Security: OS Command Injection in repo editor on case-insensitive file systems. #7030
Unable to render repository pages with implicit submodules (e.g. get submodule "REDACTED": revision does not exist). #6436
Previous patch releases
0.12.10
Changed
Support using [security] LOCAL_NETWORK_ALLOWLIST = * to allow all hostnames. #7111
Fixed
Unable to send webhooks to local network addresses after configuring [security] LOCAL_NETWORK_ALLOWLIST. #7074
0.12.9
Fixed
Security: OS Command Injection in file editor. #7000
Security: Sanitize DisplayName in repository issue list. #7009
Security: Path Traversal in file editor on Windows. #7001
Security: Path Traversal in Git HTTP endpoints. #7002
Unable to init repository during creation on Windows. #6967
Mysterious panic on Value not found for type *repo.HTTPContext. #6963
0.12.8
Changed
All users (including admins) need to use the configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma-separated list of hostnames, to allow repository migration and webhooks to access local network addresses. #6988
Invalid character in Access-Control-Allow-Credentials response header. #4983
Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882
0.12.6
Fixed
Security: Remote command execution in file uploading. #6833
Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma-separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
Slow start of Docker containers using NAS devices. #6554
0.12.5
Fixed
Security: Potential SSRF in repository migration. #6754
Security: Improper PAM authorization handling. #6810
0.12.4
Fixed
Security: Potential SSRF attack by CRLF injection via repository migration. #6413
Regression: Smart links for issues stopped rendering. #6506
Added X-Frame-Options header to prevent Clickjacking. #6409
0.12.3
Fixed
Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
Auto-linked commit SHAs now have correct links. #6300
Git LFS clients (version >= 2.5.0) were unable to upload files with a known format (e.g. PNG, JPEG), while the server expects the HTTP header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when uploading files.
0.12.2
Fixed
Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
Regression: Submodule with a relative path is linked correctly. #6319
Backup can be processed when --target is specified on Windows. #6339
A commit message containing keywords that look like an issue reference no longer fails the push entirely. #6289
0.12.1
Fixed
The updated_at field is now correctly updated when an issue is updated. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280
0.12.0
Added
Support for Git LFS; documentation is available for both users and admins. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140
Changed
The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.
Fixed
[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.