diff --git a/CHANGELOG.md b/CHANGELOG.md index 149b3ff7c..29bf1764b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ All notable changes to Gogs are documented in this file. ### Added - An unlisted option is added when create or migrate a repository. Unlisted repositories are public but not being listed for users without direct access in the UI. [#5733](https://github.com/gogs/gogs/issues/5733) +- Add new configuration option `[git.timeout] DIFF` for customizing operation timeout of `git diff`. [#6315](https://github.com/gogs/gogs/issues/6315) ### Changed @@ -16,13 +17,7 @@ All notable changes to Gogs are documented in this file. ### Fixed -- _Regression:_ Pages are correctly rendered when requesting `?go-get=1` for subdirectories. [#6314](https://github.com/gogs/gogs/issues/6314) -- _Regression:_ Submodule with a relative path is linked correctly. [#6319](https://github.com/gogs/gogs/issues/6319) -- Backup can be processed when `--target` is specified on Windows. [#6339](https://github.com/gogs/gogs/issues/6339) -- Commit message contains keywords look like an issue reference no longer fails the push entirely. [#6289](https://github.com/gogs/gogs/issues/6289) -- _Regression:_ When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". [#6316](https://github.com/gogs/gogs/issues/6316) -- Auto-linked commit SHAs now have correct links. [#6300](https://github.com/gogs/gogs/issues/6300) -- Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header `Content-Type` to be `application/octet-stream`. The server now tells the LFS client to always use `Content-Type: application/octet-stream` when upload files. +- Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409) ### Removed @@ -31,7 +26,6 @@ All notable changes to Gogs are documented in this file. - Configuration section `[service]` is no longer used. - Configuration option `APP_NAME` is no longer used. - Configuration option `[security] REVERSE_PROXY_AUTHENTICATION_USER` is no longer used. -- Configuration option `[database] PASSWD` is no longer used. - Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is no longer used. - Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is no longer used. - Configuration option `[auth] ENABLE_CAPTCHA` is no longer used. @@ -44,6 +38,23 @@ All notable changes to Gogs are documented in this file. - Configuration option `[database] DB_TYPE` is no longer used. - Configuration option `[database] PASSWD` is no longer used. +## 0.12.3 + +### Fixed + +- _Regression:_ When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". [#6316](https://github.com/gogs/gogs/issues/6316) +- Auto-linked commit SHAs now have correct links. [#6300](https://github.com/gogs/gogs/issues/6300) +- Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header `Content-Type` to be `application/octet-stream`. The server now tells the LFS client to always use `Content-Type: application/octet-stream` when upload files. + +## 0.12.2 + +### Fixed + +- _Regression:_ Pages are correctly rendered when requesting `?go-get=1` for subdirectories. [#6314](https://github.com/gogs/gogs/issues/6314) +- _Regression:_ Submodule with a relative path is linked correctly. [#6319](https://github.com/gogs/gogs/issues/6319) +- Backup can be processed when `--target` is specified on Windows. [#6339](https://github.com/gogs/gogs/issues/6339) +- Commit message contains keywords look like an issue reference no longer fails the push entirely. [#6289](https://github.com/gogs/gogs/issues/6289) + ## 0.12.1 ### Fixed @@ -81,6 +92,7 @@ All notable changes to Gogs are documented in this file. - Configuration section `[service]` is deprecated and will end support in 0.13.0, please start using `[auth]`. - Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] ACTIVATE_CODE_LIVES`. - Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] RESET_PASSWORD_CODE_LIVES`. +- Configuration option `[auth] REGISTER_EMAIL_CONFIRM` is deprecated and will end support in 0.13.0, please start using `[auth] REQUIRE_EMAIL_CONFIRMATION`. - Configuration option `[auth] ENABLE_CAPTCHA` is deprecated and will end support in 0.13.0, please start using `[auth] ENABLE_REGISTRATION_CAPTCHA`. - Configuration option `[auth] ENABLE_NOTIFY_MAIL` is deprecated and will end support in 0.13.0, please start using `[user] ENABLE_EMAIL_NOTIFICATION`. - Configuration option `[session] GC_INTERVAL_TIME` is deprecated and will end support in 0.13.0, please start using `[session] GC_INTERVAL`. diff --git a/internal/context/context.go b/internal/context/context.go index 2971700b4..9af98ebcd 100644 --- a/internal/context/context.go +++ b/internal/context/context.go @@ -290,6 +290,7 @@ func Contexter() macaron.Handler { // 🚨 SECURITY: Prevent MIME type sniffing in some browsers, // see https://github.com/gogs/gogs/issues/5397 for details. c.Header().Set("X-Content-Type-Options", "nosniff") + c.Header().Set("X-Frame-Options", "DENY") ctx.Map(c) }