.sas,.stata,.geojson,.gpkg ENABLED:true FILE_MAX_SIZE:1024 MAX_FILES:9999]

[cache]
HOST = redis+cluster://:@gitea-redis-cluster-headless.<REDACTED>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
ENABLED = true
ADAPTER = redis

[security]
INTERNAL_TOKEN = <REDACTED>
SECRET_KEY = <REDACTED>
INSTALL_LOCK = true

[openid]
ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true

[queue]
TYPE = redis
CONN_STR = redis+cluster://:@gitea-redis-cluster-headless.<REDACTED>.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&

[admin]
DISABLE_REGULAR_ORG_CREATION = true

[ui]
SHOW_USER_EMAIL = false

[metrics]
ENABLED = true

[oauth2_client]
ENABLE_AUTO_REGISTRATION = true

[oauth2]
JWT_SECRET = <REDACTED>

[attachment]
ALLOWED_TYPES = .json,.csv,.xls,.xlsx,.sav,.dta,.por,.sas,.stata,.geojson,.gpkg
FILE_MAX_SIZE = 1024
MAX_FILES = 9999
ENABLED = true
```

@wxiaoguang commented on GitHub (Aug 30, 2023):

Issue attachment or release attachment?


@wxiaoguang commented on GitHub (Aug 30, 2023):

ps: the generated config is not right.

```
EXPLORE = map[DISABLE_USERS_PAGE:true REQUIRE_SIGNIN_VIEW:true]

...

UPLOAD = map[ALLOWED_TYPES:.json,.csv,.xls,.xlsx,.sav,.dta,.por,.sas,.stata,.geojson,.gpkg ENABLED:true FILE_MAX_SIZE:1024 MAX_FILES:9999]
```

@ovisan commented on GitHub (Aug 30, 2023):

I am trying to commit the files, so neither issue nor release.


@ovisan commented on GitHub (Aug 30, 2023):

> ps: the generated config is not right.
>
> ```
> EXPLORE = map[DISABLE_USERS_PAGE:true REQUIRE_SIGNIN_VIEW:true]
>
> ...
>
> UPLOAD = map[ALLOWED_TYPES:.json,.csv,.xls,.xlsx,.sav,.dta,.por,.sas,.stata,.geojson,.gpkg ENABLED:true FILE_MAX_SIZE:1024 MAX_FILES:9999]
> ```

That is generated from the helm chart. Should I open a bug there?


@wxiaoguang commented on GitHub (Aug 30, 2023):

> That is generated from the helm chart. Should I open a bug there?

I think so.


And, there are 3 different "ALLOWED_TYPES":

See https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini

```
;[attachment]
;ALLOWED_TYPES
;[repository.upload]
;ALLOWED_TYPES =
;[repository.release]
;ALLOWED_TYPES =
```

@ovisan commented on GitHub (Aug 30, 2023):

Yes, I have entries for ALLOWED_TYPES in [attachment] and [repository.upload]. Normally I should not be able to upload any other files with an extension not in ALLOWED_TYPES, right?


@wxiaoguang commented on GitHub (Aug 30, 2023):

If your config options are right and there is no bug and you are using the related "upload page", then the answer is yes.

But at the moment I have no idea what's your config content, or which page you are visiting, or whether there is a bug.


@wxiaoguang commented on GitHub (Aug 30, 2023):

> I am trying to commit the files, so neither issue nor release.

If you mean "git commit", it is never limited by these config options.


@ovisan commented on GitHub (Aug 30, 2023):

Yes, that's what I mean, "git commit". Then this is not a bug.
Thanks.

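The thread's conclusion is that the three ALLOWED_TYPES settings only gate the web upload pages and never a git push, so an extension allow-list that must also hold for pushed content has to be enforced server-side. The following pre-receive hook is an added example, not code from the thread or from Gitea; it assumes the repository is permitted to run custom git hooks on the Gitea server and copies the allow-list from the [repository.upload] entry above.

```shell
#!/bin/sh
# Added example, not from the thread or from Gitea: a pre-receive hook that
# rejects pushed files whose extension is outside an allow-list. Assumes the
# repository may run custom git hooks on the Gitea server.

# Constructed allow-list, copied from the [repository.upload] entry above.
ALLOWED_EXTS=".json,.csv,.xls,.xlsx,.sav,.dta,.por,.sas,.stata,.geojson,.gpkg"

# is_allowed_ext PATH: 0 if the basename's extension is in ALLOWED_EXTS
# (case-insensitive), else 1. No extension, or a dotfile such as
# .gitignore, is rejected unless its "extension" is listed.
is_allowed_ext() {
    base=$(basename "$1")
    case "$base" in
        *.*) ext=$(printf '.%s' "${base##*.}" | tr '[:upper:]' '[:lower:]') ;;
        *)   return 1 ;;
    esac
    for allowed in $(printf '%s' "$ALLOWED_EXTS" | tr ',' ' '); do
        [ "$ext" = "$allowed" ] && return 0
    done
    return 1
}

# check_ref OLDREV NEWREV: 1 if any file added or modified between the two
# revisions has a disallowed extension (offenders printed to stderr), else 0.
check_ref() {
    old=$1; new=$2
    # A new branch arrives with an all-zero OLDREV: diff against the empty
    # tree so every file on the branch is checked.
    case "$old" in
        0000000000000000000000000000000000000000) old=$(git hash-object -t tree /dev/null) ;;
    esac
    rejected=$(git diff --name-only --diff-filter=AM "$old" "$new" |
        while IFS= read -r f; do is_allowed_ext "$f" || printf '%s\n' "$f"; done)
    if [ -n "$rejected" ]; then
        printf 'rejected, extension not in allow-list:\n%s\n' "$rejected" >&2
        return 1
    fi
    return 0
}

# Entry point: git feeds one "oldrev newrev refname" line per pushed ref.
# Guarded so the functions can also be sourced and tested without git.
if [ "$(basename "$0")" = "pre-receive" ]; then
    status=0
    while read -r oldrev newrev refname; do
        check_ref "$oldrev" "$newrev" || status=1
    done
    exit $status
fi
```

Install it as `pre-receive` in the repository's hooks directory on the server; a push that only rewrites history without adding or modifying files passes, since deletions are not inspected.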

Reference: github-starred/gitea#11562