From 790a27f38ae7acd693829aee7015f60dab7681c9 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Fri, 23 Feb 2024 00:42:14 +0800
Subject: [PATCH 1/9] Fix SSPI user creation (#28948) (#29323)

Fixes #28945
Backport #28948

Setting the avatar is wrong and creating a random password is equal to
leave it empty.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 7ea2ffaf166780b7786291f7ff022e3f5b49e8c2)
---
 services/auth/sspi.go | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/services/auth/sspi.go b/services/auth/sspi.go
index d4f7e3ec60..0ec1bc2998 100644
--- a/services/auth/sspi.go
+++ b/services/auth/sspi.go
@@ -11,7 +11,6 @@ import (
 	"sync"
 
 	"code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/models/avatars"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/base"
 	gitea_context "code.gitea.io/gitea/modules/context"
@@ -163,12 +162,9 @@ func (s *SSPI) shouldAuthenticate(req *http.Request) (shouldAuth bool) {
 func (s *SSPI) newUser(ctx context.Context, username string, cfg *sspi.Source) (*user_model.User, error) {
 	email := gouuid.New().String() + "@localhost.localdomain"
 	user := &user_model.User{
-		Name:            username,
-		Email:           email,
-		Passwd:          gouuid.New().String(),
-		Language:        cfg.DefaultLanguage,
-		UseCustomAvatar: true,
-		Avatar:          avatars.DefaultAvatarLink(),
+		Name:     username,
+		Email:    email,
+		Language: cfg.DefaultLanguage,
 	}
 	emailNotificationPreference := user_model.EmailNotificationsDisabled
 	overwriteDefault := &user_model.CreateUserOverwriteOptions{

From c4ac72e6a0c1e77e5ab0a12c4f9e244a6f10ceda Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Fri, 23 Feb 2024 03:52:54 +0800
Subject: [PATCH 2/9] Only log error when tag sync fails (#29295) (#29327)

Backport #29295 by @lunny

Fix #28843

This PR will bypass the pushUpdateTag to database failure when
syncAllTags. An error log will be recorded.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
(cherry picked from commit b78f5fc60f510a58d58535af77c5b424a8b5a660)
---
 modules/repository/repo.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/repository/repo.go b/modules/repository/repo.go
index d06d75fa9c..1387cee66d 100644
--- a/modules/repository/repo.go
+++ b/modules/repository/repo.go
@@ -334,7 +334,9 @@ func SyncReleasesWithTags(ctx context.Context, repo *repo_model.Repository, gitR
 		}
 
 		if err := PushUpdateAddTag(ctx, repo, gitRepo, tagName, sha1, refname); err != nil {
-			return fmt.Errorf("unable to PushUpdateAddTag: %q to Repo[%d:%s/%s]: %w", tagName, repo.ID, repo.OwnerName, repo.Name, err)
+			// sometimes, some tags will be sync failed. i.e. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tag/?h=v2.6.11
+			// this is a tree object, not a tag object which created before git
+			log.Error("unable to PushUpdateAddTag: %q to Repo[%d:%s/%s]: %v", tagName, repo.ID, repo.OwnerName, repo.Name, err)
 		}
 
 		return nil

From 9da608abad3ea8a409e208c3e907fc0d2d821c01 Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Fri, 23 Feb 2024 05:49:07 +0800
Subject: [PATCH 3/9] Don't show third-party JS errors in production builds
 (#29303) (#29333)

Backport #29303 by @silverwind

So we don't get issues like
https://github.com/go-gitea/gitea/issues/29080 and
https://github.com/go-gitea/gitea/issues/29273 any more. Only active in
[production
builds](https://webpack.js.org/guides/production/#specify-the-mode), in
non-production the errors will still show.

Co-authored-by: silverwind <me@silverwind.io>
(cherry picked from commit 6ca8cb590d510c98610031675e0a316f95efaf61)
---
 web_src/js/bootstrap.js | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/web_src/js/bootstrap.js b/web_src/js/bootstrap.js
index f8d0c0cac0..e46c91e5e6 100644
--- a/web_src/js/bootstrap.js
+++ b/web_src/js/bootstrap.js
@@ -29,17 +29,26 @@ export function showGlobalErrorMessage(msg) {
  * @param {ErrorEvent} e
  */
 function processWindowErrorEvent(e) {
+  const err = e.error ?? e.reason;
+  const assetBaseUrl = String(new URL(__webpack_public_path__, window.location.origin));
+
+  // error is likely from browser extension or inline script. Do not show these in production builds.
+  if (!err.stack?.includes(assetBaseUrl) && window.config?.runModeIsProd) return;
+
+  let message;
   if (e.type === 'unhandledrejection') {
-    showGlobalErrorMessage(`JavaScript promise rejection: ${e.reason}. Open browser console to see more details.`);
-    return;
+    message = `JavaScript promise rejection: ${err.message}.`;
+  } else {
+    message = `JavaScript error: ${e.message} (${e.filename} @ ${e.lineno}:${e.colno}).`;
   }
+
   if (!e.error && e.lineno === 0 && e.colno === 0 && e.filename === '' && window.navigator.userAgent.includes('FxiOS/')) {
     // At the moment, Firefox (iOS) (10x) has an engine bug. See https://github.com/go-gitea/gitea/issues/20240
     // If a script inserts a newly created (and content changed) element into DOM, there will be a nonsense error event reporting: Script error: line 0, col 0.
     return; // ignore such nonsense error event
   }
 
-  showGlobalErrorMessage(`JavaScript error: ${e.message} (${e.filename} @ ${e.lineno}:${e.colno}). Open browser console to see more details.`);
+  showGlobalErrorMessage(`${message} Open browser console to see more details.`);
 }
 
 function initGlobalErrorHandler() {

From 8e2c991b35de8c94899ad053e89339cea4538589 Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Sat, 24 Feb 2024 06:47:11 +0800
Subject: [PATCH 4/9] Fix tarball/zipball download bug (#29342) (#29352)

Backport #29342 by @Zettat123

Fix #29249

~~Use the `/repos/{owner}/{repo}/archive/{archive}` API to download.~~

Apply #26430 to archive download URLs.

Co-authored-by: Zettat123 <zettat123@gmail.com>
(cherry picked from commit 829b807a91f9895e3f4b262f688a8d0d9a44caf6)
---
 services/auth/auth.go   | 5 +++++
 services/auth/oauth2.go | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/services/auth/auth.go b/services/auth/auth.go
index 4adf549204..6dc0327531 100644
--- a/services/auth/auth.go
+++ b/services/auth/auth.go
@@ -38,6 +38,7 @@ func isContainerPath(req *http.Request) bool {
 var (
 	gitRawOrAttachPathRe = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/(?:(?:git-(?:(?:upload)|(?:receive))-pack$)|(?:info/refs$)|(?:HEAD$)|(?:objects/)|(?:raw/)|(?:releases/download/)|(?:attachments/))`)
 	lfsPathRe            = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/info/lfs/`)
+	archivePathRe        = regexp.MustCompile(`^/[a-zA-Z0-9_.-]+/[a-zA-Z0-9_.-]+/archive/`)
 )
 
 func isGitRawOrAttachPath(req *http.Request) bool {
@@ -54,6 +55,10 @@ func isGitRawOrAttachOrLFSPath(req *http.Request) bool {
 	return false
 }
 
+func isArchivePath(req *http.Request) bool {
+	return archivePathRe.MatchString(req.URL.Path)
+}
+
 // handleSignIn clears existing session variables and stores new ones for the specified user object
 func handleSignIn(resp http.ResponseWriter, req *http.Request, sess SessionStore, user *user_model.User) {
 	// We need to regenerate the session...
diff --git a/services/auth/oauth2.go b/services/auth/oauth2.go
index 08a2a05539..3b9b7def37 100644
--- a/services/auth/oauth2.go
+++ b/services/auth/oauth2.go
@@ -127,7 +127,7 @@ func (o *OAuth2) userIDFromToken(ctx context.Context, tokenSHA string, store Dat
 func (o *OAuth2) Verify(req *http.Request, w http.ResponseWriter, store DataStore, sess SessionStore) (*user_model.User, error) {
 	// These paths are not API paths, but we still want to check for tokens because they maybe in the API returned URLs
 	if !middleware.IsAPIPath(req) && !isAttachmentDownload(req) && !isAuthenticatedTokenRequest(req) &&
-		!isGitRawOrAttachPath(req) {
+		!isGitRawOrAttachPath(req) && !isArchivePath(req) {
 		return nil, nil
 	}
 

From e4d30671387157c71b7157451a87e1836c9a40af Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 24 Feb 2024 15:58:43 +0800
Subject: [PATCH 5/9] Fix project counter in organization/individual profile
 (#28068) (#29361)

Fix #28052
Backport #28068
Before:

![image](https://github.com/go-gitea/gitea/assets/18380374/5f299983-4b38-4d68-ac0e-4be3c62c0558)

![image](https://github.com/go-gitea/gitea/assets/18380374/f0e12afd-483b-4882-80e9-0261beb3fe0c)

After:

![image](https://github.com/go-gitea/gitea/assets/18380374/47cccb7b-bb35-4a7d-9c5b-83133be0323a)

![image](https://github.com/go-gitea/gitea/assets/18380374/77825c0c-4bf2-4762-83a2-1a5a173cc22d)

Co-authored-by: yp05327 <576951401@qq.com>
(cherry picked from commit 5043ad54c7a0d1dc6bf5f1caf21b4646ec9344d3)
---
 routers/web/shared/user/header.go   | 17 +++++++++++++++++
 templates/org/menu.tmpl             |  3 +++
 templates/user/overview/header.tmpl |  3 +++
 3 files changed, 23 insertions(+)

diff --git a/routers/web/shared/user/header.go b/routers/web/shared/user/header.go
index 24f8f88976..1d4ef4d649 100644
--- a/routers/web/shared/user/header.go
+++ b/routers/web/shared/user/header.go
@@ -6,6 +6,7 @@ package user
 import (
 	"code.gitea.io/gitea/models/db"
 	"code.gitea.io/gitea/models/organization"
+	project_model "code.gitea.io/gitea/models/project"
 	repo_model "code.gitea.io/gitea/models/repo"
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/context"
@@ -126,5 +127,21 @@ func LoadHeaderCount(ctx *context.Context) error {
 	}
 	ctx.Data["RepoCount"] = repoCount
 
+	var projectType project_model.Type
+	if ctx.ContextUser.IsOrganization() {
+		projectType = project_model.TypeOrganization
+	} else {
+		projectType = project_model.TypeIndividual
+	}
+	projectCount, err := project_model.CountProjects(ctx, project_model.SearchOptions{
+		OwnerID:  ctx.ContextUser.ID,
+		IsClosed: util.OptionalBoolOf(false),
+		Type:     projectType,
+	})
+	if err != nil {
+		return err
+	}
+	ctx.Data["ProjectCount"] = projectCount
+
 	return nil
 }
diff --git a/templates/org/menu.tmpl b/templates/org/menu.tmpl
index c3ec142e9c..8a97711ce2 100644
--- a/templates/org/menu.tmpl
+++ b/templates/org/menu.tmpl
@@ -9,6 +9,9 @@
 		{{if .CanReadProjects}}
 		<a class="{{if .PageIsViewProjects}}active {{end}}item" href="{{$.Org.HomeLink}}/-/projects">
 			{{svg "octicon-project-symlink"}} {{ctx.Locale.Tr "user.projects"}}
+			{{if .ProjectCount}}
+				<div class="ui small label">{{.ProjectCount}}</div>
+			{{end}}
 		</a>
 		{{end}}
 		{{if and .IsPackageEnabled .CanReadPackages}}
diff --git a/templates/user/overview/header.tmpl b/templates/user/overview/header.tmpl
index 69a4e9a856..e27c9a981e 100644
--- a/templates/user/overview/header.tmpl
+++ b/templates/user/overview/header.tmpl
@@ -13,6 +13,9 @@
 	{{if or .ContextUser.IsIndividual (and .ContextUser.IsOrganization .CanReadProjects)}}
 	<a href="{{.ContextUser.HomeLink}}/-/projects" class="{{if .PageIsViewProjects}}active {{end}}item">
 		{{svg "octicon-project-symlink"}} {{ctx.Locale.Tr "user.projects"}}
+		{{if .ProjectCount}}
+			<div class="ui small label">{{.ProjectCount}}</div>
+		{{end}}
 	</a>
 	{{end}}
 	{{if and .IsPackageEnabled (or .ContextUser.IsIndividual (and .ContextUser.IsOrganization .CanReadPackages))}}

From a28d6686faab354b5478ab523afcdfd962e1fb77 Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Sat, 24 Feb 2024 16:23:21 +0800
Subject: [PATCH 6/9] Fix validity of the FROM email address not being checked
 (#29347) (#29360)

Backport #29347 by @carlosfelgueiras

Fixes #27188.
Introduces a check on the installation that tries to parse the FROM
address. If it fails, shows a new error message to the user.

Co-authored-by: Carlos Felgueiras <carlosfelgueiras@tecnico.ulisboa.pt>
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 35db5a373babd9af157fd63eeb20d6da53320b73)
---
 options/locales/gitea_en-US.ini | 1 +
 routers/install/install.go      | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/options/locales/gitea_en-US.ini b/options/locales/gitea_en-US.ini
index 0116fa08df..562d409016 100644
--- a/options/locales/gitea_en-US.ini
+++ b/options/locales/gitea_en-US.ini
@@ -246,6 +246,7 @@ email_title = Email Settings
 smtp_addr = SMTP Host
 smtp_port = SMTP Port
 smtp_from = Send Email As
+smtp_from_invalid = The "Send Email As" address is invalid
 smtp_from_helper = Email address Gitea will use. Enter a plain email address or use the "Name" <email@example.com> format.
 mailer_user = SMTP Username
 mailer_password = SMTP Password
diff --git a/routers/install/install.go b/routers/install/install.go
index 648425df3b..ec0f4fd80a 100644
--- a/routers/install/install.go
+++ b/routers/install/install.go
@@ -7,6 +7,7 @@ package install
 import (
 	"fmt"
 	"net/http"
+	"net/mail"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -423,6 +424,11 @@ func SubmitInstall(ctx *context.Context) {
 	}
 
 	if len(strings.TrimSpace(form.SMTPAddr)) > 0 {
+		if _, err := mail.ParseAddress(form.SMTPFrom); err != nil {
+			ctx.RenderWithErr(ctx.Tr("install.smtp_from_invalid"), tplInstall, &form)
+			return
+		}
+
 		cfg.Section("mailer").Key("ENABLED").SetValue("true")
 		cfg.Section("mailer").Key("SMTP_ADDR").SetValue(form.SMTPAddr)
 		cfg.Section("mailer").Key("SMTP_PORT").SetValue(form.SMTPPort)

From 2c802fc8f090e60ed446d4979c9d9527d6ebefb1 Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Sat, 24 Feb 2024 19:01:18 +0800
Subject: [PATCH 7/9] Display friendly error message (#29105) (#29363)

Backport #29105

`ctx.Error` only displays the text but `ctx.ServerError` renders the
usual error page.

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit a1c0b3a02e54e5fe879dabccb71fba9498b64051)
---
 routers/web/repo/actions/actions.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/routers/web/repo/actions/actions.go b/routers/web/repo/actions/actions.go
index 9f787f5125..6e635ab43d 100644
--- a/routers/web/repo/actions/actions.go
+++ b/routers/web/repo/actions/actions.go
@@ -61,17 +61,17 @@ func List(ctx *context.Context) {
 
 	var workflows []Workflow
 	if empty, err := ctx.Repo.GitRepo.IsEmpty(); err != nil {
-		ctx.Error(http.StatusInternalServerError, err.Error())
+		ctx.ServerError("IsEmpty", err)
 		return
 	} else if !empty {
 		commit, err := ctx.Repo.GitRepo.GetBranchCommit(ctx.Repo.Repository.DefaultBranch)
 		if err != nil {
-			ctx.Error(http.StatusInternalServerError, err.Error())
+			ctx.ServerError("GetBranchCommit", err)
 			return
 		}
 		entries, err := actions.ListWorkflows(commit)
 		if err != nil {
-			ctx.Error(http.StatusInternalServerError, err.Error())
+			ctx.ServerError("ListWorkflows", err)
 			return
 		}
 
@@ -96,7 +96,7 @@ func List(ctx *context.Context) {
 			workflow := Workflow{Entry: *entry}
 			content, err := actions.GetContentFromEntry(entry)
 			if err != nil {
-				ctx.Error(http.StatusInternalServerError, err.Error())
+				ctx.ServerError("GetContentFromEntry", err)
 				return
 			}
 			wf, err := model.ReadWorkflow(bytes.NewReader(content))
@@ -173,7 +173,7 @@ func List(ctx *context.Context) {
 
 	runs, total, err := actions_model.FindRuns(ctx, opts)
 	if err != nil {
-		ctx.Error(http.StatusInternalServerError, err.Error())
+		ctx.ServerError("FindAndCount", err)
 		return
 	}
 
@@ -182,7 +182,7 @@ func List(ctx *context.Context) {
 	}
 
 	if err := runs.LoadTriggerUser(ctx); err != nil {
-		ctx.Error(http.StatusInternalServerError, err.Error())
+		ctx.ServerError("LoadTriggerUser", err)
 		return
 	}
 
@@ -190,7 +190,7 @@ func List(ctx *context.Context) {
 
 	actors, err := actions_model.GetActors(ctx, ctx.Repo.Repository.ID)
 	if err != nil {
-		ctx.Error(http.StatusInternalServerError, err.Error())
+		ctx.ServerError("GetActors", err)
 		return
 	}
 	ctx.Data["Actors"] = repo.MakeSelfOnTop(ctx.Doer, actors)

From 40c3a1d2ea6dc15ad11f35fdd0c170fbf9cf66cd Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Sun, 25 Feb 2024 22:56:44 +0800
Subject: [PATCH 8/9] enforce maxlength in frontend (#29389) (#29396)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Backport #29389 by @zokkis

Set maxlength attribute in frontend

to long file-name

![image](https://github.com/go-gitea/gitea/assets/72873130/15111614-55ab-4583-acb2-15c25997601d)

![image](https://github.com/go-gitea/gitea/assets/72873130/4105ddd8-4973-4da8-b3ab-4cfae1b45554)
(same for branch-name and commit-summary)

Co-authored-by: Tim-Niclas Oelschläger <72873130+zokkis@users.noreply.github.com>
(cherry picked from commit 0b3d6c399c88e42e827f422dc4c8458f0d20c613)
---
 templates/repo/editor/commit_form.tmpl | 4 ++--
 templates/repo/editor/edit.tmpl        | 2 +-
 templates/repo/editor/patch.tmpl       | 2 +-
 templates/repo/editor/upload.tmpl      | 2 +-
 web_src/js/utils.js                    | 7 ++++---
 5 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/templates/repo/editor/commit_form.tmpl b/templates/repo/editor/commit_form.tmpl
index 34dde576a1..c8f7befcf0 100644
--- a/templates/repo/editor/commit_form.tmpl
+++ b/templates/repo/editor/commit_form.tmpl
@@ -9,7 +9,7 @@
 			{{ctx.Locale.Tr "repo.editor.commit_changes"}}
 		{{- end}}</h3>
 		<div class="field">
-			<input name="commit_summary" placeholder="{{if .PageIsDelete}}{{ctx.Locale.Tr "repo.editor.delete" .TreePath}}{{else if .PageIsUpload}}{{ctx.Locale.Tr "repo.editor.upload_files_to_dir" .TreePath}}{{else if .IsNewFile}}{{ctx.Locale.Tr "repo.editor.add_tmpl"}}{{else if .PageIsPatch}}{{ctx.Locale.Tr "repo.editor.patch"}}{{else}}{{ctx.Locale.Tr "repo.editor.update" .TreePath}}{{end}}" value="{{.commit_summary}}" autofocus>
+			<input name="commit_summary" maxlength="100" placeholder="{{if .PageIsDelete}}{{ctx.Locale.Tr "repo.editor.delete" .TreePath}}{{else if .PageIsUpload}}{{ctx.Locale.Tr "repo.editor.upload_files_to_dir" .TreePath}}{{else if .IsNewFile}}{{ctx.Locale.Tr "repo.editor.add_tmpl"}}{{else if .PageIsPatch}}{{ctx.Locale.Tr "repo.editor.patch"}}{{else}}{{ctx.Locale.Tr "repo.editor.update" .TreePath}}{{end}}" value="{{.commit_summary}}" autofocus>
 		</div>
 		<div class="field">
 			<textarea name="commit_message" placeholder="{{ctx.Locale.Tr "repo.editor.commit_message_desc"}}" rows="5">{{.commit_message}}</textarea>
@@ -60,7 +60,7 @@
 			<div class="quick-pull-branch-name {{if not (eq .commit_choice "commit-to-new-branch")}}gt-hidden{{end}}">
 				<div class="new-branch-name-input field {{if .Err_NewBranchName}}error{{end}}">
 					{{svg "octicon-git-branch"}}
-					<input type="text" name="new_branch_name" value="{{.new_branch_name}}" class="input-contrast gt-mr-2 js-quick-pull-new-branch-name" placeholder="{{ctx.Locale.Tr "repo.editor.new_branch_name_desc"}}" {{if eq .commit_choice "commit-to-new-branch"}}required{{end}} title="{{ctx.Locale.Tr "repo.editor.new_branch_name"}}">
+					<input type="text" name="new_branch_name" maxlength="100" value="{{.new_branch_name}}" class="input-contrast gt-mr-2 js-quick-pull-new-branch-name" placeholder="{{ctx.Locale.Tr "repo.editor.new_branch_name_desc"}}" {{if eq .commit_choice "commit-to-new-branch"}}required{{end}} title="{{ctx.Locale.Tr "repo.editor.new_branch_name"}}">
 					<span class="text-muted js-quick-pull-normalization-info"></span>
 				</div>
 			</div>
diff --git a/templates/repo/editor/edit.tmpl b/templates/repo/editor/edit.tmpl
index cfc266731b..a6dce81c08 100644
--- a/templates/repo/editor/edit.tmpl
+++ b/templates/repo/editor/edit.tmpl
@@ -15,7 +15,7 @@
 					{{range $i, $v := .TreeNames}}
 						<div class="breadcrumb-divider">/</div>
 						{{if eq $i $l}}
-							<input id="file-name" value="{{$v}}" placeholder="{{ctx.Locale.Tr "repo.editor.name_your_file"}}" data-editorconfig="{{$.EditorconfigJson}}" required autofocus>
+							<input id="file-name" maxlength="500" value="{{$v}}" placeholder="{{ctx.Locale.Tr "repo.editor.name_your_file"}}" data-editorconfig="{{$.EditorconfigJson}}" required autofocus>
 							<span data-tooltip-content="{{ctx.Locale.Tr "repo.editor.filename_help"}}">{{svg "octicon-info"}}</span>
 						{{else}}
 							<span class="section"><a href="{{$.BranchLink}}/{{index $.TreePaths $i | PathEscapeSegments}}">{{$v}}</a></span>
diff --git a/templates/repo/editor/patch.tmpl b/templates/repo/editor/patch.tmpl
index 44c30bd5f9..c9a78cc35f 100644
--- a/templates/repo/editor/patch.tmpl
+++ b/templates/repo/editor/patch.tmpl
@@ -15,7 +15,7 @@
 					<a class="section" href="{{$.BranchLink}}">{{.BranchName}}</a>
 					<span>{{ctx.Locale.Tr "repo.editor.or"}} <a href="{{$.BranchLink}}">{{ctx.Locale.Tr "repo.editor.cancel_lower"}}</a></span>
 					<input type="hidden" id="tree_path" name="tree_path" value="" required>
-					<input id="file-name" type="hidden" value="diff.patch">
+					<input id="file-name" maxlength="500" type="hidden" value="diff.patch">
 				</div>
 			</div>
 			<div class="field">
diff --git a/templates/repo/editor/upload.tmpl b/templates/repo/editor/upload.tmpl
index d362a5602a..0a7c49dae3 100644
--- a/templates/repo/editor/upload.tmpl
+++ b/templates/repo/editor/upload.tmpl
@@ -13,7 +13,7 @@
 					{{range $i, $v := .TreeNames}}
 						<div class="breadcrumb-divider">/</div>
 						{{if eq $i $l}}
-							<input type="text" id="file-name" value="{{$v}}" placeholder="{{ctx.Locale.Tr "repo.editor.add_subdir"}}" autofocus>
+							<input type="text" id="file-name" maxlength="500" value="{{$v}}" placeholder="{{ctx.Locale.Tr "repo.editor.add_subdir"}}" autofocus>
 							<span data-tooltip-content="{{ctx.Locale.Tr "repo.editor.filename_help"}}">{{svg "octicon-info"}}</span>
 						{{else}}
 							<span class="section"><a href="{{$.BranchLink}}/{{index $.TreePaths $i | PathEscapeSegments}}">{{$v}}</a></span>
diff --git a/web_src/js/utils.js b/web_src/js/utils.js
index c82e42d349..980354d3ea 100644
--- a/web_src/js/utils.js
+++ b/web_src/js/utils.js
@@ -2,13 +2,14 @@ import {encode, decode} from 'uint8-to-base64';
 
 // transform /path/to/file.ext to file.ext
 export function basename(path = '') {
-  return path ? path.replace(/^.*\//, '') : '';
+  const lastSlashIndex = path.lastIndexOf('/');
+  return lastSlashIndex < 0 ? path : path.substring(lastSlashIndex + 1);
 }
 
 // transform /path/to/file.ext to .ext
 export function extname(path = '') {
-  const [_, ext] = /.+(\.[^.]+)$/.exec(path) || [];
-  return ext || '';
+  const lastPointIndex = path.lastIndexOf('.');
+  return lastPointIndex < 0 ? '' : path.substring(lastPointIndex);
 }
 
 // test whether a variable is an object

From 91a2d3ecc477a0e80b67a1acf2c1877c1fe41fb7 Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Mon, 26 Feb 2024 00:08:44 +0800
Subject: [PATCH 9/9] Add missing space (#29393) (#29399)

Backport #29393 by @KN4CK3R

Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
(cherry picked from commit 0f35cb5a2a9ad3b1d78f9547148b594adc4bdabf)
---
 templates/repo/diff/options_dropdown.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/repo/diff/options_dropdown.tmpl b/templates/repo/diff/options_dropdown.tmpl
index 3bcb877cc6..b7c46dd846 100644
--- a/templates/repo/diff/options_dropdown.tmpl
+++ b/templates/repo/diff/options_dropdown.tmpl
@@ -13,7 +13,7 @@
 			<a class="item" href="{{$.RepoLink}}/commit/{{PathEscape .Commit.ID.String}}.diff" download="{{ShortSha .Commit.ID.String}}.diff">{{ctx.Locale.Tr "repo.diff.download_diff"}}</a>
 		{{end}}
 		<a id="expand-files-btn" class="item">{{ctx.Locale.Tr "repo.pulls.expand_files"}}</a>
-		<a id="collapse-files-btn"class="item">{{ctx.Locale.Tr "repo.pulls.collapse_files"}}</a>
+		<a id="collapse-files-btn" class="item">{{ctx.Locale.Tr "repo.pulls.collapse_files"}}</a>
 		{{if .Issue.Index}}
 			{{if .ShowOutdatedComments}}
 				<a class="item" href="?style={{if $.IsSplitStyle}}split{{else}}unified{{end}}&whitespace={{$.WhitespaceBehavior}}&show-outdated=false">