fix attachment file size limit in server backend

[a1012112796]

fix #35512

[techknowlogick]

CI fail is related:

--- FAIL: TestCreateIssueAttachment (0.49s)
    testlogger.go:61: 2025/09/22 14:12:32 modules/storage/local.go:33:NewLocalStorage() [I] Creating new Local Storage at /home/runner/work/gitea/gitea/tests/gitea-lfs-meta
    testlogger.go:61: 2025/09/22 14:12:32 HTTPRequest [I] router: completed GET /user/login for test-mock:12345, 200 OK in 2.1ms @ auth/auth.go:184(auth.SignIn)
    testlogger.go:61: 2025/09/22 14:12:32 HTTPRequest [I] router: completed POST /user/login for test-mock:12345, 303 See Other in 5.8ms @ auth/auth.go:197(auth.SignInPost)
    testlogger.go:61: 2025/09/22 14:12:32 HTTPRequest [I] router: completed POST /user2/repo1/issues/attachments for test-mock:12345, 500 Internal Server Error in 85.8ms @ repo/attachment.go:25(repo.UploadIssueAttachment)
    attachment_test.go:47: Response:  NewAttachment: attachment size 2147483648 exceed limit 104
        
    attachment_test.go:47: 
        	Error Trace:	/home/runner/work/gitea/gitea/tests/integration/integration_test.go:354
        	            				/home/runner/work/gitea/gitea/tests/integration/integration_test.go:160
        	            				/home/runner/work/gitea/gitea/tests/integration/attachment_test.go:47
        	            				/home/runner/work/gitea/gitea/tests/integration/attachment_test.go:67
        	Error:      	Not equal: 
        	            	expected: 200
        	            	actual  : 500
        	Test:       	TestCreateIssueAttachment
        	Messages:   	Request: POST /user2/repo1/issues/attachments

Also, it's probably better to have a status 413 returned if the size is too large

[wxiaoguang]

There are at least 2 "attachment max size" config options.

If you always use setting.Attachment.MaxSize, at least one is wrong

[a1012112796]

why? looks they are all same in curent design. hasn't found anything like setting.Repository.Release.MaxSize.

ref:

gitea/services/context/upload/upload.go

Lines 90 to 114 in 0b706b0

	// AddUploadContext renders template values for dropzone
	func AddUploadContext(ctx *context.Context, uploadType string) {
	switch uploadType {
	case "release":
	ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
	ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/releases/attachments/remove"
	ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
	ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Release.AllowedTypes, "|", ",")
	ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
	ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
	case "comment":
	ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
	ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/issues/attachments/remove"
	if len(ctx.PathParam("index")) > 0 {
	ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/" + url.PathEscape(ctx.PathParam("index")) + "/attachments"
	} else {
	ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
	}
	ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Attachment.AllowedTypes, "|", ",")
	ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
	ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
	default:
	setting.PanicInDevOrTesting("Invalid upload type: %s", uploadType)
	}
	}

[wxiaoguang]

Oh you are right, release upload shares the same attachment max size with comment attachment, but doesn't share some other settings .....

It seems to be another (unrelated) legacy problem.

[wxiaoguang]

Update: the problem I mentioned "There are at least 2 "attachment max size" config options." is still there. See my latest comment for UploadFileToServer, there is no limit check either.

• fix attachment file size limit in server backend #35519 (comment)

[lunny]

last call @go-gitea/technical-oversight-committee

[6543]

@a1012112796 -> a1012112796#13

[wxiaoguang]

I try to write a prove of concept

@6543 any proof? If no, revert

[wxiaoguang]

I try to write a prove of concept

@6543 any proof? If no, revert

@6543 any proof? If no, revert

[6543]

I'll revert it for now as i did not have time to write one jet to test stuff

[wxiaoguang]

as i did not have time to write one jet to test stuff

Even if you have 100 years, there will be no proof. Golang HTTP packages's FormFile guarantees that the head.Size is the real uploaded size, you can spend a few minutes to read the code, no need to spend 100 years to try.

[6543]

well did not know/read that docu jet but I should ...
... anyway better save than sorry

[wxiaoguang]

There are still problems:

1. CreateReleaseAttachment: when the body is used as the upload stream, it should use http.MaxBytesReader to limit the size (fixed)
2. ctx.Req.ParseMultipartForm(setting.Attachment.MaxSize << 20) is not right, it will make Gitea OOM (fixed)
3. UploadFileToServer doesn't check the size limit either, I just left a FIXME and didn't make more changes in this PR
   • Feel free to properly fix it

dismiss

[6543]

errors.Is dont work now

creating custom errors is fine and all but we should work with golangs error handling system witch means that we should cover unwrap and is interface

[wxiaoguang]

errors.Is dont work now (just revert commit looked at jet)

What do you mean by "errors.Is dont work now"?

[6543]

i will have time tomorrow, review via mobule is horrible

[wxiaoguang]

creating custom errors is fine and all but we should work with golangs error handling system witch means that we should cover unwrap and is interface

Isn't it what I have done? I don't see any problem.