mirror of
https://github.com/go-gitea/gitea.git
synced 2026-07-04 15:07:42 +00:00
e4ef995f2a
This fixes the web release edit flow so renamed release attachments are validated against `[repository.release] ALLOWED_TYPES`. Previously, the API attachment edit endpoint already enforced release attachment type restrictions, but the web release edit form passed `attachment-edit-*` values into `release_service.UpdateRelease`, which updated attachment names directly without validating the new filename against `setting.Repository.Release.AllowedTypes`. As a result, a user with repository write access could rename an existing release attachment to a disallowed extension through the web UI. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>