fix truncate utf8 string

[palytoxin]

I removed the truncate operation before updating because it goes through the form validation before updating again. the truncate operation is redundant.

And I fixed the problem of truncating utf8 strings, in special cases, the truncation operation would cause the database storage to fail to detect the encoding

[palytoxin]

Test case:
visit '/org/[org_name]/settings' and fill in the description input box with

aa見直去以立第空白找，片傳裡身信不響，三月以人，機能東的增。他部樂腦帶呢空條也，是還法地身生務在富臺是重重起爸那，聲什這手學王媽可類外賽務物快突品。父認結期以元心方身！  團草一吃們北好創皮因了兩狀了聽高各當親心用視、友一識結笑適。辦子長底究舉語遊事童落分他所為是員？動一小魚平過步整大常內上頭素好兩走時人品醫見面最李坐校只多特臺說雖；看運須就那學運弟了我熱小關，能水與然何主政阿之，動成唱，只把望！

then update settings

[codecov-commenter]

Codecov Report

Merging #15828 (37f36fc) into main (2dc3e4e) will increase coverage by 0.07%.
The diff coverage is 52.38%.

@@            Coverage Diff             @@
##             main   #15828      +/-   ##
==========================================
+ Coverage   43.92%   44.00%   +0.07%     
==========================================
  Files         681      681              
  Lines       82228    82239      +11     
==========================================
+ Hits        36120    36190      +70     
+ Misses      40205    40143      -62     
- Partials     5903     5906       +3     

Impacted Files	Coverage Δ
cmd/web_letsencrypt.go	0.00% <0.00%> (ø)
models/issue_xref.go	60.60% <0.00%> (-0.62%)	⬇️
models/user.go	53.15% <ø> (ø)
modules/queue/manager.go	62.71% <50.00%> (+1.34%)	⬆️
modules/base/tool.go	94.25% <100.00%> (ø)
modules/git/commit_reader.go	98.52% <100.00%> (+0.04%)	⬆️
modules/git/tag.go	80.39% <100.00%> (+0.39%)	⬆️
models/unit.go	46.57% <0.00%> (-2.74%)	⬇️
modules/git/repo_commit.go	40.00% <0.00%> (-0.87%)	⬇️
routers/repo/view.go	40.66% <0.00%> (-0.59%)	⬇️
... and 9 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6d2a333...37f36fc. Read the comment docs.

[a1012112796]

And I fixed the problem of truncating utf8 strings, in special cases, the truncation operation would cause the database storage to fail to detect the encoding

Suggest move this change to a new pull request, Thanks.

[6543]

I dont think we need a sec pull for this nit. Throu when backporting we should only backport the fix

[zeripath]

blocked

[zeripath]

I think we need to be careful allowing arbitary length descriptions, websites and locations for users. These fields are often read in and the user objects passed around.

Realistically these fields should be dropped from the user table itself and only read in when they're actually needed but as this stands this PR represents a serious threat to the stability of Gitea on large installs.

[6543]

ok as of state of this pull now, @palytoxin the best way is to splitt it so we can discust on both things seperatly

[palytoxin]

I modified this pr so that it's only changed the truncation func in tools.go.

resolved

[zeripath]

Sorry about that @palytoxin - it would be fine to make it a config option with the current default but realistically these fields shouldn't be in models.User. They need to be in some other table models.Settings or Config or UserConfig. Most of the time we're loading the user object we do not want or care about the contents of the location or description attributes and it's fine to load them if they're small but if you're allowing them to get big well ... Then we need to move them off of user.

[palytoxin]

yes, I got. bug move them off of user may need to be modified by someone who knows more about this project, otherwise it makes new bugs.

---

But these columns have been validated before saving(in form valid ).

gitea/services/forms/org.go

Line 54 in dd81c29

return middleware.Validate(errs, ctx.Data, f, ctx.Locale)

There won't be too long a string here, and this code is redundant (#15838)

[6543]

@palytoxin please "update" this pull or allow maintainer to do so :)

[palytoxin]

@6543 Please check it ;D

[lunny]

@palytoxin Please send backport to v1.14

[zeripath]

I've sent the backport for you @palytoxin . If you would rather have the PR under your name please feel free to send another backport PR and we can close the one I've opened.

[palytoxin]

@zeripath It's all right.