Cannot create issue attachment via the API when using query parameter #30766

Open
Android-X13 opened this issue Apr 29, 2024 · 4 comments
Labels
issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail type/bug

Comments

@Android-X13

Description

In previous versions I used to be able to create issue attachments via the API like so (as per the docs):

curl -X 'POST' "http://host/api/v1/repos/$org/$repo/issues/$index/assets?name=Test" \
  -H "Accept: application/json" \
  -H "Authorization: token $TOKEN" \
  -H "Content-Type: multipart/form-data" \
  -F "attachment=@test.jpg;type=image/jpeg"

However now the server responds:

"This file extension or type is not allowed to be uploaded."

The attachment is created fine if the name query parameter is removed.

Gitea Version

1.21.11

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Binary download, systemd

Database

None

@KN4CK3R
Member

KN4CK3R commented Apr 29, 2024

I don't think there was a relevant change. But with name=Test you prevent a check of the filename extension. If you remove the name parameter, the upload filename test.jpg is used.

@Android-X13
Author

I'm pretty sure I could use it in older versions with no problem... I don't remember which version though.

This is how the attachment looks now:

attachment

When using the name parameter, instead of the filename test.jpg it would show the name provided.

What is the point of the name parameter in the API docs if it's never used?

@KN4CK3R
Member

KN4CK3R commented Apr 30, 2024

It is used and overrides the upload filename. If you pass name=test2.jpg your upload is named test2.jpg.

@kemzeb
Contributor

kemzeb commented May 8, 2024

To add some clarification, the problem you are having is that when you pass name=Test we perform an extension check that honors what is provided in ALLOWED_TYPES in your app.ini's [attachment] section. If you don't explicitly define this key, we have a default that is used (see here for more details). Since Test doesn't have an extension that is known in this list, we will reject it.

You have a few options to solve this:

  • Use an extension that is allowed in your attachment name, e.g. Test.jpg
  • If you wish, you could allow all types by either giving the ALLOWED_TYPES key nothing or passing */* (this is mentioned in the docs given above)

However, if you want to allow a file with no extension, this does not look possible currently given the code that I see. We don't accept empty entries in ALLOWED_TYPES and we always expect at least a . prefix when you pass an extension (e.g. we would allow .webp but ignore webp during verification).

@kemzeb kemzeb added the issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail label May 9, 2024
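
The name selection and extension check described in the comments above, as an added Go sketch (not Gitea's code and not part of the original thread). It models only the extension comparison against ALLOWED_TYPES; the function names `effectiveName` and `extensionAllowed` and the sample allow-list are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// effectiveName mirrors the behaviour described in the thread: a non-empty
// ?name= query value overrides the multipart upload filename.
func effectiveName(queryName, uploadName string) string {
	if queryName != "" {
		return queryName
	}
	return uploadName
}

// extensionAllowed checks name against a comma-separated allow-list.
// An empty list or a "*/*" entry allows everything; only entries that start
// with "." are compared as extensions, so "webp" never matches ".webp".
func extensionAllowed(name, allowedTypes string) bool {
	ext := strings.ToLower(path.Ext(name)) // "" when the name has no extension
	entries := 0
	for _, e := range strings.Split(allowedTypes, ",") {
		e = strings.ToLower(strings.TrimSpace(e))
		if e == "" {
			continue // empty entries are dropped, so "" can never be allow-listed
		}
		entries++
		if e == "*/*" || (strings.HasPrefix(e, ".") && e == ext) {
			return true
		}
	}
	return entries == 0
}

func main() {
	const allowed = ".jpg,.jpeg,.png,webp" // constructed sample, not Gitea's default
	cases := []struct{ query, upload string }{
		{"Test", "test.jpg"},     // the request from the report
		{"", "test.jpg"},         // name parameter removed
		{"Test.JPG", "test.jpg"}, // override that keeps an allowed extension
		{"pic.webp", "test.jpg"}, // "webp" entry lacks the leading dot
	}
	for _, c := range cases {
		n := effectiveName(c.query, c.upload)
		fmt.Printf("%-10q -> allowed=%v\n", n, extensionAllowed(n, allowed))
	}
}
```

The check runs on the overriding name, so the extension of the uploaded file itself does not rescue a `name` value that has none.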