Adding upstream version 9.0.0.HEADupstream/9.0.0upstreamdebian

Signed-off-by: Daniel Baumann <daniel@debian.org>

6 files changed, 239 insertions, 0 deletions

diff --git a/modules/public/mime_types.go b/modules/public/mime_types.go
new file mode 100644
index 0000000..32bdf3b
--- /dev/null
+++ b/modules/public/mime_types.go
@@ -0,0 +1,40 @@
+// Copyright 2022 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package public
+
+import "strings"
+
+// wellKnownMimeTypesLower comes from Golang's builtin mime package: `builtinTypesLower`, see the comment of detectWellKnownMimeType
+var wellKnownMimeTypesLower = map[string]string{
+	".avif": "image/avif",
+	".css":  "text/css; charset=utf-8",
+	".gif":  "image/gif",
+	".htm":  "text/html; charset=utf-8",
+	".html": "text/html; charset=utf-8",
+	".jpeg": "image/jpeg",
+	".jpg":  "image/jpeg",
+	".js":   "text/javascript; charset=utf-8",
+	".json": "application/json",
+	".mjs":  "text/javascript; charset=utf-8",
+	".pdf":  "application/pdf",
+	".png":  "image/png",
+	".svg":  "image/svg+xml",
+	".wasm": "application/wasm",
+	".webp": "image/webp",
+	".xml":  "text/xml; charset=utf-8",
+
+	// well, there are some types missing from the builtin list
+	".txt": "text/plain; charset=utf-8",
+}
+
+// detectWellKnownMimeType will return the mime-type for a well-known file ext name
+// The purpose of this function is to bypass the unstable behavior of Golang's mime.TypeByExtension
+// mime.TypeByExtension would use OS's mime-type config to overwrite the well-known types (see its document).
+// If the user's OS has incorrect mime-type config, it would make Gitea can not respond a correct Content-Type to browsers.
+// For example, if Gitea returns `text/plain` for a `.js` file, the browser couldn't run the JS due to security reasons.
+// detectWellKnownMimeType makes the Content-Type for well-known files stable.
+func detectWellKnownMimeType(ext string) string {
+	ext = strings.ToLower(ext)
+	return wellKnownMimeTypesLower[ext]
+}
diff --git a/modules/public/public.go b/modules/public/public.go
new file mode 100644
index 0000000..abc6b46
--- /dev/null
+++ b/modules/public/public.go
@@ -0,0 +1,118 @@
+// Copyright 2016 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package public
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"strings"
+	"time"
+
+	"code.gitea.io/gitea/modules/assetfs"
+	"code.gitea.io/gitea/modules/container"
+	"code.gitea.io/gitea/modules/httpcache"
+	"code.gitea.io/gitea/modules/log"
+	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
+)
+
+func CustomAssets() *assetfs.Layer {
+	return assetfs.Local("custom", setting.CustomPath, "public")
+}
+
+func AssetFS() *assetfs.LayeredFS {
+	return assetfs.Layered(CustomAssets(), BuiltinAssets())
+}
+
+// FileHandlerFunc implements the static handler for serving files in "public" assets
+func FileHandlerFunc() http.HandlerFunc {
+	assetFS := AssetFS()
+	return func(resp http.ResponseWriter, req *http.Request) {
+		if req.Method != "GET" && req.Method != "HEAD" {
+			resp.WriteHeader(http.StatusMethodNotAllowed)
+			return
+		}
+		handleRequest(resp, req, assetFS, req.URL.Path)
+	}
+}
+
+// parseAcceptEncoding parse Accept-Encoding: deflate, gzip;q=1.0, *;q=0.5 as compress methods
+func parseAcceptEncoding(val string) container.Set[string] {
+	parts := strings.Split(val, ";")
+	types := make(container.Set[string])
+	for _, v := range strings.Split(parts[0], ",") {
+		types.Add(strings.TrimSpace(v))
+	}
+	return types
+}
+
+// setWellKnownContentType will set the Content-Type if the file is a well-known type.
+// See the comments of detectWellKnownMimeType
+func setWellKnownContentType(w http.ResponseWriter, file string) {
+	mimeType := detectWellKnownMimeType(path.Ext(file))
+	if mimeType != "" {
+		w.Header().Set("Content-Type", mimeType)
+	}
+}
+
+func handleRequest(w http.ResponseWriter, req *http.Request, fs http.FileSystem, file string) {
+	// actually, fs (http.FileSystem) is designed to be a safe interface, relative paths won't bypass its parent directory, it's also fine to do a clean here
+	f, err := fs.Open(util.PathJoinRelX(file))
+	if err != nil {
+		if os.IsNotExist(err) {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+		w.WriteHeader(http.StatusInternalServerError)
+		log.Error("[Static] Open %q failed: %v", file, err)
+		return
+	}
+	defer f.Close()
+
+	fi, err := f.Stat()
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		log.Error("[Static] %q exists, but fails to open: %v", file, err)
+		return
+	}
+
+	// need to serve index file? (no at the moment)
+	if fi.IsDir() {
+		w.WriteHeader(http.StatusNotFound)
+		return
+	}
+
+	serveContent(w, req, fi, fi.ModTime(), f)
+}
+
+type GzipBytesProvider interface {
+	GzipBytes() []byte
+}
+
+// serveContent serve http content
+func serveContent(w http.ResponseWriter, req *http.Request, fi os.FileInfo, modtime time.Time, content io.ReadSeeker) {
+	setWellKnownContentType(w, fi.Name())
+
+	encodings := parseAcceptEncoding(req.Header.Get("Accept-Encoding"))
+	if encodings.Contains("gzip") {
+		// try to provide gzip content directly from bindata (provided by vfsgen۰CompressedFileInfo)
+		if compressed, ok := fi.(GzipBytesProvider); ok {
+			rdGzip := bytes.NewReader(compressed.GzipBytes())
+			// all gzipped static files (from bindata) are managed by Gitea, so we can make sure every file has the correct ext name
+			// then we can get the correct Content-Type, we do not need to do http.DetectContentType on the decompressed data
+			if w.Header().Get("Content-Type") == "" {
+				w.Header().Set("Content-Type", "application/octet-stream")
+			}
+			w.Header().Set("Content-Encoding", "gzip")
+			httpcache.ServeContentWithCacheControl(w, req, fi.Name(), modtime, rdGzip)
+			return
+		}
+	}
+
+	httpcache.ServeContentWithCacheControl(w, req, fi.Name(), modtime, content)
+	return
+}
diff --git a/modules/public/public_bindata.go b/modules/public/public_bindata.go
new file mode 100644
index 0000000..4878f88
--- /dev/null
+++ b/modules/public/public_bindata.go
@@ -0,0 +1,8 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build bindata
+
+package public
+
+//go:generate go run ../../build/generate-bindata.go ../../public public bindata.go true
diff --git a/modules/public/public_test.go b/modules/public/public_test.go
new file mode 100644
index 0000000..5e4bf5d
--- /dev/null
+++ b/modules/public/public_test.go
@@ -0,0 +1,34 @@
+// Copyright 2020 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package public
+
+import (
+	"testing"
+
+	"code.gitea.io/gitea/modules/container"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseAcceptEncoding(t *testing.T) {
+	kases := []struct {
+		Header   string
+		Expected container.Set[string]
+	}{
+		{
+			Header:   "deflate, gzip;q=1.0, *;q=0.5",
+			Expected: container.SetOf("deflate", "gzip"),
+		},
+		{
+			Header:   " gzip, deflate, br",
+			Expected: container.SetOf("deflate", "gzip", "br"),
+		},
+	}
+
+	for _, kase := range kases {
+		t.Run(kase.Header, func(t *testing.T) {
+			assert.EqualValues(t, kase.Expected, parseAcceptEncoding(kase.Header))
+		})
+	}
+}
diff --git a/modules/public/serve_dynamic.go b/modules/public/serve_dynamic.go
new file mode 100644
index 0000000..a668b17
--- /dev/null
+++ b/modules/public/serve_dynamic.go
@@ -0,0 +1,15 @@
+// Copyright 2016 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build !bindata
+
+package public
+
+import (
+	"code.gitea.io/gitea/modules/assetfs"
+	"code.gitea.io/gitea/modules/setting"
+)
+
+func BuiltinAssets() *assetfs.Layer {
+	return assetfs.Local("builtin(static)", setting.StaticRootPath, "public")
+}
diff --git a/modules/public/serve_static.go b/modules/public/serve_static.go
new file mode 100644
index 0000000..e790850
--- /dev/null
+++ b/modules/public/serve_static.go
@@ -0,0 +1,24 @@
+// Copyright 2016 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//go:build bindata
+
+package public
+
+import (
+	"time"
+
+	"code.gitea.io/gitea/modules/assetfs"
+	"code.gitea.io/gitea/modules/timeutil"
+)
+
+var _ GzipBytesProvider = (*vfsgen۰CompressedFileInfo)(nil)
+
+// GlobalModTime provide a global mod time for embedded asset files
+func GlobalModTime(filename string) time.Time {
+	return timeutil.GetExecutableModTime()
+}
+
+func BuiltinAssets() *assetfs.Layer {
+	return assetfs.Bindata("builtin(bindata)", Assets)
+}