diff --git a/MAINTAINERS b/MAINTAINERS
index 926a308d1eb6c..e3357f7b8fe44 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -45,3 +45,4 @@ Janis Estelmann <admin@oldschoolhack.me> (@KN4CK3R)
 Steven Kriegler <sk.bunsenbrenner@gmail.com> (@justusbunsi)
 Jimmy Praet <jimmy.praet@telenet.be> (@jpraet)
 Leon Hofmeister <dev.lh@web.de> (@delvh) 
+Gusted <williamzijl7@hotmail.com) (@Gusted)
diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index eadc1c0d96256..9643e396b6984 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -1400,6 +1400,7 @@ PATH =
 ;; Built-in: loopback (for localhost), private (for LAN/intranet), external (for public hosts on internet), * (for all hosts)
 ;; CIDR list: 1.2.3.0/8, 2001:db8::/32
 ;; Wildcard hosts: *.mydomain.com, 192.168.100.*
+;; Since 1.15.7. Default to * for 1.15.x, external for 1.16 and later
 ;ALLOWED_HOST_LIST = external
 ;;
 ;; Allow insecure certification
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 6cc6043cae7d0..3b5d9213df625 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -581,7 +581,7 @@ Define allowed algorithms and their minimum key length (use -1 to disable a type
 
 - `QUEUE_LENGTH`: **1000**: Hook task queue length. Use caution when editing this value.
 - `DELIVER_TIMEOUT`: **5**: Delivery timeout (sec) for shooting webhooks.
-- `ALLOWED_HOST_LIST`: **external**: Webhook can only call allowed hosts for security reasons. Comma separated list.
+- `ALLOWED_HOST_LIST`: **external**: Since 1.15.7. Default to `*` for 1.15.x, `external` for 1.16 and later. Webhook can only call allowed hosts for security reasons. Comma separated list.
   - Built-in networks:
     - `loopback`: 127.0.0.0/8 for IPv4 and ::1/128 for IPv6, localhost is included.
     - `private`: RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and RFC 4193 (FC00::/7). Also called LAN/Intranet.
diff --git a/services/gitdiff/gitdiff.go b/services/gitdiff/gitdiff.go
index f843bc4dcf9dc..614f8104ecaf2 100644
--- a/services/gitdiff/gitdiff.go
+++ b/services/gitdiff/gitdiff.go
@@ -839,7 +839,12 @@ parsingLoop:
 			case strings.HasPrefix(line, "--- "):
 				// Handle ambiguous filenames
 				if curFile.IsAmbiguous {
-					if len(line) > 6 && line[4] == 'a' {
+					// The shortest string that can end up here is:
+					// "--- a\t\n" without the qoutes.
+					// This line has a len() of 7 but doesn't contain a oldName.
+					// So the amount that the line need is at least 8 or more.
+					// The code will otherwise panic for a out-of-bounds.
+					if len(line) > 7 && line[4] == 'a' {
 						curFile.OldName = line[6 : len(line)-1]
 						if line[len(line)-2] == '\t' {
 							curFile.OldName = curFile.OldName[:len(curFile.OldName)-1]
@@ -1194,6 +1199,11 @@ func readFileName(rd *strings.Reader) (string, bool) {
 	_ = rd.UnreadByte()
 	if char == '"' {
 		fmt.Fscanf(rd, "%q ", &name)
+		if len(name) == 0 {
+			log.Error("Reader has no file name: %v", rd)
+			return "", true
+		}
+
 		if name[0] == '\\' {
 			name = name[1:]
 		}
diff --git a/services/gitdiff/gitdiff_test.go b/services/gitdiff/gitdiff_test.go
index d69d0c01d8df8..6decb59b64b5a 100644
--- a/services/gitdiff/gitdiff_test.go
+++ b/services/gitdiff/gitdiff_test.go
@@ -541,3 +541,22 @@ func TestDiffToHTML_14231(t *testing.T) {
 
 	assertEqual(t, expected, output)
 }
+
+func TestNoCrashes(t *testing.T) {
+	type testcase struct {
+		gitdiff string
+	}
+
+	tests := []testcase{
+		{
+			gitdiff: "diff --git \n--- a\t\n",
+		},
+		{
+			gitdiff: "diff --git \"0\n",
+		},
+	}
+	for _, testcase := range tests {
+		// It shouldn't crash, so don't care about the output.
+		ParsePatch(setting.Git.MaxGitDiffLines, setting.Git.MaxGitDiffLineCharacters, setting.Git.MaxGitDiffFiles, strings.NewReader(testcase.gitdiff))
+	}
+}
diff --git a/web_src/js/features/comp/ImagePaste.js b/web_src/js/features/comp/ImagePaste.js
index 30c5820f62f99..f7f076bf80546 100644
--- a/web_src/js/features/comp/ImagePaste.js
+++ b/web_src/js/features/comp/ImagePaste.js
@@ -1,4 +1,4 @@
-const {appSubUrl, csrfToken} = window.config;
+const {csrfToken} = window.config;
 
 async function uploadFile(file, uploadUrl) {
   const formData = new FormData();
@@ -67,7 +67,7 @@ export function initCompImagePaste($target) {
           const name = img.name.substr(0, img.name.lastIndexOf('.'));
           insertAtCursor(textarea, `![${name}]()`);
           const data = await uploadFile(img, uploadUrl);
-          replaceAndKeepCursor(textarea, `![${name}]()`, `![${name}](${appSubUrl}/attachments/${data.uuid})`);
+          replaceAndKeepCursor(textarea, `![${name}]()`, `![${name}](/attachments/${data.uuid})`);
           const input = $(`<input id="${data.uuid}" name="files" type="hidden">`).val(data.uuid);
           dropzoneFiles.appendChild(input[0]);
         }
@@ -83,7 +83,7 @@ export function initSimpleMDEImagePaste(simplemde, dropzone, files) {
       const name = img.name.substr(0, img.name.lastIndexOf('.'));
       const data = await uploadFile(img, uploadUrl);
       const pos = simplemde.codemirror.getCursor();
-      simplemde.codemirror.replaceRange(`![${name}](${appSubUrl}/attachments/${data.uuid})`, pos);
+      simplemde.codemirror.replaceRange(`![${name}](/attachments/${data.uuid})`, pos);
       const input = $(`<input id="${data.uuid}" name="files" type="hidden">`).val(data.uuid);
       files.append(input);
     }