Cannot create issue attachment via the API when using query parameter #12936

Closed
opened 2025-11-02 10:25:36 -06:00 by GiteaMirror · 6 comments

Originally created by @Android-X13 on GitHub (Apr 29, 2024).

Description

In previous versions I used to be able to create issue attachments via the API like so (as per the docs):

curl -X 'POST' "http://host/api/v1/repos/$org/$repo/issues/$index/assets?name=Test" \
  -H "Accept: application/json" \
  -H "Authorization: token $TOKEN" \
  -H "Content-Type: multipart/form-data" \
  -F "attachment=@test.jpg;type=image/jpeg"

However now the server responds:

"This file extension or type is not allowed to be uploaded."

The attachment is created fine if the name query parameter is removed.

Gitea Version

1.21.11

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Binary download, systemd

Database

None

GiteaMirror added the type/bug and issue/needs-feedback labels 2025-11-02 10:25:36 -06:00

@KN4CK3R commented on GitHub (Apr 29, 2024):

I don't think there was a relevant change. But with name=Test you prevent a check of the filename extension. If you remove the name parameter, the upload filename test.jpg is used.


@Android-X13 commented on GitHub (Apr 30, 2024):

I'm pretty sure I could use it in older versions with no problem... I don't remember which version though.

This is how the attachment looks now:

![attachment](https://github.com/go-gitea/gitea/assets/76814540/028aad2b-78de-480e-9af8-4e8edf88e48c)

When using the name parameter, instead of the filename test.jpg it would show the name provided.

What is the point of the name parameter in the API docs if it's never used?


@KN4CK3R commented on GitHub (Apr 30, 2024):

It is used and overrides the upload filename. If you pass name=test2.jpg your upload is named test2.jpg.


@kemzeb commented on GitHub (May 8, 2024):

To add some clarification, the problem you are having is that when you pass name=Test we perform an extension check that honors what is provided in ALLOWED_TYPES in your app.ini's [attachment] section. If you don't explicitly define this key, we have a default that is used (see [here](https://docs.gitea.com/next/administration/config-cheat-sheet#issue-and-pull-request-attachments-attachment) for more details). Since Test doesn't have an extension that is known in this list, we will reject it.

You have a few options to solve this:

  • Use an extension that is allowed in your attachment name, e.g. Test.jpg
  • If you wish, you could allow all types by either giving the ALLOWED_TYPES key nothing or passing a */* (this is mentioned in the docs given above)

However, if you want to allow a file with no extension, this does not look possible currently given the [code](https://github.com/go-gitea/gitea/blob/f7d2f695a4c57b245830a526e77fa62e99e00254/services/context/upload/upload.go#L37) that I see. We don't accept empty entries in ALLOWED_TYPES and we always expect at least a . prefix when you pass an extension (e.g. we would allow .webp but ignore webp during verification).
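The extension rules described in the comment above, as an added Go sketch that is not Gitea's own upload code. `verifyName`, `parseAllowed` and the sample list are hypothetical; comma-separated entries and case-insensitive matching are assumptions of this model, and it covers only the extension rules named in the thread.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrTypeForbidden stands in for the rejection message quoted in the issue.
var ErrTypeForbidden = errors.New("file extension or type is not allowed")

// parseAllowed normalizes an ALLOWED_TYPES value: entries are trimmed and
// lower-cased (assumption), and empty entries are dropped.
func parseAllowed(allowedTypes string) []string {
	var out []string
	for _, e := range strings.Split(allowedTypes, ",") {
		if e = strings.ToLower(strings.TrimSpace(e)); e != "" {
			out = append(out, e)
		}
	}
	return out
}

// verifyName is a hypothetical helper modelling only the extension rules
// described in the thread; it is not Gitea's implementation.
func verifyName(name, allowedTypes string) error {
	allowed := parseAllowed(allowedTypes)
	if len(allowed) == 0 {
		return nil // key left empty: every type is allowed
	}
	ext := strings.ToLower(path.Ext(name)) // "" for a name such as "Test"
	for _, e := range allowed {
		// "*/*" allows everything. Otherwise only entries with a "." prefix
		// count as extensions, so a bare "webp" entry never matches.
		if e == "*/*" || (strings.HasPrefix(e, ".") && e == ext) {
			return nil
		}
	}
	return ErrTypeForbidden
}

func main() {
	const sample = ".jpg,.png,webp" // constructed list, not Gitea's default
	for _, n := range []string{"Test", "Test.jpg", "test2.JPG", "a.webp"} {
		fmt.Printf("%-10s -> %v\n", n, verifyName(n, sample))
	}
}
```

Because the `name` query parameter replaces the upload filename before the check, `name=Test` is evaluated with an empty extension even though the uploaded file is `test.jpg`.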


@Android-X13 commented on GitHub (May 26, 2024):

@kemzeb thanks for the info.

My intention was not to add a file with no extension. As I've already said above, I thought that the name parameter just names the attachment in the web interface. I recall that this was the case in a previous version, but if I'm terribly mistaken then I guess the issue can be closed?


@kemzeb commented on GitHub (May 26, 2024):

No problem.

After exploring the following commits:

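  • [This](https://github.com/go-gitea/gitea/commit/3c59d31bc605bbefc6636e9b0a93e90ad2696ed9#diff-3e5b39ebf37ce325f4384e1932c111a53cc0a1d9fe7dc3005bafb6ec36d7f758) introduced the issue attachment POST API (2 years ago)
  • [This](https://github.com/go-gitea/gitea/commit/ddc709ff7f94bd627ac05209a16ea5a5e24b7413#diff-bf2b3a3d889c292791f2eebd48b488404703bd4e6a470b8901dfd7cd06fd6af5) introduced the function that the POST endpoint uses which performs the file extension check (3 years ago)
  • [This](https://github.com/go-gitea/gitea/commit/cda44750cbdc7a8460666a4f0ac7f652d84a3964#diff-e942a98dd83b9f21c2cc7de4d879f0e09fe601d2c930091718b58388f49de478) introduced file extension checks to that function (4 years ago)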

To me it looks like we have been performing these checks on the name query param ever since the API's inception.


Reference: github-starred/gitea#12936