Gogs is a painless self-hosted Git service

Gogs - A painless self-hosted Git service

🔮 Vision

The Gogs (/gɑgz/) project aims to build a simple, stable and extensible self-hosted Git service that can be setup in the most painless way. With Go, this can be done with an independent binary distribution across ALL platforms that Go supports, including Linux, macOS, Windows and ARM.

📡 Overview

Please visit our home page for user documentation.
Please refer to CHANGELOG.md for list of changes in each releases.
Want to try it before doing anything else? Do it online!
Having trouble? Help yourself with troubleshooting or ask questions on user forum.
Want to help with localization? Check out the localization documentation.
Ready to get hands dirty? Read our guide to set up your development environment.
Hmm... What about APIs? We have experimental support with documentation.

💌 Features

User dashboard, user profile and activity timeline.
Access repositories via SSH, HTTP and HTTPS protocols.
User, organization and repository management.
Repository and organization webhooks, including Slack, Discord and Dingtalk.
Repository Git hooks, deploy keys and Git LFS.
Repository issues, pull requests, wiki, protected branches and collaboration.
Migrate and mirror repositories with wiki from other code hosts.
Web editor for quick editing repository files and wiki.
Jupyter Notebook and PDF rendering.
Authentication via SMTP, LDAP, reverse proxy, GitHub.com and GitHub Enterprise with 2FA.
Customize HTML templates, static files and many others.
Rich database backend, including PostgreSQL, MySQL, SQLite3 and TiDB.
Have localization over 30 languages.

💾 Hardware requirements

A Raspberry Pi or $5 Digital Ocean Droplet is more than enough to get you started. Some even use 64MB RAM Docker CaaS.
2 CPU cores and 512MB RAM would be the baseline for teamwork.
Increase CPU cores when your team size gets significantly larger, memory footprint remains low.

💻 Browser support

Please see Semantic UI for specific versions of supported browsers.
The smallest resolution officially supported is 1024*768, however the UI may still look right in smaller resolutions, but no promises or fixes.

📜 Installation

Make sure you install the prerequisites first.

There are 6 ways to install Gogs:

Deploy to cloud

Tutorials

📦 Software, service and product support

Fabric8 (DevOps)
Jenkins (CI)
Taiga (Project Management)
Puppet (IT)
GitPitch (Markdown Presentations)
Synology (Docker)
Syncloud (App Store)

🙇‍♂️ Acknowledgments

Thanks Egon Elbre for designing the original version of the logo.
Thanks Crowdin for sponsoring open source translation plan.
Thanks DigitalOcean, VPSServer, Hosted.nl, MonoVM and BitLaunch for sponsoring VPS services.
Thanks KeyCDN for sponsoring CDN service.
Thanks Buildkite for sponsoring open source CI/CD plan.

👋 Contributors

See contributors page for top 100 contributors.
See TRANSLATORS for public list of translators.

⚖️ License

This project is under the MIT License. See the LICENSE file for the full license text.

using 0.6.5 Beta, mysql 5.5.43, git 1.7.9.5, Ubuntu 12.04

the time in the log is right, and both the client, the server have the time zone at Asia/Shanghai, and mysql db use the system time zone

but the display time on the web page(timelines, issues and comments, etc) is 8 hours late than the Asia/Shanghai's time

I've checked the issues, doesn't found a familiar one,so where's problem probably by?

💊 bug

The problem is strange……I am using a cubieboard as my gogs server host. These commit push with ssh is not lost,but these commits didn't make the webui update until you use https protocol to push once.Everything back to normal.

status: needs reproduce status: needs feedback

On v0.8.10 I get a 500 error whenever I want to open a repo with more than one file. I can access the other tabs (Issues/commits etc.), but the Code tab always results in an error.

[Macaron] Started GET /floorish/test for 77.*.*.*
2016/01/22 16:30:14 [...routers/repo/view.go:134 Home()] [E] GetCommitsInfo: GetCommitByPath (/readme.md): fork/exec /usr/bin/git: cannot allocate memory
[Macaron] Completed /floorish/test 500 Internal Server Error in 88.956623ms

Just a simple test repository with a single readme.md works fine, but when I add another file I can't view the Code tab anymore.

Gogs works perfectly fine on v0.8.0 using the exact same config.

Actual memory usage looks fine as well: screen shot 2016-01-22 at 17 12 02

screen shot 2016-01-22 at 17 12 18

💊 bug status: needs reproduce 🙇‍♂️ help wanted

Reference https://about.gitlab.com/2014/09/29/gitlab-flow/ Reference https://code.google.com/p/gerrit/

Gogs should have a feature of protected branch. Let say master is a protected branch, then:

Nobody can push directly to master
Everybody* can checkout/fork from master
Everybody* submit a merge request / code review request for his/her new branch (features/fixes)
Everybody* can comment/discuss the diff, preferable line-by-line
Only those with "Reviewer" or "Supervisor" or "Senior" privilege can vote up/down on a merge request / code review
A merge request can only be eligible to be merged to master when having at least [a number] 2 of up votes. This parameter should be defined in a config file, environment variable, or runtime argument, so that nobody, even master or supreme admin can bypass code review process by setting it to 1 and self-review their code.

*Everybody is any user with sufficient authorization to read a project master and write to their own name space.

🎯 feature status: needs feedback status: assigned to maintainer

The module SSH is just not working, sorry but with this code: https://github.com/gogits/gogs/blob/master/modules/ssh/ssh.go#L109 and this line https://github.com/gogits/gogs/blob/master/modules/ssh/ssh.go#L59 . How can it work?

Or I don't understand your ssh module.

won't fix status: needs feedback

In some organizations or setups, users are managed separately by systems that does not support oauth.

Usually these setups handle user authentication with an reverse proxy and the user ids are then passed to the downstream systems via a request header.

I happen to work for such an orginazation and with some pointers and guidance, I would like to help implement this feature.

🎯 feature

It would be nice to have support for LFS repositories. It is GitHub tool to manage large files inside repository (like assets in web apps).

It isn't urgent, but I'm adding it here as I remember about it.

🎯 feature

If I open an issue in a new tab from the issues page. Sometimes when I go to add a comment, I get the message "invalid csrf token". I assume this is because I have tabbed from a page that hasn't been refreshed for a while.

When I open a new issue, does the CSRF token need to be re-set or updated?

💊 bug status: needs feedback

Hi, I found a strange message error when entering the /admin/config path. Instead of returning the config dump, after the last update it returns:

template: admin/config:105:50: executing "admin/config" at <.Webhook.QueueLength>: QueueLength is not a field of struct type interface {}

version is Version: 0.6.4.0809 Beta Go version is 1.4.2

Is is a bug?

Gogs version (or commit ref): Gogs Version: 0.9.100.1119
Git version: 2.10.2
Operating system: Centos 6 (uname -r): 2.6.32-642.6.2.el6.x86_64
Database (use [x]):
- [ ] PostgreSQL
- [x] MySQL
- [ ] SQLite
Can you reproduce the bug at https://try.gogs.io:
- [ ] Yes (provide example URL)
- [x] No
- [ ] Not relevant
Log gist:

Description

I am trying to create a repository for an Organisation. I get a 500 error. The log file looks like this:

2016/11/24 20:38:33 [...routers/repo/repo.go:101 handleCreateError()] [E] CreatePost: addRepository: getMembers: get team-users: Error 1054: Unknown column 'team_id' in 'where clause'

best regards roland

💊 bug status: needs feedback

Fixes #3105

The code would be better cleaned up by someone else. There's a duplication (which was already in the code before my intervention) between modules/base/tools.go and modules/user.go

The libravatar module is my first module. Not so big so it could eventually be included, if needed.

status: needs feedback

Gogs version

0.12.10

Git version

Gogs 0.12.10 Git 2.25.1 Go go1.18.1

Operating system

Ubuntu 20.04

Database

SQLite 3

Describe the bug

web page show 500

To reproduce

Synology enables nfs sharing ubuntu mount nfs share gogs sets the data storage directory to a folder in the nfs shared directory Start the gogs service web report 500 error

Expected behavior

I used to mount the nfs directory of qnap on the virtual machine as the data storage directory, and it was used normally. I recently migrated to Synology, and found that it kept reporting 500 errors. Switching back to qnap or the local directory was normal. I tried to use it in docker today, and found that I couldn’t use Synology’s nfs to mount the directory

Additional context

No response

Code of Conduct

[X] I agree to follow this project's Code of Conduct

💊 bug

Describe the feature

Add option for an administrator to add custom CSS style site-wide.

Describe the solution you'd like

A page in the Admin panel whith a text box/area where one could past a CSS style which (for ids/classes that match) overrides the default one.

Describe alternatives you've considered

Add a custom.css file somewhere in the root directory, the contents of which override the default CSS style.

Additional context

The reason I'm bringing this up is the lack of a dark mode in Gogs. I love Gogs and I'd rather stick with it and I also thought asking you to implement a dark mode on your own would be too much. Besides, people might complain that this is not exactly the dark mode they had in mind, hence this compromise.

But, if you were interested in adding a dark mode, I've stumbled upon this user script, which could turn out to be a good stepping stone.

Code of Conduct

[X] I agree to follow this project's Code of Conduct

🎯 feature

Sell My House Fast for Cash Nationwide USA. We Buy Houses. Fair Cash Offers. We Buy Houses Baltimore. Any Location, Houses & Land: Residential, Commercial, Industrial, Agricultural. Sell My House for Cash Baltimore.

Sell My House Baltimore

How To Turn A Vacant House Into Cash Fast in Baltimore Maryland Nationwide USA

Do you have a fixer-upper or vacant house? Figure out how to turn your house into cash the fast and simple way! Inside our latest post, we will explore why more and more people are looking to a quick sale for their area homes.

Sell My House As Is in Baltimore

Stop Foreclosure in Baltimore

Baltimore City

21201 21202 21204 21205 21206 21207 21208 21209 21210 21211 21212 21213 21214 21215 21216 21217 21218 21219 21220 21221 21222 21223 21224 21225 21226 21227 21228 21229 21230 21231 21233 21234 21236 21237 21239 21240 21244 21286 21287

Baltimore County and surrounding areas (Howard County, Anne Arundel County, Harford, Frederick, Carroll County etc.)

Nationwide USA

Worldwide

Afghanistan, Aland Islands, Albania, Algeria, American Samoa, Andorra, Angola, Anguilla, Antarctica, Antigua and Barbuda, Armenia, Aruba, Australia, Austria, Azerbaijan, Bahamas, Bahrain, Bangladesh, Barbados, Belarus, Belgium, Belize, Benin, Bermuda, Bhutan, Bolivia, Plurinational State of Bonaire, Sint Eustatius and Saba, Bosnia and Herzegovina, Botswana, Bouvet Island, British Indian Ocean Territory, Brunei Darussalam, Bulgaria, Burkina Faso, Burundi, Cabo Verde, Cambodia, Cameroon, Canada, Cayman Islands, Central African Republic, Chad, Chile, China, Christmas Island, Cocos (Keeling) Islands, Colombia, Comoros, Congo, Congo, The Democratic Republic of The Cook Islands, Costa Rica, Cote D'ivoire, Croatia, Cuba, Curacao, Cyprus, Czech Republic, Denmark, Djibouti, Dominica, Dominican Republic, Ecuador, Egypt, El Salvador, Equatorial Guinea, Eritrea, Estonia, Ethiopia, Falkland Islands (Malvinas), Faroe Islands, Fiji, Finland, France, French Guiana, French Polynesia, French Southern Territories, Gabon, Gambia, Georgia, Germany, Ghana, Gibraltar, Greece, Greenland, Grenada, Guadeloupe, Guam, Guatemala, Guernsey, Guinea, Guinea-Bissau, Guyana, Haiti, Heard Island and Mcdonald Islands, Holy See, Honduras, Hong Kong, Hungary, Iceland, India, Indonesia, Iran, Islamic Republic of Iraq, Ireland, Isle of Man, Israel, Italy, Jamaica, Japan, Jersey, Jordan, Kazakhstan, Kenya, Kiribati, Korea, Democratic People's Republic of Korea, Republic of Kuwait, Kyrgyzstan, Lao People's Democratic Republic, Latvia, Lebanon, Lesotho, Liberia, Libya, Liechtenstein, Lithuania, Luxembourg, Macao, Macedonia, The Former Yugoslav Republic of Madagascar, Malawi, Malaysia, Maldives, Mali, Malta, Marshall Islands, Martinique, Mauritania, Mauritius, Mayotte, Mexico, Micronesia, Federated States of Moldova, Republic of Monaco, Mongolia, Montenegro, Montserrat, Morocco, Mozambique, Myanmar, Namibia, Nauru, Nepal, Netherlands, New Caledonia, New Zealand, Nicaragua, Niger, Nigeria, Niue, Norfolk Island, Northern Mariana Islands, Norway, Oman, Pakistan, Palau, Palestine, State of Panama, Papua New Guinea, Paraguay, Peru, Philippines, Pitcairn, Poland, Portugal, Puerto Rico, Qatar, Reunion, Romania, Russian Federation, Rwanda, Saint Barthelemy, Saint Helena, Ascension and Tristan Da Cunha, Saint Kitts and Nevis, Saint Lucia, Saint Martin (French Part), Saint Pierre and Miquelon, Saint Vincent and The Grenadines, Samoa, San Marino, Sao Tome and Principe, Saudi Arabia, Senegal, Serbia, Seychelles, Sierra Leone, Singapore, Sint Maarten (Dutch Part), Slovakia, Slovenia, Solomon Islands, Somalia, South Africa, South Georgia and The South Sandwich Islands, South Sudan, Spain, Sri Lanka, Sudan, Suriname, Svalbard and Jan Mayen, Swaziland, Sweden, Switzerland, Syrian Arab Republic, Taiwan, Province of China, Tajikistan, Tanzania, United Republic of Thailand, Timor-Leste, Togo, Tokelau, Tonga, Trinidad and Tobago, Tunisia, Turkey, Turkmenistan, Turks and Caicos Islands, Tuvalu, Uganda, Ukraine, United Arab Emirates, United Kingdom of Great Britain and Northern Ireland, United States Minor Outlying Islands, United States of America, Uruguay, Uzbekistan, Vanuatu, Venezuela, Bolivarian Republic of Vietnam, Virgin Islands, British, Virgin Islands, U.S., Wallis and Futuna, Western Sahara, Yemen, Zambia, Zimbabwe

Getting The Right Buyer – Turn Your House into Cash

If the house needs major remodeling, is in a bad neighborhood, or has other less than ideal traits, discovering the right buyer for your house may prove to be more difficult than you initially thought. Yet, when you work with a direct buyer, such as selling my house fast Baltimore MD & nationwide USA, you won’t have to deal with the most common hassles you’d experience in a traditional sale. By selling your house to a local buyer directly, it will be possible to sell your house, get your money and move on quickly! Once you decide to work with us, we will handle everything from the repairs to the paperwork. If you choose to list your property on the market, you typically have to handle much of this yourself.

Getting An Offer

Not necessarily all home buyers are the same! When you choose to work with we buy ugly houses Baltimore & nationwide USA, getting an offer is easy. We will make an appointment to view your home right away, then quickly do our homework help to make you a fair cash offer fast. Whether you determine to sell to us or not is completely up to you. Either way, by giving our team a call, you will gain valuable insight regarding your property and the local market! Some professional buyers will hassle you into a sale. This will not be the case with us. We want to help you by providing information so you can make the best decision possible about selling your house for cash.

The Time frame

With a direct sale, things happen quickly! Once you call us or send us a message telling us about your house Nationwide USA or land for sale, we will immediately make an appointment with you to come and see it. We will make you an offer and if you accept, we can typically close escrow in 7 to 10 days. You can sell your house fast. We can close fast because we have the cash available now. If you work with a buyer that is using traditional financing, you will need to wait much longer for the sale to go through. You will also likely need multiple inspections done. This is not the case with us, we buy properties as is, giving you a fast closing and turning your house into cash quickly.

Sell House Fast in Baltimore | Sell House Fast in Maryland

The Closing Process

Closing is simple. Once you have accepted our offer, we will work with you and your time frame to close on the day that is the most convenient for you. You will always understand what is happening and when. With a direct sale, you won’t find yourself in the dark, not knowing when the house will sell or how much you will get for it. By knowing these things up front, you will be able to plan ahead, which provides peace of mind.

Describe the feature

Obtain the member information of organizations and code repository through the api interface

Describe the solution you'd like

no

Describe alternatives you've considered

no

Additional context

No response

Code of Conduct

[X] I agree to follow this project's Code of Conduct

🎯 feature

This PR adds a new configuration parameter DEFAULT_BRANCH_NAME which can be used to set the name of the default branch globally instead of changing the it for every repository. It defaults to "master" in order to remain backwards compatible. For new installs, it can be configured on the install page.

When creating a new repo, the bare repository will be initialized with the global default branch name. The commands on the bare repo page will display the correct branch name.

Relates to/Fixes #6296

Checklist

[x] I agree to follow the Code of Conduct by submitting this pull request.
[x] I have read and acknowledge the Contributing guide.
[ ] I have added test cases to cover the new code.

Changed

Support using [security] LOCAL_NETWORK_ALLOWLIST = * to allow all hostnames. #7111

Fixed

Unable to send webhooks to local network addresses after configured [security] LOCAL_NETWORK_ALLOWLIST. #7074

Previous patch releases

0.12.9

Fixed

Security: OS Command Injection in file editor. #7000
Security: Sanitize DisplayName in repository issue list. #7009
Security: Path Traversal in file editor on Windows. #7001
Security: Path Traversal in Git HTTP endpoints. #7002
Unable to init repository during creation on Windows. #6967
Mysterious panic on Value not found for type *repo.HTTPContext. #6963

0.12.8

Changed

All users (including admins) need to use the configuration option [security] LOCAL_NETWORK_ALLOWLIST to allow repository migration and webhooks to be able to access local network addresses, which is a comma separated list of hostnames. #6988

Fixed

Security: SSRF in webhook. #6901
Security: XSS in cookies. #6953
Security: OS Command Injection in file uploading. #6968
Security: Remote Command Execution in file editing. #6555

0.12.7

Fixed

Security: Stored XSS in issues. #6919
Invalid character in Access-Control-Allow-Credentials response header. #4983
Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882

0.12.6

Fixed

Security: Remote command execution in file uploading. #6833
Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
Slow start of Docker containers using NAS devices. #6554

0.12.5

Fixed

Security: Potential SSRF in repository migration. #6754
Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

Security: Potential SSRF attack by CRLF injection via repository migration. #6413
Regression: Fixed smart links for issues stops rendering. #6506
Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
Auto-linked commit SHAs now have correct links. #6300
Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
Regression: Submodule with a relative path is linked correctly. #6319
Backup can be processed when --target is specified on Windows. #6339
Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

The updated_at field is now correctly updated when updates an issue. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.10 patch release.

Source code(tar.gz)
Source code(zip)

ℹ️ Heads up! There is a new patch release 0.12.10 available, we recommend directly installing or upgrading to that version.

Fixed

Security: OS Command Injection in file editor. #7000
Security: Sanitize DisplayName in repository issue list. #7009
Security: Path Traversal in file editor on Windows. #7001
Security: Path Traversal in Git HTTP endpoints. #7002
Unable to init repository during creation on Windows. #6967
Mysterious panic on Value not found for type *repo.HTTPContext. #6963

0.12.8

Changed

All users (including admins) need to use the configuration option [security] LOCAL_NETWORK_ALLOWLIST to allow repository migration and webhooks to be able to access local network addresses, which is a comma separated list of hostnames. #6988

Fixed

Security: SSRF in webhook. #6901
Security: XSS in cookies. #6953
Security: OS Command Injection in file uploading. #6968
Security: Remote Command Execution in file editing. #6555

0.12.7

Fixed

Security: Stored XSS in issues. #6919
Invalid character in Access-Control-Allow-Credentials response header. #4983
Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882

0.12.6

Fixed

Security: Remote command execution in file uploading. #6833
Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
Slow start of Docker containers using NAS devices. #6554

0.12.5

Fixed

Security: Potential SSRF in repository migration. #6754
Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

Security: Potential SSRF attack by CRLF injection via repository migration. #6413
Regression: Fixed smart links for issues stops rendering. #6506
Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
Auto-linked commit SHAs now have correct links. #6300
Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
Regression: Submodule with a relative path is linked correctly. #6319
Backup can be processed when --target is specified on Windows. #6339
Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

The updated_at field is now correctly updated when updates an issue. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.9 patch release.

Source code(tar.gz)
Source code(zip)

ℹ️ Heads up! There is a new patch release 0.12.10 available, we recommend directly installing or upgrading to that version.

Changed

All users (including admins) need to use the configuration option [security] LOCAL_NETWORK_ALLOWLIST to allow repository migration and webhooks to be able to access local network addresses, which is a comma separated list of hostnames. #6988

Fixed

Security: SSRF in webhook. #6901
Security: XSS in cookies. #6953
Security: OS Command Injection in file uploading. #6968
Security: Remote Command Execution in file editing. #6555

0.12.7

Fixed

Security: Stored XSS in issues. #6919
Invalid character in Access-Control-Allow-Credentials response header. #4983
Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882

0.12.6

Fixed

Security: Remote command execution in file uploading. #6833
Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
Slow start of Docker containers using NAS devices. #6554

0.12.5

Fixed

Security: Potential SSRF in repository migration. #6754
Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

Security: Potential SSRF attack by CRLF injection via repository migration. #6413
Regression: Fixed smart links for issues stops rendering. #6506
Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
Auto-linked commit SHAs now have correct links. #6300
Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
Regression: Submodule with a relative path is linked correctly. #6319
Backup can be processed when --target is specified on Windows. #6339
Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

The updated_at field is now correctly updated when updates an issue. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.8 patch release.

Source code(tar.gz)
Source code(zip)

ℹ️ Heads up! There is a new patch release 0.12.10 available, we recommend directly installing or upgrading to that version.

Fixed

Security: Stored XSS in issues. #6919 by @unknwon
Invalid character in Access-Control-Allow-Credentials response header. #4983 by @wuhan005
Mysterious ssh: overflow reading version string errors from builtin SSH server. #6882 by @unknwon

0.12.6

Fixed

Security: Remote command execution in file uploading. #6833
Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841
Slow start of Docker containers using NAS devices. #6554

0.12.5

Fixed

Security: Potential SSRF in repository migration. #6754
Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

Security: Potential SSRF attack by CRLF injection via repository migration. #6413
Regression: Fixed smart links for issues stops rendering. #6506
Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
Auto-linked commit SHAs now have correct links. #6300
Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
Regression: Submodule with a relative path is linked correctly. #6319
Backup can be processed when --target is specified on Windows. #6339
Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

The updated_at field is now correctly updated when updates an issue. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.7 patch release.

Source code(tar.gz)
Source code(zip)

ℹ️ Heads up! There is a new patch release 0.12.10 available, we recommend directly installing or upgrading to that version.

Fixed

Security: Remote command execution in file uploading. #6833 by @unknwon
Regression: Unable to migrate repository from other local Git hosting. Added a new configuration option [security] LOCAL_NETWORK_ALLOWLIST, which is a comma separated list of hostnames that are explicitly allowed to be accessed within the local network. #6841 by @unknwon
Slow start of Docker containers using NAS devices. #6554 by @druppy

0.12.5

Fixed

Security: Potential SSRF in repository migration. #6754
Security: Improper PAM authorization handling. #6810

0.12.4

Fixed

Security: Potential SSRF attack by CRLF injection via repository migration. #6413
Regression: Fixed smart links for issues stops rendering. #6506
Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
Auto-linked commit SHAs now have correct links. #6300
Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
Regression: Submodule with a relative path is linked correctly. #6319
Backup can be processed when --target is specified on Windows. #6339
Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

The updated_at field is now correctly updated when updates an issue. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.6 patch release.

Source code(tar.gz)
Source code(zip)

ℹ️ Heads up! There is a new patch release 0.12.10 available, we recommend directly installing or upgrading to that version.

Fixed

Security: Potential SSRF in repository migration. #6754 by @michaellrowley
Security: Improper PAM authorization handling. #6810 by @ysf

0.12.4

Fixed

Security: Potential SSRF attack by CRLF injection via repository migration. #6413
Regression: Fixed smart links for issues stops rendering. #6506
Added X-Frame-Options header to prevent Clickjacking. #6409

0.12.3

Fixed

Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
Auto-linked commit SHAs now have correct links. #6300
Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
Regression: Submodule with a relative path is linked correctly. #6319
Backup can be processed when --target is specified on Windows. #6339
Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

The updated_at field is now correctly updated when updates an issue. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.5 patch release.

Source code(tar.gz)
Source code(zip)

ℹ️ Heads up! There is a new patch release 0.12.10 available, we recommend directly installing or upgrading to that version.

Fixed

Security: Potential SSRF attack by CRLF injection via repository migration. #6413 by @stypr
Regression: Fixed smart links for issues stops rendering. #6506 by @unknwon
Added X-Frame-Options header to prevent Clickjacking. #6409 by @matheusmosca

0.12.3

Fixed

Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
Auto-linked commit SHAs now have correct links. #6300
Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
Regression: Submodule with a relative path is linked correctly. #6319
Backup can be processed when --target is specified on Windows. #6339
Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

The updated_at field is now correctly updated when updates an issue. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

This is a release candidate for the 0.12.4 patch release.

Source code(tar.gz)
Source code(zip)

ℹ️ Heads up! There is a new patch release 0.12.10 available, we recommend directly installing or upgrading to that version.

Fixed

Regression: When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". #6316
Auto-linked commit SHAs now have correct links. #6300
Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header Content-Type to be application/octet-stream. The server now tells the LFS client to always use Content-Type: application/octet-stream when upload files.

0.12.2

Fixed

Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
Regression: Submodule with a relative path is linked correctly. #6319
Backup can be processed when --target is specified on Windows. #6339
Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

The updated_at field is now correctly updated when updates an issue. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

Source code(tar.gz)
Source code(zip)
gogs_0.12.3_darwin_amd64.zip(29.47 MB)
gogs_0.12.3_linux_386.tar.gz(25.47 MB)
gogs_0.12.3_linux_386.zip(25.47 MB)
gogs_0.12.3_linux_amd64.tar.gz(26.22 MB)
gogs_0.12.3_linux_amd64.zip(26.22 MB)
gogs_0.12.3_linux_armv7.tar.gz(25.00 MB)
gogs_0.12.3_linux_armv7.zip(25.00 MB)
gogs_0.12.3_linux_armv8.tar.gz(25.50 MB)
gogs_0.12.3_linux_armv8.zip(25.50 MB)
gogs_0.12.3_windows_amd64.zip(27.92 MB)
gogs_0.12.3_windows_amd64_mws.zip(27.95 MB)

ℹ️ Heads up! There is a new patch release 0.12.10 available, we recommend directly installing or upgrading to that version.

Fixed

Regression: Pages are correctly rendered when requesting ?go-get=1 for subdirectories. #6314
Regression: Submodule with a relative path is linked correctly. #6319
Backup can be processed when --target is specified on Windows. #6339
Commit message contains keywords look like an issue reference no longer fails the push entirely. #6289

0.12.1

Fixed

The updated_at field is now correctly updated when updates an issue. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

Source code(tar.gz)
Source code(zip)
gogs_0.12.2_darwin_amd64.zip(29.47 MB)
gogs_0.12.2_linux_386.tar.gz(25.46 MB)
gogs_0.12.2_linux_386.zip(25.47 MB)
gogs_0.12.2_linux_amd64.tar.gz(26.21 MB)
gogs_0.12.2_linux_amd64.zip(26.22 MB)
gogs_0.12.2_linux_armv7.tar.gz(25.00 MB)
gogs_0.12.2_linux_armv7.zip(25.00 MB)
gogs_0.12.2_windows_amd64.zip(27.92 MB)
gogs_0.12.2_windows_amd64_mws.zip(27.95 MB)

ℹ️ Heads up! There is a new patch release 0.12.10 available, we recommend directly installing or upgrading to that version.

Fixed

The updated_at field is now correctly updated when updates an issue. #6209
Fixed a regression which created login_source.cfg column to have VARCHAR(255) instead of TEXT in MySQL. #6280

0.12.0

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

Source code(tar.gz)
Source code(zip)
gogs_0.12.1_darwin_amd64.zip(29.37 MB)
gogs_0.12.1_linux_386.tar.gz(25.46 MB)
gogs_0.12.1_linux_386.zip(25.47 MB)
gogs_0.12.1_linux_amd64.tar.gz(26.21 MB)
gogs_0.12.1_linux_amd64.zip(26.22 MB)
gogs_0.12.1_linux_armv7.tar.gz(25.00 MB)
gogs_0.12.1_linux_armv7.zip(25.00 MB)
gogs_0.12.1_windows_amd64.zip(27.92 MB)
gogs_0.12.1_windows_amd64_mws.zip(27.95 MB)

ℹ️ Heads up! There is a new patch release 0.12.10 available, we recommend directly installing or upgrading to that version.

Added

Support for Git LFS, you can read documentation for both user and admin. #1322
Allow admin to remove observers from the repository. #5803
Use Last-Modified HTTP header for raw files. #5811
Support syntax highlighting for SAS code files (i.e. .r, .sas, .tex, .yaml). #5856
Able to fill in pull request title with a template. #5901
Able to override static files under public/ directory, please refer to documentation for usage. #5920
New API endpoint GET /admin/teams/:teamid/members to list members of a team. #5877
Support backup with retention policy for Docker deployments. #6140

Changed

The organization profile page has changed to display at most 12 members. #5506
The required Go version to compile source code changed to 1.14.
All assets are now embedded into binary and served from memory by default. Set [server] LOAD_ASSETS_FROM_DISK = true to load them from disk. #5920
Application and Go versions are removed from page footer and only show in the admin dashboard.
Build tag for running as Windows Service has been changed from miniwinsvc to minwinsvc.
Configuration option APP_NAME is deprecated and will end support in 0.13.0, please start using BRAND_NAME.
Configuration option [server] ROOT_URL is deprecated and will end support in 0.13.0, please start using [server] EXTERNAL_URL.
Configuration option [server] LANDING_PAGE is deprecated and will end support in 0.13.0, please start using [server] LANDING_URL.
Configuration option [database] DB_TYPE is deprecated and will end support in 0.13.0, please start using [database] TYPE.
Configuration option [database] PASSWD is deprecated and will end support in 0.13.0, please start using [database] PASSWORD.
Configuration option [security] REVERSE_PROXY_AUTHENTICATION_USER is deprecated and will end support in 0.13.0, please start using [auth] REVERSE_PROXY_AUTHENTICATION_HEADER.
Configuration section [mailer] is deprecated and will end support in 0.13.0, please start using [email].
Configuration section [service] is deprecated and will end support in 0.13.0, please start using [auth].
Configuration option [auth] ACTIVE_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] ACTIVATE_CODE_LIVES.
Configuration option [auth] RESET_PASSWD_CODE_LIVE_MINUTES is deprecated and will end support in 0.13.0, please start using [auth] RESET_PASSWORD_CODE_LIVES.
Configuration option [auth] ENABLE_CAPTCHA is deprecated and will end support in 0.13.0, please start using [auth] ENABLE_REGISTRATION_CAPTCHA.
Configuration option [auth] ENABLE_NOTIFY_MAIL is deprecated and will end support in 0.13.0, please start using [user] ENABLE_EMAIL_NOTIFICATION.
Configuration option [session] GC_INTERVAL_TIME is deprecated and will end support in 0.13.0, please start using [session] GC_INTERVAL.
Configuration option [session] SESSION_LIFE_TIME is deprecated and will end support in 0.13.0, please start using [session] MAX_LIFE_TIME.
The name - is reserved and cannot be used for users or organizations.

Fixed

[Security] Potential open redirection with i18n.
[Security] Potential ability to delete files outside a repository.
[Security] Potential ability to set primary email on others' behalf from their verified emails.
[Security] Potential XSS attack via .ipynb. #5170
[Security] Potential SSRF attack via webhooks. #5366
[Security] Potential CSRF attack in admin panel. #5367
[Security] Potential stored XSS attack in some browsers. #5397
[Security] Potential RCE on mirror repositories. #5767
[Security] Potential XSS attack with raw markdown API. #5907
File both modified and renamed within a commit treated as separate files. #5056
Unable to restore the database backup to MySQL 8.0 with syntax error. #5602
Open/close milestone redirects to a 404 page. #5677
Disallow multiple tokens with same name. #5587 #5820
Enable Federated Avatar Lookup could cause server to crash. #5848
Private repositories are hidden in the organization's view. #5869
Users have access to base repository cannot view commits in forks. #5878
Server error when changing email address in user settings page. #5899
Fall back to use RFC 3339 as time layout when misconfigured. #6098
Unable to update team with server error. #6185
Webhooks are not fired after push when [service] REQUIRE_SIGNIN_VIEW = true.
Files with identical content are randomly displayed one of them.

Removed

Configuration option [other] SHOW_FOOTER_VERSION
Configuration option [server] STATIC_ROOT_PATH
Configuration option [repository] MIRROR_QUEUE_LENGTH
Configuration option [repository] PULL_REQUEST_QUEUE_LENGTH
Configuration option [session] ENABLE_SET_COOKIE
Configuration option [release.attachment] PATH
Configuration option [webhook] QUEUE_LENGTH
Build tag sqlite, which means CGO is now required.

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(29.37 MB)
linux_386.tar.gz(25.46 MB)
linux_386.zip(25.47 MB)
linux_amd64.tar.gz(26.21 MB)
linux_amd64.zip(26.22 MB)
linux_armv7.tar.gz(25.00 MB)
linux_armv7.zip(25.00 MB)
windows_amd64.zip(27.92 MB)
windows_amd64_mws.zip(27.95 MB)

Bug fixes

MySQL: invalid connection #5532
Docker: Deprecation Notice OpenSSH #5647
Copyright is behind the times #5674
[Security] Incorrect API access control #5764

Improvements

Assignee receives email updates of issue thread #4220
Render Markdown in emails #4552
Add rsync to the Docker image #5773

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(27.59 MB)
linux_386.tar.gz(24.20 MB)
linux_386.zip(24.71 MB)
linux_amd64.tar.gz(24.50 MB)
linux_amd64.zip(25.09 MB)
linux_armv5.zip(22.86 MB)
linux_armv6.zip(22.85 MB)
raspi_armv7.tar.gz(19.15 MB)
raspi_armv7.zip(19.61 MB)
windows_386.zip(20.07 MB)
windows_386_mws.zip(20.13 MB)
windows_amd64.zip(25.34 MB)
windows_amd64_mws.zip(25.42 MB)

Bug fixes

Layout misalignment in Firefox for Linux #5299
Unexpected issue index parsing error while using external issue tracker #5551
[Security] Remote Code execution or/and Denial of Service #5558

Features

Support GitHub (Enterprise) authentication source #5340
Add API endpoint to get commit details by SHA #5546

Others

Add new languages support: Portuguese

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(25.79 MB)
linux_386.tar.gz(19.78 MB)
linux_386.zip(20.28 MB)
linux_amd64.tar.gz(19.89 MB)
linux_amd64.zip(20.43 MB)
linux_armv5.zip(21.34 MB)
raspi2_armv6.zip(19.60 MB)
windows_386.zip(20.07 MB)
windows_386_mws.zip(20.13 MB)
windows_amd64.zip(20.73 MB)
windows_amd64_mws.zip(20.80 MB)

Bug fixes

LDAP group verification doesn't work when using 'dn' as user attribute #4684
LDAP group verification fails #4792
Emoji's do not work in wiki #4869
Log level not applied from configuration #5007
Not able to go get a repository with non-80 port #5305
Fix critical CSRF vulnerabilities on API routes #5355
Wrong redirect after updated protect branch setting whose name contains # #5442
Clear labels not working #5445
[Security] Remote command execution #5469
Push event webhook is not triggered when new branch fetched to mirror repository #5473
Large issue comment exceeds dashboard section #5502
List collaborator API does not contain permission information #5538
[Security] Log out only deletes browser cookies #5540
[Security] Some routes need to be POST #5541
[Security] Stored XSS in external issue tracker URL format #5545

Improvements

Support prefilling the title and body of new issues using query parameters #5302
Support data URL of base64 encoded images in Markdown #5391
Allow non logged in users to call repository information API /repos/:username/:reponame #5475

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(25.15 MB)
linux_386.tar.gz(19.37 MB)
linux_386.zip(19.86 MB)
linux_amd64.tar.gz(19.47 MB)
linux_amd64.zip(20.00 MB)
linux_armv5.zip(20.82 MB)
raspi2_armv6.zip(19.20 MB)
windows_386.zip(19.64 MB)
windows_386_mws.zip(19.70 MB)
windows_amd64.zip(20.28 MB)
windows_amd64_mws.zip(20.35 MB)

Bug fixes

Web editor doesn't execute hooks after commit #4338
Release attachments are deleted when delete any random comment #4627
Private repository with public wiki or issue does not show in search result #4973
Cannot start with MySQL 8.0 #5187
Webhook and its tasks are not cleaned up when delete repository #5229
Time set to current after restored from backup #5264
Delete branch after merged pull request does no trigger webhook #5331
Fork repository does not check of the limit of users #5345
Unable to delete user with PostgreSQL #5376

Features

Able to add avatar for repository #2340
Add basic Go runtime metrics provided by Prometheus #4141

Improvements

Ignore configuration inline comment by default
Add deletion of an empty line at the end of file in file view #5270
Able to set default authentication method for login #5274
Able to add custom merge commit description #5276

Others

Security fixes

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(25.13 MB)
linux_386.tar.gz(19.35 MB)
linux_386.zip(19.85 MB)
linux_amd64.tar.gz(19.46 MB)
linux_amd64.zip(19.99 MB)
linux_armv5.zip(17.75 MB)
raspi2_armv6.zip(19.19 MB)
windows_386.zip(19.63 MB)
windows_386_mws.zip(19.69 MB)
windows_amd64.zip(20.27 MB)
windows_amd64_mws.zip(20.34 MB)

Bug fixes

The branch name contains '#' not work correctly #4601
Issue mention does not render with square brackets #4706
500 when merge branch when the base branch is not the default branch #5138
Gravatar URLs are badly generated #5157
Able to reuse two factor passcode
Config option [git] GC_ARGS does not take effect

Features

Show mirror updates in activity timeline #2017
Support authentication source config file #3142
Trigger webhook after mirror sync #4528

Others

Changed import path from "gogits/gogs" to "gogs/gogs"
Security fixes
Add new languages support: Vietnamese

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(20.77 MB)
linux_386.tar.gz(18.11 MB)
linux_386.zip(18.56 MB)
linux_amd64.tar.gz(18.42 MB)
linux_amd64.zip(18.88 MB)
linux_armv5.zip(16.93 MB)
raspi2_armv6.zip(18.37 MB)
windows_386.zip(18.74 MB)
windows_386_mws.zip(18.80 MB)
windows_amd64.zip(19.10 MB)
windows_amd64_mws.zip(19.15 MB)

Bug fixes

Protected branch can be deleted from the web after merge request #4514
Does not recognise SYSNAME datatype in MSSQL #4642
Quick guide is only showed for repository admin #4646
Wrong branch URL for name contains # in branches view #4874
Commits not merged after accepting pull request using rebase #5051
Once branch was protected "Lock" icon will never be removed #5053
SVG support in IPython notebook #5077

Improvements

Support HTTP HEAD requests #2857
Add option to rewrite authorized_keys file at start #4435
Add option to prepend global prefix to the email subject #4524
Disable federated avatar lookup by default #5126

Others

Add new languages support: Indonesian, Persian

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(20.81 MB)
linux_386.tar.gz(18.21 MB)
linux_386.zip(18.67 MB)
linux_amd64.tar.gz(18.32 MB)
linux_amd64.zip(18.81 MB)
linux_armv5.zip(16.65 MB)
raspi2_armv6.zip(17.56 MB)
windows_386.zip(18.48 MB)
windows_386_mws.zip(18.53 MB)
windows_amd64.zip(19.09 MB)
windows_amd64_mws.zip(19.16 MB)

Bug fixes

Regression: Pull request is not working between different repositories #4890

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(18.63 MB)
linux_386.tar.gz(17.54 MB)
linux_386.zip(18.01 MB)
linux_amd64.tar.gz(17.82 MB)
linux_amd64.zip(18.32 MB)
linux_armv5.zip(16.05 MB)
raspi2_armv6.zip(17.47 MB)
windows_386.zip(17.85 MB)
windows_386_mws.zip(17.90 MB)
windows_amd64.zip(18.56 MB)
windows_amd64_mws.zip(18.62 MB)

Bug fixes

Some security fixes
Wrong commit ID in webhook payload after merging pull request #4442
Meta tag go-import does not response correct value #4832

Features

Add Dingtalk webhook support #4773
Allow rebase and merge pull request #4798

Improvements

Add placeholder '%s' for username in LDAP BindDN #2526
Allow UID for git user in Docker container to be specified via ENV variable #3520
Add repository setting to ignore whitespace when check pull request conflict #4834

Others

Add new language support: Slovak

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(18.63 MB)
linux_386.tar.gz(17.54 MB)
linux_386.zip(18.01 MB)
linux_amd64.tar.gz(17.82 MB)
linux_amd64.zip(18.32 MB)
linux_armv5.zip(16.05 MB)
raspi2_armv6.zip(17.47 MB)
windows_386.zip(17.85 MB)
windows_386_mws.zip(17.90 MB)
windows_amd64.zip(18.56 MB)
windows_amd64_mws.zip(18.61 MB)

Bug fixes

Private repository activity shown in "Public activity" tab, if the repository was once public #4414
Webhooks refuse IPv6 URLs as invalid #4428
No email notification if issue closed by commit #4430
Explore page incorrect paging #4441
/api/v1/repos/search returns empty values #4522
Panic after created a pull request #4572

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(18.48 MB)
linux_386.tar.gz(17.39 MB)
linux_386.zip(17.85 MB)
linux_amd64.tar.gz(17.68 MB)
linux_amd64.zip(18.19 MB)
linux_armv5.zip(16.03 MB)
raspi2_armv6.zip(17.45 MB)
windows_386.zip(16.11 MB)
windows_386_mws.zip(16.15 MB)
windows_amd64.zip(16.81 MB)
windows_amd64_mws.zip(16.85 MB)

Bug fixes

Unable to go get subpkg #1878
Does not set as admin after first LDAP login #2855
Panic when login via PAM #4216
Unique constraint violation after backup restored for PostgreSQL #4357
Images in IPython notebook are not displayed #4366
Broken relative path for image link in edit file preview #4368
Emoji not rendered on commits view #4439
High CPU when view single commit contains file mode change #4475
Cannot change permissions of collaborators #4512

Features

Support two-factor authentication #945
Support filter by group membership for LDAP #4398

Improvements

Installation checks port for SMTP host #2243
Remain updated time unchanged if no new commits fetched for mirrors #4341
Support IPython notebook as README #4367
Configurable TLS Support #4450

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(18.47 MB)
linux_386.tar.gz(17.38 MB)
linux_386.zip(17.84 MB)
linux_amd64.tar.gz(17.68 MB)
linux_amd64.zip(18.18 MB)
linux_armv5.zip(16.02 MB)
raspi2_armv6.zip(17.45 MB)
windows_386.zip(16.11 MB)
windows_386_mws.zip(16.15 MB)
windows_amd64.zip(16.81 MB)
windows_amd64_mws.zip(16.85 MB)

Bug fixes

Client is not informed to provide credentials during HTTP/HTTPS push/pull
Mirror credentials are not URL encoded #4014
Create pull request buttons are showed on branches page when pull request is disabled #4377
Panic if user has validation error on installation #4383

Source code(tar.gz)
Source code(zip)
darwin_amd64.zip(15.09 MB)
linux_386.tar.gz(17.20 MB)
linux_386.zip(17.66 MB)
linux_amd64.tar.gz(17.50 MB)
linux_amd64.zip(17.99 MB)
linux_armv5.zip(15.85 MB)
raspi2_armv6.zip(17.27 MB)
windows_386.zip(15.95 MB)
windows_386_mws.zip(15.99 MB)
windows_amd64.zip(16.64 MB)
windows_amd64_mws.zip(16.68 MB)

Bug fixes

Profile editing looses changes on validation error #1123
Wrong repository count in organization dashboard #4351
Fail to migrate from version prior to 0.10 #4355
Private repository with public issues didn't handle anonymous visit properly #4359