github-starred/gitea
2
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-03-09 04:25:18 -05:00
Code Issues 2.6k Packages Projects Releases 100 Wiki Activity

404 when clicking on composer package #9440

New Issue
Closed
opened 2025-11-02 08:38:51 -06:00 by GiteaMirror · 16 comments
GiteaMirror commented 2025-11-02 08:38:51 -06:00
Owner
Copy Link

Originally created by @mbretter on GitHub (Aug 21, 2022).

Description

I have uploaded a composer package:

curl --user "xxx:aaa" --upload-file simpko-micropayment.zip  https://gitea.xxx.at/api/packages/xxx/composer?version=1.0.2

This worked, the package is shown in the packages list.
But when clicking on the package I am getting a 404:
https://gitea.xxx.at/xxx/-/packages/composer/simpko%2Fmicropayment/1.0.2

The logs are showing:

router: completed GET /xxx/-/packages/composer/simpko/micropayment/1.0.2 for 192.168.7.5:57914, 404 Not Found in 5.4ms @ web/goget.go:21(web.goGet)

The upload log:

router: completed PUT /api/packages/xxx/composer?version=1.0.2 for 192.168.7.5:57250, 201 Created in 38.9ms @ composer/composer.go:189(composer.UploadPackage)

Gitea Version

1.17.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

ubuntu

How are you running Gitea?

I am running the gitea-1.17.1-linux-amd64 binary

Database

MySQL

Originally created by @mbretter on GitHub (Aug 21, 2022). ### Description I have uploaded a composer package: ``` curl --user "xxx:aaa" --upload-file simpko-micropayment.zip https://gitea.xxx.at/api/packages/xxx/composer?version=1.0.2 ``` This worked, the package is shown in the packages list. But when clicking on the package I am getting a 404: https://gitea.xxx.at/xxx/-/packages/composer/simpko%2Fmicropayment/1.0.2 The logs are showing: ``` router: completed GET /xxx/-/packages/composer/simpko/micropayment/1.0.2 for 192.168.7.5:57914, 404 Not Found in 5.4ms @ web/goget.go:21(web.goGet) ``` The upload log: ``` router: completed PUT /api/packages/xxx/composer?version=1.0.2 for 192.168.7.5:57250, 201 Created in 38.9ms @ composer/composer.go:189(composer.UploadPackage) ``` ### Gitea Version 1.17.1 ### Can you reproduce the bug on the Gitea demo site? No ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System ubuntu ### How are you running Gitea? I am running the gitea-1.17.1-linux-amd64 binary ### Database MySQL
GiteaMirror added the topic/packagestype/bug labels 2025-11-02 08:38:51 -06:00
GiteaMirror commented 2025-11-02 08:38:52 -06:00
Author
Owner
Copy Link

@mbretter commented on GitHub (Aug 22, 2022):

I could delete the packages using /admin/packages, I tried to upload them from scratch, with the same result.
Some database contents:

MariaDB [gitea]> select * from package;
+----+----------+---------+----------+---------------------+---------------------+-------------------+
| id | owner_id | repo_id | type     | name                | lower_name          | semver_compatible |
+----+----------+---------+----------+---------------------+---------------------+-------------------+
|  3 |        1 |       0 | composer | simpko/micropayment | simpko/micropayment |                 1 |
+----+----------+---------+----------+---------------------+---------------------+-------------------+
1 row in set (0.000 sec)

MariaDB [gitea]> select * from package_property;
+----+----------+--------+---------------+---------+
| id | ref_type | ref_id | name          | value   |
+----+----------+--------+---------------+---------+
|  5 |        0 |      5 | composer.type | library |
+----+----------+--------+---------------+---------+
1 row in set (0.000 sec)

MariaDB [gitea]> select * from package_file;
+----+------------+---------+-------------------------------+-------------------------------+---------------+---------+--------------+
| id | version_id | blob_id | name                          | lower_name                    | composite_key | is_lead | created_unix |
+----+------------+---------+-------------------------------+-------------------------------+---------------+---------+--------------+
|  5 |          5 |       2 | simpko-micropayment.1.0.0.zip | simpko-micropayment.1.0.0.zip |               |       1 |   1661089314 |
+----+------------+---------+-------------------------------+-------------------------------+---------------+---------+------


MariaDB [gitea]> select * from package_version\G
*************************** 1. row ***************************
            id: 5
    package_id: 3
    creator_id: 1
       version: 1.0.0
 lower_version: 1.0.0
  created_unix: 1661089314
   is_internal: 0
 metadata_json: {"description":"Micropayment","autoload":{"psr-4":{"SimpKo\\":"src/SimpKo"}},"autoload-dev":{"psr-4":{"SimpKoTest\\":"test/SimpKo"}},"require":{"guzzlehttp/guzzle":"^7","mbretter/stk-di":"^2","mbretter/stk-immutable":"^2","php":"\u003e=8.1","pimple/pimple":"^3.5","psr/log":"^2|^3"},"require-dev":{"friendsofphp/php-cs-fixer":"^v2.19.3","php-mock/php-mock-phpunit":"^2.6.0","phpstan/phpstan":"^1.5.3","phpunit/phpunit":"^9.5.20"}}

MariaDB [gitea]> select * from package_blob\G
*************************** 1. row ***************************
          id: 2
        size: 218108
    hash_md5: eb2370e78ef79c3f25df477606727b5d
   hash_sha1: dc546077218e28b15752fd23adf79b04d779297d
 hash_sha256: 6f2e9134a42224f7b24480125774d52e12c2b40d31f447ff4f7c81d296b7454f
 hash_sha512: 6e8a94f188cac180521ee30f752e8b3eef984f53b6b4cad6c564e861a632e4ddfeab38725fd6d79c0a474fc364b2f4c49fbb3416b08b01796adcec0e46d42432
created_unix: 1661089314

Forgot to mention that this works on try.gitea.io, this must be installation specific.
I have recently upgraded from 1.16.x

@mbretter commented on GitHub (Aug 22, 2022): I could delete the packages using /admin/packages, I tried to upload them from scratch, with the same result. Some database contents: ``` MariaDB [gitea]> select * from package; +----+----------+---------+----------+---------------------+---------------------+-------------------+ | id | owner_id | repo_id | type | name | lower_name | semver_compatible | +----+----------+---------+----------+---------------------+---------------------+-------------------+ | 3 | 1 | 0 | composer | simpko/micropayment | simpko/micropayment | 1 | +----+----------+---------+----------+---------------------+---------------------+-------------------+ 1 row in set (0.000 sec) MariaDB [gitea]> select * from package_property; +----+----------+--------+---------------+---------+ | id | ref_type | ref_id | name | value | +----+----------+--------+---------------+---------+ | 5 | 0 | 5 | composer.type | library | +----+----------+--------+---------------+---------+ 1 row in set (0.000 sec) MariaDB [gitea]> select * from package_file; +----+------------+---------+-------------------------------+-------------------------------+---------------+---------+--------------+ | id | version_id | blob_id | name | lower_name | composite_key | is_lead | created_unix | +----+------------+---------+-------------------------------+-------------------------------+---------------+---------+--------------+ | 5 | 5 | 2 | simpko-micropayment.1.0.0.zip | simpko-micropayment.1.0.0.zip | | 1 | 1661089314 | +----+------------+---------+-------------------------------+-------------------------------+---------------+---------+------ MariaDB [gitea]> select * from package_version\G *************************** 1. row *************************** id: 5 package_id: 3 creator_id: 1 version: 1.0.0 lower_version: 1.0.0 created_unix: 1661089314 is_internal: 0 metadata_json: {"description":"Micropayment","autoload":{"psr-4":{"SimpKo\\":"src/SimpKo"}},"autoload-dev":{"psr-4":{"SimpKoTest\\":"test/SimpKo"}},"require":{"guzzlehttp/guzzle":"^7","mbretter/stk-di":"^2","mbretter/stk-immutable":"^2","php":"\u003e=8.1","pimple/pimple":"^3.5","psr/log":"^2|^3"},"require-dev":{"friendsofphp/php-cs-fixer":"^v2.19.3","php-mock/php-mock-phpunit":"^2.6.0","phpstan/phpstan":"^1.5.3","phpunit/phpunit":"^9.5.20"}} MariaDB [gitea]> select * from package_blob\G *************************** 1. row *************************** id: 2 size: 218108 hash_md5: eb2370e78ef79c3f25df477606727b5d hash_sha1: dc546077218e28b15752fd23adf79b04d779297d hash_sha256: 6f2e9134a42224f7b24480125774d52e12c2b40d31f447ff4f7c81d296b7454f hash_sha512: 6e8a94f188cac180521ee30f752e8b3eef984f53b6b4cad6c564e861a632e4ddfeab38725fd6d79c0a474fc364b2f4c49fbb3416b08b01796adcec0e46d42432 created_unix: 1661089314 ``` Forgot to mention that this works on try.gitea.io, this must be installation specific. I have recently upgraded from 1.16.x
GiteaMirror commented 2025-11-02 08:38:53 -06:00
Author
Owner
Copy Link

@KN4CK3R commented on GitHub (Aug 22, 2022):

The db shows that the uploaded version is 1.0.0 and not 1.0.2.

@KN4CK3R commented on GitHub (Aug 22, 2022): The db shows that the uploaded version is 1.0.0 and not 1.0.2.
GiteaMirror commented 2025-11-02 08:38:53 -06:00
Author
Owner
Copy Link

@mbretter commented on GitHub (Aug 22, 2022):

The db shows that the uploaded version is 1.0.0 and not 1.0.2.

yep, because I have removed all existing packages and reuploaded the package with version 1.0.0

router log for v 1.0.0

GET /mbretter/-/packages/composer/simpko/micropayment/1.0.0 for 192.168.7.5:50164, 404 Not Found in 6.3ms @ web/goget.go:21(web.goGet)
@mbretter commented on GitHub (Aug 22, 2022): > The db shows that the uploaded version is 1.0.0 and not 1.0.2. yep, because I have removed all existing packages and reuploaded the package with version 1.0.0 router log for v 1.0.0 ``` GET /mbretter/-/packages/composer/simpko/micropayment/1.0.0 for 192.168.7.5:50164, 404 Not Found in 6.3ms @ web/goget.go:21(web.goGet) ```
GiteaMirror commented 2025-11-02 08:38:53 -06:00
Author
Owner
Copy Link

@mbretter commented on GitHub (Aug 22, 2022):

the corresponding package is on the file system, filename matches the hash_sha256 in the package_blob table:

-rw------- 1 git git 218108 Aug 21 15:41 6f2e9134a42224f7b24480125774d52e12c2b40d31f447ff4f7c81d296b7454f
root@dev:/var/lib/gitea/data/packages/6f/2e# file 6f2e9134a42224f7b24480125774d52e12c2b40d31f447ff4f7c81d296b7454f 
6f2e9134a42224f7b24480125774d52e12c2b40d31f447ff4f7c81d296b7454f: Zip archive data, at least v1.0 to extract
@mbretter commented on GitHub (Aug 22, 2022): the corresponding package is on the file system, filename matches the hash_sha256 in the package_blob table: ``` -rw------- 1 git git 218108 Aug 21 15:41 6f2e9134a42224f7b24480125774d52e12c2b40d31f447ff4f7c81d296b7454f root@dev:/var/lib/gitea/data/packages/6f/2e# file 6f2e9134a42224f7b24480125774d52e12c2b40d31f447ff4f7c81d296b7454f 6f2e9134a42224f7b24480125774d52e12c2b40d31f447ff4f7c81d296b7454f: Zip archive data, at least v1.0 to extract ```
GiteaMirror commented 2025-11-02 08:38:54 -06:00
Author
Owner
Copy Link

@KN4CK3R commented on GitHub (Aug 22, 2022):

Does requesting /xxx/-/packages/composer/simpko%2Fmicropayment/1.0.2 work?

@KN4CK3R commented on GitHub (Aug 22, 2022): Does requesting `/xxx/-/packages/composer/simpko%2Fmicropayment/1.0.2` work?
GiteaMirror commented 2025-11-02 08:38:54 -06:00
Author
Owner
Copy Link

@mbretter commented on GitHub (Aug 22, 2022):

Does requesting /xxx/-/packages/composer/simpko%2Fmicropayment/1.0.2 work?

currently it would be:
https://gitea.xxx.at/mbretter/-/packages/composer/simpko%2Fmicropayment/1.0.0

nope, causes 404

@mbretter commented on GitHub (Aug 22, 2022): > Does requesting `/xxx/-/packages/composer/simpko%2Fmicropayment/1.0.2` work? currently it would be: ```https://gitea.xxx.at/mbretter/-/packages/composer/simpko%2Fmicropayment/1.0.0``` nope, causes 404
GiteaMirror commented 2025-11-02 08:38:54 -06:00
Author
Owner
Copy Link

@KN4CK3R commented on GitHub (Aug 22, 2022):

Does your browser really use the %2F escaped slash? I have tested it with a package and got no errors.

grafik

@KN4CK3R commented on GitHub (Aug 22, 2022): Does your browser really use the %2F escaped slash? I have tested it with a package and got no errors. ![grafik](https://user-images.githubusercontent.com/1666336/185912782-d2bfd23a-c9b6-4b10-8579-337d7595abac.png)
GiteaMirror commented 2025-11-02 08:38:55 -06:00
Author
Owner
Copy Link

@mbretter commented on GitHub (Aug 22, 2022):

yes it does, this is the exact url, which is appearing in the browser

https://gitea.xxx.at/mbretter/-/packages/composer/simpko%2Fmicropayment/1.0.0

in the router log, there is a slash (not urlencoded):

2022/08/22 14:29:05 [63037691] router: started   GET /mbretter/-/packages/composer/simpko/micropayment/1.0.0 for 192.168.7.5:52734
2022/08/22 14:29:05 [63037691] router: completed GET /mbretter/-/packages/composer/simpko/micropayment/1.0.0 for 192.168.7.5:52734, 404 Not Found in 6.1ms @ web/goget.go:21(web.goGet)
@mbretter commented on GitHub (Aug 22, 2022): yes it does, this is the exact url, which is appearing in the browser ``` https://gitea.xxx.at/mbretter/-/packages/composer/simpko%2Fmicropayment/1.0.0 ``` in the router log, there is a slash (not urlencoded): ``` 2022/08/22 14:29:05 [63037691] router: started GET /mbretter/-/packages/composer/simpko/micropayment/1.0.0 for 192.168.7.5:52734 2022/08/22 14:29:05 [63037691] router: completed GET /mbretter/-/packages/composer/simpko/micropayment/1.0.0 for 192.168.7.5:52734, 404 Not Found in 6.1ms @ web/goget.go:21(web.goGet) ```
GiteaMirror commented 2025-11-02 08:38:55 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Aug 22, 2022):

Just a guess, are you using a reverse-proxy? They would do some path escaping.

@wxiaoguang commented on GitHub (Aug 22, 2022): Just a guess, are you using a reverse-proxy? They would do some path escaping.
GiteaMirror commented 2025-11-02 08:38:56 -06:00
Author
Owner
Copy Link

@mbretter commented on GitHub (Aug 22, 2022):

Just a guess, are you using a reverse-proxy? They would do some path escaping.

great, this was a good one!

I am using nginx, my proxy_pass directive looked like this:

proxy_pass http://192.168.7.32:3000/

the slash at the end caused nginx to make url normalization, after changing this to:

proxy_pass http://192.168.7.32:3000

it started working!

definitely not a gitea issue, though some kind of a documentation hint would help.

sorry for wasting your time ;)

@mbretter commented on GitHub (Aug 22, 2022): > Just a guess, are you using a reverse-proxy? They would do some path escaping. great, this was a good one! I am using nginx, my proxy_pass directive looked like this: ``` proxy_pass http://192.168.7.32:3000/ ``` the slash at the end caused nginx to make url normalization, after changing this to: ``` proxy_pass http://192.168.7.32:3000 ``` it started working! definitely not a gitea issue, though some kind of a documentation hint would help. sorry for wasting your time ;)
GiteaMirror commented 2025-11-02 08:38:56 -06:00
Author
Owner
Copy Link

@mbretter commented on GitHub (Aug 22, 2022):

the router log shows now the %2F and not the slash:

router: started   GET /mbretter/-/packages/composer/simpko%2Fmicropayment/1.0.0 for 192.168.7.5:53782
router: completed GET /mbretter/-/packages/composer/simpko%2Fmicropayment/1.0.0 for 192.168.7.5:53782, 200 OK in 15.2ms @ user/package.go:152(user.ViewPackageVersion)
@mbretter commented on GitHub (Aug 22, 2022): the router log shows now the %2F and not the slash: ``` router: started GET /mbretter/-/packages/composer/simpko%2Fmicropayment/1.0.0 for 192.168.7.5:53782 router: completed GET /mbretter/-/packages/composer/simpko%2Fmicropayment/1.0.0 for 192.168.7.5:53782, 200 OK in 15.2ms @ user/package.go:152(user.ViewPackageVersion) ```
GiteaMirror commented 2025-11-02 08:38:56 -06:00
Author
Owner
Copy Link

@ghnp5 commented on GitHub (Mar 25, 2023):

Just a guess, are you using a reverse-proxy? They would do some path escaping.

great, this was a good one!

I am using nginx, my proxy_pass directive looked like this:

proxy_pass http://192.168.7.32:3000/

the slash at the end caused nginx to make url normalization, after changing this to:

proxy_pass http://192.168.7.32:3000

it started working!

Hey

I'm getting the same problem, with the 404 if there is a slash in the name of the package, but the thing is that if I remove the "/" at the end of proxy_pass, the whole Gitea will give me 404 for all pages!

In the access logs (with the "/" in proxy_pass), I do see the escaped slash (just like it appears in the browser URL):

/packages/container/actions%2Frsync-ssh/latest

Not sure how to fix this one! :)

@ghnp5 commented on GitHub (Mar 25, 2023): > > Just a guess, are you using a reverse-proxy? They would do some path escaping. > > great, this was a good one! > > I am using nginx, my proxy_pass directive looked like this: > > ``` > proxy_pass http://192.168.7.32:3000/ > ``` > > the slash at the end caused nginx to make url normalization, after changing this to: > > ``` > proxy_pass http://192.168.7.32:3000 > ``` > > it started working! Hey I'm getting the same problem, with the 404 if there is a slash in the name of the package, but the thing is that if I remove the "/" at the end of `proxy_pass`, the whole Gitea will give me 404 for all pages! In the access logs (with the "/" in proxy_pass), I do see the escaped slash (just like it appears in the browser URL): > /packages/container/actions%2Frsync-ssh/latest Not sure how to fix this one! :)
GiteaMirror commented 2025-11-02 08:38:57 -06:00
Author
Owner
Copy Link

@ghnp5 commented on GitHub (Mar 25, 2023):

Alright... fixed it.
It's because I'm using a subpath:

	location /gitea/ {
		# this hack prevents URL encoding, which can break the Packages area, for package names with slashes
		rewrite ^ $request_uri;
		rewrite ^/gitea(/.*) $1 break;
		return 400; # if the second rewrite won't match
		proxy_pass http://127.0.0.1:1234$uri;

More info: https://stackoverflow.com/questions/28684300/nginx-pass-proxy-subdirectory-without-url-decoding/37584637#37584637

@ghnp5 commented on GitHub (Mar 25, 2023): Alright... fixed it. It's because I'm using a subpath: location /gitea/ { # this hack prevents URL encoding, which can break the Packages area, for package names with slashes rewrite ^ $request_uri; rewrite ^/gitea(/.*) $1 break; return 400; # if the second rewrite won't match proxy_pass http://127.0.0.1:1234$uri; More info: https://stackoverflow.com/questions/28684300/nginx-pass-proxy-subdirectory-without-url-decoding/37584637#37584637
GiteaMirror commented 2025-11-02 08:38:57 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Mar 26, 2023):

It's also documented by Gitea document:

https://docs.gitea.io/en-us/reverse-proxies/#nginx-with-a-sub-path

# Note: Trailing slash

If it's not clear, feel free to propose a PR to improve it.

@wxiaoguang commented on GitHub (Mar 26, 2023): It's also documented by Gitea document: https://docs.gitea.io/en-us/reverse-proxies/#nginx-with-a-sub-path `# Note: Trailing slash` If it's not clear, feel free to propose a PR to improve it.
GiteaMirror commented 2025-11-02 08:38:57 -06:00
Author
Owner
Copy Link

@ghnp5 commented on GitHub (Mar 26, 2023):

@wxiaoguang - That's how I had it originally, but it won't work for URLs of packages with slashes. That section of the documentation doesn't mention this and doesn't provide a solution like what we had to do to fix the issue in this thread.

@ghnp5 commented on GitHub (Mar 26, 2023): @wxiaoguang - That's how I had it originally, but it won't work for URLs of packages with slashes. That section of the documentation doesn't mention this and doesn't provide a solution like what we had to do to fix the issue in this thread.
GiteaMirror commented 2025-11-02 08:38:58 -06:00
Author
Owner
Copy Link

@wxiaoguang commented on GitHub (Mar 26, 2023):

I see, the document is incompatible with sub-path escaping. I will open a new issue for it.

@wxiaoguang commented on GitHub (Mar 26, 2023): I see, the document is incompatible with sub-path escaping. I will open a new issue for it.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
$20
$250
$50
$500
backport/done
💎 Bounty
docs-update-needed
good first issue
hacktoberfest
issue/bounty
issue/confirmed
issue/critical
issue/duplicate
issue/needs-feedback
issue/not-a-bug
issue/regression
issue/stale
issue/workaround
lgtm/need 2
modifies/api
modifies/translation
outdated/backport/v1.18
outdated/theme/markdown
outdated/theme/timetracker
performance/bigrepo
performance/cpu
performance/memory
performance/speed
pr/breaking
proposal/accepted
proposal/rejected
pr/wip
pull-request
Mirrored from GitHub Pull Request
 reviewed/wontfix
💰 Rewarded
skip-changelog
status/blocked
topic/accessibility
topic/api
topic/authentication
topic/build
topic/code-linting
topic/commit-signing
topic/content-rendering
topic/deployment
topic/distribution
topic/federation
topic/gitea-actions
topic/issues
topic/lfs
topic/mobile
topic/moderation
topic/packages
topic/pr
topic/projects
topic/repo
topic/repo-migration
topic/security
topic/theme
topic/ui
topic/ui-interaction
topic/ux
topic/webhooks
topic/wiki
type/bug
type/deprecation
type/docs
type/enhancement
type/feature
type/miscellaneous
type/proposal
type/question
type/refactoring
type/summary
type/testing
type/upstream
No Label topic/packages type/bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/gitea#9440
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?