Gogs Versions Save

Added

• Support using personal access token in the password field. #3866
• An unlisted option is added when create or migrate a repository. Unlisted repositories are public but not being listed for users without direct access in the UI. #5733
• New API endpoint PUT /repos/:owner/:repo/contents/:path for creating and update repository contents. #5967
• New configuration option [git.timeout] DIFF for customizing operation timeout of git diff. #6315
• New configuration option [server] SSH_SERVER_MACS for setting list of accepted MACs for connections to builtin SSH server. #6434
• New configuration option [repository] DEFAULT_BRANCH for setting default branch name for new repositories. #7291
• New configuration option [server] SSH_SERVER_ALGORITHMS for specifying the list of accepted key exchange algorithms for connections to builtin SSH server. #7345
• Support specifying custom schema for PostgreSQL. #6695
• Support rendering Mermaid diagrams in Markdown. #6776
• Docker: Allow passing extra arguments to the backup command. #7060
• New languages support: Mongolian, Romanian. #6510 #7082

Changed

• The default branch has been changed to main. #6285
• MSSQL as database backend is deprecated, installation page no longer shows it as an option. Existing installations and manually craft configuration file continue to work. #6295
• Use Task as the build tool. #6297
• The required Go version to compile source code changed to 1.18.
• Access tokens are now stored using their SHA256 hashes instead of raw values. #7008

Fixed

• Unable to use LDAP authentication on ARM machines. #6761
• Unable to choose "Lookup Avatar by mail" in user settings without deleting custom avatar. #7267
• Mistakenly include the "data" directory under the custom directory in the Docker setup. #7343
• Unable to start after data recovery with an outdated migration version. #7125

Removed

• ⚠️ Migrations before 0.12 are removed, installations not on 0.12 should upgrade to it to run the migrations and then upgrade to 0.13.
• Configuration section [mailer] is no longer used, please use [email].
• Configuration section [service] is no longer used, please use [auth].
• Configuration option APP_NAME is no longer used, please use BRAND_NAME.
• Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is no longer used, please use [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
• Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is no longer used, please use [auth] ACTIVATE_CODE_LIVES.
• Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is no longer used, please use [auth] RESET_PASSWORD_CODE_LIVES.
• Configuration option [auth] ENABLE_CAPTCHA is no longer used, please use [auth] ENABLE_REGISTRATION_CAPTCHA.
• Configuration option [auth] ENABLE_NOTIFY_MAIL is no longer used, please use [user] ENABLE_EMAIL_NOTIFICATION.
• Configuration option [auth] REGISTER_EMAIL_CONFIRM is no longer used, please use [auth] REQUIRE_EMAIL_CONFIRMATION.
• Configuration option [session] GC_INTERVAL_TIME is no longer used, please use [session] GC_INTERVAL.
• Configuration option [session] SESSION_LIFE_TIME is no longer used, please use [session] MAX_LIFE_TIME.
• Configuration option [server] ROOT_URL is no longer used, please use [server] EXTERNAL_URL.
• Configuration option [server] LANDING_PAGE is no longer used, please use [server] LANDING_URL.
• Configuration option [database] DB_TYPE is no longer used, please use [database] TYPE.
• Configuration option [database] PASSWD is no longer used, please use [database] PASSWORD.
• Remove option to use Makefile as the build tool. #6980

This is a release candidate for the 0.13.0 minor release.

Fixed

• Security: Stored XSS for issue assignees. #7145
• Security: OS Command Injection in repo editor on case-insensitive file systems. #7030
• Unable to render repository pages with implicit submodules (e.g. get submodule "REDACTED": revision does not exist). #6436

Previous patch releases

0.12.10

Changed

• Support using [security] LOCAL_NETWORK_ALLOWLIST = * to allow all hostnames. #7111

Fixed

• Unable to send webhooks to local network addresses after configured [security] LOCAL_NETWORK_ALLOWLIST. #7074

0.12.9

Fixed

• Security: OS Command Injection in file editor. #7000
• Security: Sanitize DisplayName in repository issue list. #7009
• Security: Path Traversal in file editor on Windows. #7001
• Security: Path Traversal in Git HTTP endpoints. #7002
• Unable to init repository during creation on Windows. #6967
• Mysterious panic on Value not found for type *repo.HTTPContext. #6963

0.12.8

Changed

• All users (including admins) need to use the configuration option [security] LOCAL_NETWORK_ALLOWLIST to allow repository migration and webhooks to be able to access local network addresses, which is a comma separated list of hostnames. #6988

Fixed

• Security: SSRF in webhook. #6901
• Security: XSS in cookies. #6953
• Security: OS Command Injection in file uploading. #6968
• Security: Remote Command Execution in file editing. #6555

0.12.7

Fixed

• Security: Stored XSS in issues. #6919
• Invalid character in Access-Control-Allow-Credentials response header. #4983
• Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882

0.12.6

Fixed

• Security: Remote command execution in file uploading. #6833
• Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
• Slow start of Docker containers using NAS devices. #6554

0.12.5

Fixed

• Security: Potential SSRF in repository migration. #6754
• Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

• Security: Potential SSRF attack by CRLF injection via repository migration. #6413
• Regression: Fixed smart links for issues stops rendering. #6506
• Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

• Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
• Auto-linked commit SHAs now have correct links. #6300
• Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

• Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
• Regression: Submodule with a relative path is linked correctly. #6319
• Backup can be processed when --target is specified on Windows. #6339
• Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

• The updated_at field is now correctly updated when updates an issue. #6209
• Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

• Support for Git LFS, you can read documentation for both user and admin. #1322
• Allow admin to remove observers from the repository. #5803
• Use Last-Modified HTTP header for raw files. #5811
• Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
• Able to fill in pull request title with a template. #5901
• Able to override static files under public/ directory, please refer to documentation for usage. #5920
• New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
• Support backup with retention policy for Docker deployments. #6140

Changed

• The organization profile page has changed to display at most 12 members. #5506
• The required Go version to compile source code changed to 1.14.
• All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
• Application and Go versions are removed from page footer and only show in the admin dashboard.
• Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
• Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
• Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
• Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
• Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
• Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
• Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
• Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
• Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
• Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
• Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
• Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
• Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
• Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
• Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
• The name - is reserved and cannot be used for users or organizations.

Fixed

• [Security] Potential open redirection with i18n.
• [Security] Potential ability to delete files outside a repository.
• [Security] Potential ability to set primary email on others' behalf from their verified emails.
• [Security] Potential XSS attack via .ipynb. #5170
• [Security] Potential SSRF attack via webhooks. #5366
• [Security] Potential CSRF attack in admin panel. #5367
• [Security] Potential stored XSS attack in some browsers. #5397
• [Security] Potential RCE on mirror repositories. #5767
• [Security] Potential XSS attack with raw markdown API. #5907
• File both modified and renamed within a commit treated as separate files. #5056
• Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
• Open/close milestone redirects to a 404 page. #5677
• Disallow multiple tokens with same name. #5587 #5820
• Enable Federated Avatar Lookup could cause server to crash. #5848
• Private repositories are hidden in the organization's view. #5869
• Users have access to base repository cannot view commits in forks. #5878
• Server error when changing email address in user settings page. #5899
• Fall back to use RFC 3339 as time layout when misconfigured. #6098
• Unable to update team with server error. #6185
• Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
• Files with identical content are randomly displayed one of them.

Removed

• Configuration option [other] SHOW_FOOTER_VERSION
• Configuration option [server] STATIC_ROOT_PATH
• Configuration option [repository] MIRROR_QUEUE_LENGTH
• Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
• Configuration option [session] ENABLE_SET_COOKIE
• Configuration option [release.attachment] PATH
• Configuration option [webhook] QUEUE_LENGTH
• Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.11 patch release.

ℹ️ Heads up! There is a new patch release 0.12.11 available, we recommend directly installing or upgrading to that version.

---

Changed

• Support using [security] LOCAL_NETWORK_ALLOWLIST = * to allow all hostnames. #7111

Fixed

• Unable to send webhooks to local network addresses after configured [security] LOCAL_NETWORK_ALLOWLIST. #7074

Previous patch releases

0.12.9

Fixed

• Security: OS Command Injection in file editor. #7000
• Security: Sanitize DisplayName in repository issue list. #7009
• Security: Path Traversal in file editor on Windows. #7001
• Security: Path Traversal in Git HTTP endpoints. #7002
• Unable to init repository during creation on Windows. #6967
• Mysterious panic on Value not found for type *repo.HTTPContext. #6963

0.12.8

Changed

• All users (including admins) need to use the configuration option [security] LOCAL_NETWORK_ALLOWLIST to allow repository migration and webhooks to be able to access local network addresses, which is a comma separated list of hostnames. #6988

Fixed

• Security: SSRF in webhook. #6901
• Security: XSS in cookies. #6953
• Security: OS Command Injection in file uploading. #6968
• Security: Remote Command Execution in file editing. #6555

0.12.7

Fixed

• Security: Stored XSS in issues. #6919
• Invalid character in Access-Control-Allow-Credentials response header. #4983
• Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882

0.12.6

Fixed

• Security: Remote command execution in file uploading. #6833
• Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
• Slow start of Docker containers using NAS devices. #6554

0.12.5

Fixed

• Security: Potential SSRF in repository migration. #6754
• Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

• Security: Potential SSRF attack by CRLF injection via repository migration. #6413
• Regression: Fixed smart links for issues stops rendering. #6506
• Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

• Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
• Auto-linked commit SHAs now have correct links. #6300
• Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

• Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
• Regression: Submodule with a relative path is linked correctly. #6319
• Backup can be processed when --target is specified on Windows. #6339
• Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

• The updated_at field is now correctly updated when updates an issue. #6209
• Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

• Support for Git LFS, you can read documentation for both user and admin. #1322
• Allow admin to remove observers from the repository. #5803
• Use Last-Modified HTTP header for raw files. #5811
• Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
• Able to fill in pull request title with a template. #5901
• Able to override static files under public/ directory, please refer to documentation for usage. #5920
• New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
• Support backup with retention policy for Docker deployments. #6140

Changed

• The organization profile page has changed to display at most 12 members. #5506
• The required Go version to compile source code changed to 1.14.
• All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
• Application and Go versions are removed from page footer and only show in the admin dashboard.
• Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
• Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
• Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
• Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
• Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
• Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
• Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
• Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
• Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
• Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
• Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
• Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
• Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
• Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
• Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
• The name - is reserved and cannot be used for users or organizations.

Fixed

• [Security] Potential open redirection with i18n.
• [Security] Potential ability to delete files outside a repository.
• [Security] Potential ability to set primary email on others' behalf from their verified emails.
• [Security] Potential XSS attack via .ipynb. #5170
• [Security] Potential SSRF attack via webhooks. #5366
• [Security] Potential CSRF attack in admin panel. #5367
• [Security] Potential stored XSS attack in some browsers. #5397
• [Security] Potential RCE on mirror repositories. #5767
• [Security] Potential XSS attack with raw markdown API. #5907
• File both modified and renamed within a commit treated as separate files. #5056
• Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
• Open/close milestone redirects to a 404 page. #5677
• Disallow multiple tokens with same name. #5587 #5820
• Enable Federated Avatar Lookup could cause server to crash. #5848
• Private repositories are hidden in the organization's view. #5869
• Users have access to base repository cannot view commits in forks. #5878
• Server error when changing email address in user settings page. #5899
• Fall back to use RFC 3339 as time layout when misconfigured. #6098
• Unable to update team with server error. #6185
• Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
• Files with identical content are randomly displayed one of them.

Removed

• Configuration option [other] SHOW_FOOTER_VERSION
• Configuration option [server] STATIC_ROOT_PATH
• Configuration option [repository] MIRROR_QUEUE_LENGTH
• Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
• Configuration option [session] ENABLE_SET_COOKIE
• Configuration option [release.attachment] PATH
• Configuration option [webhook] QUEUE_LENGTH
• Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.10 patch release.

ℹ️ Heads up! There is a new patch release 0.12.11 available, we recommend directly installing or upgrading to that version.

---

Fixed

• Security: OS Command Injection in file editor. #7000
• Security: Sanitize DisplayName in repository issue list. #7009
• Security: Path Traversal in file editor on Windows. #7001
• Security: Path Traversal in Git HTTP endpoints. #7002
• Unable to init repository during creation on Windows. #6967
• Mysterious panic on Value not found for type *repo.HTTPContext. #6963

---

0.12.8

Changed

• All users (including admins) need to use the configuration option [security] LOCAL_NETWORK_ALLOWLIST to allow repository migration and webhooks to be able to access local network addresses, which is a comma separated list of hostnames. #6988

Fixed

• Security: SSRF in webhook. #6901
• Security: XSS in cookies. #6953
• Security: OS Command Injection in file uploading. #6968
• Security: Remote Command Execution in file editing. #6555

0.12.7

Fixed

• Security: Stored XSS in issues. #6919
• Invalid character in Access-Control-Allow-Credentials response header. #4983
• Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882

0.12.6

Fixed

• Security: Remote command execution in file uploading. #6833
• Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
• Slow start of Docker containers using NAS devices. #6554

0.12.5

Fixed

• Security: Potential SSRF in repository migration. #6754
• Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

• Security: Potential SSRF attack by CRLF injection via repository migration. #6413
• Regression: Fixed smart links for issues stops rendering. #6506
• Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

• Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
• Auto-linked commit SHAs now have correct links. #6300
• Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

• Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
• Regression: Submodule with a relative path is linked correctly. #6319
• Backup can be processed when --target is specified on Windows. #6339
• Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

• The updated_at field is now correctly updated when updates an issue. #6209
• Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

• Support for Git LFS, you can read documentation for both user and admin. #1322
• Allow admin to remove observers from the repository. #5803
• Use Last-Modified HTTP header for raw files. #5811
• Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
• Able to fill in pull request title with a template. #5901
• Able to override static files under public/ directory, please refer to documentation for usage. #5920
• New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
• Support backup with retention policy for Docker deployments. #6140

Changed

• The organization profile page has changed to display at most 12 members. #5506
• The required Go version to compile source code changed to 1.14.
• All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
• Application and Go versions are removed from page footer and only show in the admin dashboard.
• Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
• Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
• Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
• Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
• Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
• Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
• Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
• Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
• Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
• Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
• Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
• Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
• Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
• Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
• Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
• The name - is reserved and cannot be used for users or organizations.

Fixed

• [Security] Potential open redirection with i18n.
• [Security] Potential ability to delete files outside a repository.
• [Security] Potential ability to set primary email on others' behalf from their verified emails.
• [Security] Potential XSS attack via .ipynb. #5170
• [Security] Potential SSRF attack via webhooks. #5366
• [Security] Potential CSRF attack in admin panel. #5367
• [Security] Potential stored XSS attack in some browsers. #5397
• [Security] Potential RCE on mirror repositories. #5767
• [Security] Potential XSS attack with raw markdown API. #5907
• File both modified and renamed within a commit treated as separate files. #5056
• Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
• Open/close milestone redirects to a 404 page. #5677
• Disallow multiple tokens with same name. #5587 #5820
• Enable Federated Avatar Lookup could cause server to crash. #5848
• Private repositories are hidden in the organization's view. #5869
• Users have access to base repository cannot view commits in forks. #5878
• Server error when changing email address in user settings page. #5899
• Fall back to use RFC 3339 as time layout when misconfigured. #6098
• Unable to update team with server error. #6185
• Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
• Files with identical content are randomly displayed one of them.

Removed

• Configuration option [other] SHOW_FOOTER_VERSION
• Configuration option [server] STATIC_ROOT_PATH
• Configuration option [repository] MIRROR_QUEUE_LENGTH
• Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
• Configuration option [session] ENABLE_SET_COOKIE
• Configuration option [release.attachment] PATH
• Configuration option [webhook] QUEUE_LENGTH
• Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.9 patch release.

ℹ️ Heads up! There is a new patch release 0.12.11 available, we recommend directly installing or upgrading to that version.

---

Changed

• All users (including admins) need to use the configuration option [security] LOCAL_NETWORK_ALLOWLIST to allow repository migration and webhooks to be able to access local network addresses, which is a comma separated list of hostnames. #6988

Fixed

• Security: SSRF in webhook. #6901
• Security: XSS in cookies. #6953
• Security: OS Command Injection in file uploading. #6968
• Security: Remote Command Execution in file editing. #6555

---

0.12.7

Fixed

• Security: Stored XSS in issues. #6919
• Invalid character in Access-Control-Allow-Credentials response header. #4983
• Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882

0.12.6

Fixed

• Security: Remote command execution in file uploading. #6833
• Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
• Slow start of Docker containers using NAS devices. #6554

0.12.5

Fixed

• Security: Potential SSRF in repository migration. #6754
• Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

• Security: Potential SSRF attack by CRLF injection via repository migration. #6413
• Regression: Fixed smart links for issues stops rendering. #6506
• Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

• Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
• Auto-linked commit SHAs now have correct links. #6300
• Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

• Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
• Regression: Submodule with a relative path is linked correctly. #6319
• Backup can be processed when --target is specified on Windows. #6339
• Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

• The updated_at field is now correctly updated when updates an issue. #6209
• Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

• Support for Git LFS, you can read documentation for both user and admin. #1322
• Allow admin to remove observers from the repository. #5803
• Use Last-Modified HTTP header for raw files. #5811
• Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
• Able to fill in pull request title with a template. #5901
• Able to override static files under public/ directory, please refer to documentation for usage. #5920
• New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
• Support backup with retention policy for Docker deployments. #6140

Changed

• The organization profile page has changed to display at most 12 members. #5506
• The required Go version to compile source code changed to 1.14.
• All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
• Application and Go versions are removed from page footer and only show in the admin dashboard.
• Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
• Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
• Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
• Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
• Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
• Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
• Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
• Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
• Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
• Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
• Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
• Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
• Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
• Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
• Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
• The name - is reserved and cannot be used for users or organizations.

Fixed

• [Security] Potential open redirection with i18n.
• [Security] Potential ability to delete files outside a repository.
• [Security] Potential ability to set primary email on others' behalf from their verified emails.
• [Security] Potential XSS attack via .ipynb. #5170
• [Security] Potential SSRF attack via webhooks. #5366
• [Security] Potential CSRF attack in admin panel. #5367
• [Security] Potential stored XSS attack in some browsers. #5397
• [Security] Potential RCE on mirror repositories. #5767
• [Security] Potential XSS attack with raw markdown API. #5907
• File both modified and renamed within a commit treated as separate files. #5056
• Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
• Open/close milestone redirects to a 404 page. #5677
• Disallow multiple tokens with same name. #5587 #5820
• Enable Federated Avatar Lookup could cause server to crash. #5848
• Private repositories are hidden in the organization's view. #5869
• Users have access to base repository cannot view commits in forks. #5878
• Server error when changing email address in user settings page. #5899
• Fall back to use RFC 3339 as time layout when misconfigured. #6098
• Unable to update team with server error. #6185
• Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
• Files with identical content are randomly displayed one of them.

Removed

• Configuration option [other] SHOW_FOOTER_VERSION
• Configuration option [server] STATIC_ROOT_PATH
• Configuration option [repository] MIRROR_QUEUE_LENGTH
• Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
• Configuration option [session] ENABLE_SET_COOKIE
• Configuration option [release.attachment] PATH
• Configuration option [webhook] QUEUE_LENGTH
• Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.8 patch release.