From f7ac5076711af3a260f3f98b2c1f8c19b32f6d09 Mon Sep 17 00:00:00 2001
From: Giteabot
Date: Sat, 7 Mar 2026 03:50:17 +0800
Subject: [PATCH] Fix dump release asset bug (#36799) (#36839)
Backport #36799 by @lunny
Co-authored-by: Lunny Xiao
Co-authored-by: silverwind
---
 services/migrations/dump.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/services/migrations/dump.go b/services/migrations/dump.go
index 385759800e..fb227f0864 100644
--- a/services/migrations/dump.go
+++ b/services/migrations/dump.go
@@ -288,12 +288,13 @@ func (g *RepositoryDumper) CreateLabels(_ context.Context, labels ...*base.Label
 func (g *RepositoryDumper) CreateReleases(_ context.Context, releases ...*base.Release) error {
 if g.opts.ReleaseAssets {
 for _, release := range releases {
- attachDir := filepath.Join("release_assets", release.TagName)
+ attachDir := filepath.Join("release_assets", uuid.New().String())
 if err := os.MkdirAll(filepath.Join(g.baseDir, attachDir), os.ModePerm); err != nil {
 return err
 }
 for _, asset := range release.Assets {
- attachLocalPath := filepath.Join(attachDir, asset.Name)
+ // we cannot use asset.Name because it might contains special characters.
+ attachLocalPath := filepath.Join(attachDir, uuid.New().String())
 // SECURITY: We cannot check the DownloadURL and DownloadFunc are safe here
 // ... we must assume that they are safe and simply download the attachment
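Review bot: The new comment above `attachLocalPath` gives only "special characters" as the reason, and the `attachDir` line has no comment at all, although both lines stop joining an externally supplied name (`release.TagName`, `asset.Name`) into a path under `g.baseDir`. If those names come from the repository being migrated, as the file path suggests, the real concern is path separators and `..` segments that could place files outside the dump directory, and the comment should say so once above `attachDir`, e.g. `// Do not build paths from release.TagName or asset.Name: they may contain path separators or ".." and escape g.baseDir.` Because the on-disk names are now random, it is also worth confirming that the code after this hunk records `attachLocalPath` in the dumped release data, since the tag and asset name can no longer be recovered from the path. The body of CreateReleases continues outside the hunk.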