Releases: gogs/gogs

0.13.0

25 Feb 13:40
8c21874

Added

  • Support using personal access token in the password field. #3866
  • An unlisted option is added when creating or migrating a repository. Unlisted repositories are public but are not listed in the UI for users without direct access. #5733
  • New API endpoint `PUT /repos/:owner/:repo/contents/:path` for creating and updating repository contents. #5967
  • New configuration option `[git.timeout] DIFF` for customizing operation timeout of `git diff`. #6315
  • New configuration option `[server] SSH_SERVER_MACS` for setting list of accepted MACs for connections to builtin SSH server. #6434
  • New configuration option `[repository] DEFAULT_BRANCH` for setting default branch name for new repositories. #7291
  • New configuration option `[server] SSH_SERVER_ALGORITHMS` for specifying the list of accepted key exchange algorithms for connections to builtin SSH server. #7345
  • Support specifying custom schema for PostgreSQL. #6695
  • Support rendering Mermaid diagrams in Markdown. #6776
  • Docker: Allow passing extra arguments to the `backup` command. #7060
  • New languages support: Mongolian, Romanian. #6510 #7082

Changed

  • The default branch has been changed to `main`. #6285
  • MSSQL as database backend is deprecated, installation page no longer shows it as an option. Existing installations and manually crafted configuration files continue to work. #6295
  • Use Task as the build tool. #6297
  • The required Go version to compile source code changed to 1.18.
  • Access tokens are now stored using their SHA256 hashes instead of raw values. #7008

Fixed

  • Unable to use LDAP authentication on ARM machines. #6761
  • Unable to choose "Lookup Avatar by mail" in user settings without deleting custom avatar. #7267
  • Mistakenly include the "data" directory under the custom directory in the Docker setup. #7343
  • Unable to start after data recovery with an outdated migration version. #7125

Removed

  • ⚠️ Migrations before 0.12 are removed, installations not on 0.12 should upgrade to it to run the migrations and then upgrade to 0.13.
  • Configuration section `[mailer]` is no longer used, please use `[email]`.
  • Configuration section `[service]` is no longer used, please use `[auth]`.
  • Configuration option `APP_NAME` is no longer used, please use `BRAND_NAME`.
  • Configuration option `[security] REVERSE_PROXY_AUTHENTICATION_USER` is no longer used, please use `[auth] REVERSE_PROXY_AUTHENTICATION_HEADER`.
  • Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is no longer used, please use `[auth] ACTIVATE_CODE_LIVES`.
  • Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is no longer used, please use `[auth] RESET_PASSWORD_CODE_LIVES`.
  • Configuration option `[auth] ENABLE_CAPTCHA` is no longer used, please use `[auth] ENABLE_REGISTRATION_CAPTCHA`.
  • Configuration option `[auth] ENABLE_NOTIFY_MAIL` is no longer used, please use `[user] ENABLE_EMAIL_NOTIFICATION`.
  • Configuration option `[auth] REGISTER_EMAIL_CONFIRM` is no longer used, please use `[auth] REQUIRE_EMAIL_CONFIRMATION`.
  • Configuration option `[session] GC_INTERVAL_TIME` is no longer used, please use `[session] GC_INTERVAL`.
  • Configuration option `[session] SESSION_LIFE_TIME` is no longer used, please use `[session] MAX_LIFE_TIME`.
  • Configuration option `[server] ROOT_URL` is no longer used, please use `[server] EXTERNAL_URL`.
  • Configuration option `[server] LANDING_PAGE` is no longer used, please use `[server] LANDING_URL`.
  • Configuration option `[database] DB_TYPE` is no longer used, please use `[database] TYPE`.
  • Configuration option `[database] PASSWD` is no longer used, please use `[database] PASSWORD`.
  • Remove option to use Makefile as the build tool. #6980

0.13.0-rc.1

25 Feb 12:52
8c21874
Pre-release

This is a release candidate for the 0.13.0 minor release.

0.12.11

25 Feb 06:30
c9fba3c

Fixed

  • Security: Stored XSS for issue assignees. #7145
  • Security: OS Command Injection in repo editor on case-insensitive file systems. #7030
  • Unable to render repository pages with implicit submodules (e.g. `get submodule "REDACTED": revision does not exist`). #6436

0.12.11-rc.1

25 Feb 05:47
c9fba3c
Pre-release

This is a release candidate for the 0.12.11 patch release.

0.12.10

02 Aug 03:46
1ce5171

ℹ️ Heads up! There is a new patch release 0.12.11 available, we recommend directly installing or upgrading to that version.


Changed

  • Support using `[security] LOCAL_NETWORK_ALLOWLIST = *` to allow all hostnames. #7111

Fixed

  • Unable to send webhooks to local network addresses after configured `[security] LOCAL_NETWORK_ALLOWLIST`. #7074

0.12.10-rc.1

02 Aug 03:11
1ce5171
Pre-release

This is a release candidate for the 0.12.10 patch release.

0.12.9

07 Jun 15:35
012a1ba

ℹ️ Heads up! There is a new patch release 0.12.11 available, we recommend directly installing or upgrading to that version.


Fixed

  • Security: OS Command Injection in file editor. #7000
  • Security: Sanitize `DisplayName` in repository issue list. #7009
  • Security: Path Traversal in file editor on Windows. #7001
  • Security: Path Traversal in Git HTTP endpoints. #7002
  • Unable to init repository during creation on Windows. #6967
  • Mysterious panic on `Value not found for type *repo.HTTPContext`. #6963


0.12.9-rc.1

07 Jun 14:31
012a1ba
Pre-release

This is a release candidate for the 0.12.9 patch release.

0.12.8

31 May 09:31
7f8799c

ℹ️ Heads up! There is a new patch release 0.12.11 available, we recommend directly installing or upgrading to that version.


Changed

  • All users (including admins) need to use the configuration option `[security] LOCAL_NETWORK_ALLOWLIST` to allow repository migration and webhooks to be able to access local network addresses, which is a comma separated list of hostnames. #6988

Fixed

  • Security: SSRF in webhook. #6901
  • Security: XSS in cookies. #6953
  • Security: OS Command Injection in file uploading. #6968
  • Security: Remote Command Execution in file editing. #6555

0.12.7

Fixed

  • Security: Stored XSS in issues. #6919
  • Invalid character in `Access-Control-Allow-Credentials` response header. #4983
  • Mysterious `ssh: overflow reading version string` errors from builtin SSH server. #6882

0.12.6

Fixed

  • Security: Remote command execution in file uploading. #6833
  • Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option `[security] LOCAL_NETWORK_ALLOWLIST`, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
  • Slow start of Docker containers using NAS devices. #6554

0.12.5

Fixed

  • Security: Potential SSRF in repository migration. #6754
  • Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

  • Security: Potential SSRF attack by CRLF injection via repository migration. #6413
  • Regression: Fixed smart links for issues stops rendering. #6506
  • Added `X-Frame-Options` header to prevent Clickjacking. #6409

0.12.3

Fixed

  • Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
  • Auto-linked commit SHAs now have correct links. #6300
  • Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP header `Content-Type` to be `application/octet-stream`. The server now tells the LFS client to always use `Content-Type: application/octet-stream` when uploading files.

0.12.2

Fixed

  • Regression: Pages are correctly rendered when requesting `?go-get=1` for subdirectories. #6314
  • Regression: Submodule with a relative path is linked correctly. #6319
  • Backup can be processed when `--target` is specified on Windows. #6339
  • A commit message containing keywords that look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

  • The `updated_at` field is now correctly updated when updating an issue. #6209
  • Fixed a regression which created `login_source.cfg` column to have `VARCHAR(255)` instead of `TEXT` in MySQL. #6280

0.12.0

Added

  • Support for Git LFS, you can read documentation for both user and admin. #1322
  • Allow admin to remove observers from the repository. #5803
  • Use `Last-Modified` HTTP header for raw files. #5811
  • Support syntax highlighting for SAS code files (i.e. `.r`, `.sas`, `.tex`, `.yaml`). #5856
  • Able to fill in pull request title with a template. #5901
  • Able to override static files under `public/` directory, please refer to documentation for usage. #5920
  • New API endpoint `GET /admin/teams/:teamid/members` to list members of a team. #5877
  • Support backup with retention policy for Docker deployments. #6140

Changed

  • The organization profile page has changed to display at most 12 members. #5506
  • The required Go version to compile source code changed to 1.14.
  • All assets are now embedded into binary and served from memory by default. Set `[server] LOAD_ASSETS_FROM_DISK = true` to load them from disk. #5920
  • Application and Go versions are removed from page footer and only show in the admin dashboard.
  • Build tag for running as Windows Service has been changed from `miniwinsvc` to `minwinsvc`.
  • Configuration option `APP_NAME` is deprecated and will end support in 0.13.0, please start using `BRAND_NAME`.
  • Configuration option `[server] ROOT_URL` is deprecated and will end support in 0.13.0, please start using `[server] EXTERNAL_URL`.
  • Configuration option `[server] LANDING_PAGE` is deprecated and will end support in 0.13.0, please start using `[server] LANDING_URL`.
  • Configuration option `[database] DB_TYPE` is deprecated and will end support in 0.13.0, please start using `[database] TYPE`.
  • Configuration option `[database] PASSWD` is deprecated and will end support in 0.13.0, please start using `[database] PASSWORD`.
  • Configuration option `[security] REVERSE_PROXY_AUTHENTICATION_USER` is deprecated and will end support in 0.13.0, please start using `[auth] REVERSE_PROXY_AUTHENTICATION_HEADER`.
  • Configuration section `[mailer]` is deprecated and will end support in 0.13.0, please start using `[email]`.
  • Configuration section `[service]` is deprecated and will end support in 0.13.0, please start using `[auth]`.
  • Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] ACTIVATE_CODE_LIVES`.
  • Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] RESET_PASSWORD_CODE_LIVES`.
  • Configuration option `[auth] ENABLE_CAPTCHA` is deprecated and will end support in 0.13.0, please start using `[auth] ENABLE_REGISTRATION_CAPTCHA`.
  • Configuration option `[auth] ENABLE_NOTIFY_MAIL` is deprecated and will end support in 0.13.0, please start using `[user] ENABLE_EMAIL_NOTIFICATION`.
  • Configuration option `[session] GC_INTERVAL_TIME` is deprecated and will end support in 0.13.0, please start using `[session] GC_INTERVAL`.
  • Configuration option `[session] SESSION_LIFE_TIME` is deprecated and will end support in 0.13.0, please start using `[session] MAX_LIFE_TIME`.
  • The name `-` is reserved and cannot be used for users or organizations.

Fixed

  • [Security] Potential open redirection with i18n.
  • [Security] Potential ability to delete files outside a repository.
  • [Security] Potential ability to set primary email on others' behalf from their verified emails.
  • [Security] Potential XSS attack via `.ipynb`. #5170
  • [Security] Potential SSRF attack via webhooks. #5366
  • [Security] Potential CSRF attack in admin panel. #5367
  • [Security] Potential stored XSS attack in some browsers. #5397
  • [Security] Potential RCE on mirror repositories. #5767
  • [Security] Potential XSS attack with raw markdown API. #5907
  • File both modified and renamed within a commit treated as separate files. #5056
  • Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
  • Open/close milestone redirects to a 404 page. #5677
  • Disallow multiple tokens with same name. #5587 #5820
  • Enable Federated Avatar Lookup could cause server to crash. #5848
  • Private repositories are hidden in the organization's view. #5869
  • Users who have access to the base repository cannot view commits in forks. #5878
  • Server error when changing email address in user settings page. #5899
  • Fall back to use RFC 3339 as time layout when misconfigured. #6098
  • Unable to update team with server error. #6185
  • Webhooks are not fired after push when `[service] REQUIRE_SIGNIN_VIEW = true`.
  • Files with identical content are randomly displayed one of them.

Removed

  • Configuration option `[other] SHOW_FOOTER_VERSION`
  • Configuration option `[server] STATIC_ROOT_PATH`
  • Configuration option `[repository] MIRROR_QUEUE_LENGTH`
  • Configuration option `[repository] PULL_REQUEST_QUEUE_LENGTH`
  • Configuration option `[sessio...

0.12.8-rc.1

31 May 08:53
7f8799c
Pre-release

This is a release candidate for the 0.12.8 patch release.