Backport #36502 by @lunny
Fix#28479
When scrolling inside the editor and the editor has already reached the
end of its scroll area, the browser does not continue scrolling. This is
inconvenient because users must move the cursor out of the editor to
scroll the page further.
This PR enables automatic switching between the editor’s scroll and the
browser’s scroll, allowing seamless continuous scrolling.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #36480 by @ZPascal
## Overview
This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for
the Gitea project.
## Changes
### Toolchain Update
- **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6`
This is a minor toolchain version bump that ensures the project uses the
latest patch release of Go 1.25.
## Security Improvements
While this PR primarily addresses the toolchain update, the project
maintains a strong security posture through:
### Current Security Measures
```log
Vulnerability #1: GO-2026-4342
Excessive CPU consumption when building archive index in archive/zip
More info: https://pkg.go.dev/vuln/GO-2026-4342
Standard library
Found in: archive/zip@go1.25.5
Fixed in: archive/zip@go1.25.6
Example traces found:
#1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open
Vulnerability #2: GO-2026-4341
Memory exhaustion in query parameter parsing in net/url
More info: https://pkg.go.dev/vuln/GO-2026-4341
Standard library
Found in: net/url@go1.25.5
Fixed in: net/url@go1.25.6
Example traces found:
#1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery
#2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query
Vulnerability #3: GO-2026-4340
Handshake messages may be processed at the incorrect encryption level in
crypto/tls
More info: https://pkg.go.dev/vuln/GO-2026-4340
Standard library
Found in: crypto/tls@go1.25.5
Fixed in: crypto/tls@go1.25.6
Example traces found:
#1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake
#2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext
#3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read
#4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write
#5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial
#6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer
#7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext
```
Co-authored-by: Pascal Zimmermann <pascal.zimmermann@theiotstudio.com>
This PR fixes missed repo_id on the migration of attachments to Gitea.
It also provides a doctor check to fix the dirty data on the database.
Backport #36389
Backport #36339 by @lunny
When a user has been revoked permission to access a repository, the
related notification could still be visited. But the repository's
information should not be leaked any more.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Partially backport #36336
1. correctly parse git protocol's "OldCommit NewCommit RefName" line, it
should be explicitly split by space
2. trim space for the "commit status context name" to follow the same
behavior of git_model.NewCommitStatus
Backport of https://github.com/go-gitea/gitea/pull/36219
Fixes: https://github.com/go-gitea/gitea/issues/36216
Now `detectWebAuthnSupport` returns the error type and lets the caller
decide whether they call `webAuthnError` and show the error. It no
longer shows the error during page load when the user has not even
interacted with the feature.
The bug affects all users on HTTP, so I think a quick fix release for
this might be good.
Backport #36117 by @schinkelg
Changed a small typo in an English error message and code comments. Very
small PR.
Co-authored-by: Ger Schinkel <schinkelg@users.noreply.github.com>
Backport #36039 by @lunny
Fix#36026
The redirect should be checked when original user/repo doesn't exist.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #36055 by @lunny
Replace #36032Fix#36030
This PR use `net/smtp` instead of gomail's smtp. Now
github.com/wneessen/go-mail will be used only for generating email
message body.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Backport #36068 by @lunny
Follow #36058 for API edit user bug when editing email.
- The Admin Edit User API includes a breaking change. Previously, when
updating a user with an email from an unallowed domain, the request
would succeed but return a warning in the response headers. Now, the
request will fail and return an error in the response body instead.
- Removed `AdminAddOrSetPrimaryEmailAddress` because it will not be used
any where.
Fix https://github.com/go-gitea/gitea/pull/36058#issuecomment-3600005186
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
