mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-05 01:37:30 +02:00
Backport #38314 by @lunny

This fixes the web release edit flow so renamed release attachments are validated against `[repository.release] ALLOWED_TYPES`.

Previously, the API attachment edit endpoint already enforced release attachment type restrictions, but the web release edit form passed `attachment-edit-*` values into `release_service.UpdateRelease`, which updated attachment names directly without validating the new filename against `setting.Repository.Release.AllowedTypes`.

As a result, a user with repository write access could rename an existing release attachment to a disallowed extension through the web UI.

- validate edited release attachment names in `release_service.UpdateRelease`
- reject forbidden attachment renames using `setting.Repository.Release.AllowedTypes`
- re-render the web release edit page with a validation error instead of returning an internal server error
- add regression coverage for both the service layer and the web flow

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
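
The pattern the commit message describes, as an added example that is not Gitea's own code: the rename check lives in the shared service function, so an API handler and a web form handler calling it are held to the same allow list. `RenameAttachments`, `extAllowed` and `ErrTypeNotAllowed` are hypothetical names, and the check is simplified to extension entries of a comma-separated list.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrTypeNotAllowed is a hypothetical sentinel error for this example.
var ErrTypeNotAllowed = errors.New("attachment type not allowed")

// extAllowed reports whether name ends with one of the extensions in a
// comma-separated allow list such as ".zip,.tar.gz" (empty list allows all).
func extAllowed(name, allowed string) bool {
	if strings.TrimSpace(allowed) == "" {
		return true
	}
	lower := strings.ToLower(name)
	for _, t := range strings.Split(allowed, ",") {
		t = strings.ToLower(strings.TrimSpace(t))
		if strings.HasPrefix(t, ".") && strings.HasSuffix(lower, t) {
			return true
		}
	}
	return false
}

// RenameAttachments applies renames (attachment ID -> new name) to names.
// Every caller passes through this check; nothing changes unless all names pass.
func RenameAttachments(names, renames map[string]string, allowed string) error {
	for id, newName := range renames {
		if _, ok := names[id]; !ok {
			return fmt.Errorf("unknown attachment %q", id)
		}
		if !extAllowed(newName, allowed) {
			return fmt.Errorf("%w: %q", ErrTypeNotAllowed, newName)
		}
	}
	for id, newName := range renames {
		names[id] = newName
	}
	return nil
}

func main() {
	names := map[string]string{"a1": "release.zip"} // constructed sample data
	err := RenameAttachments(names, map[string]string{"a1": "release.exe"}, ".zip,.tar.gz")
	fmt.Println(err, names["a1"]) // rejected, name stays release.zip
}
```

Returning a typed error lets a form handler re-render the page with a validation message rather than surfacing an internal server error.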