Skip to content

Commit 40f9617

Browse files
kakraGemini CLI
andcommitted
release: v1.1.0
This release consolidates significant security hardening, multi-user isolation improvements, and new features based on community feedback and a lightweight audit. It addresses all findings from the audit, including rate-limiting, TUS re-validation, stricter file permissions, and global security headers. It also introduces share detail editing and ranged download support. Co-authored-by: Gemini CLI <noreply@google.com>
1 parent 4a59e0a commit 40f9617

2 files changed

Lines changed: 23 additions & 1 deletion

File tree

CHANGELOG.md

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,28 @@ All notable changes to ferry will be documented in this file starting with the f
44

55
The format follows the spirit of [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and ferry follows semantic versioning after `v1.0.0`.
66

7+
## [1.1.0] - 2026-05-03
8+
9+
### Added
10+
- **Edit Share Details:** Share owners and managers can now edit the title and note of a share after its creation.
11+
- **Ranged Download Support:** The server now supports `Range` headers for file downloads, improving compatibility with download managers and resuming large downloads.
12+
- **Global Security Headers:** Every response now includes `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `Referrer-Policy: no-referrer`, and a strict `Content-Security-Policy`.
13+
- **Differentiated User Feedback:** The dashboard now displays whether you are logged in as an admin or a standard user, including your display name.
14+
- **Enhanced Security Documentation:** Updated [Security Model](docs/SECURITY_MODEL.md) to reflect the new hardening measures.
15+
16+
### Fixed
17+
- **Multi-User Isolation:** Standard users now only see and manage their own shares on the dashboard.
18+
- **Directional Semantics:** Restored the intended upload logic: Guests upload to 'Receive' (Upload) shares, while Owners/Admins upload to 'Send' (Download) shares for management.
19+
- **TUS Authorization:** Every TUS upload request (`POST`, `PATCH`, `HEAD`) is validated against the current session to ensure the user has access to the associated share.
20+
- **Badge Persistence:** Improved the 'Upload Success' badge tracking to survive HTMX list refreshes correctly.
21+
- **UI Refinements:** Restored the 'Knight Rider' processing glint animation and fixed a broken navigation tag.
22+
- **Permissions Regression:** Authenticated admins can now correctly delete shares in break-glass mode again.
23+
24+
### Security
25+
- **Restricted Permissions:** Storage and database directories are now created with `0700` permissions. Blobs and database files are restricted to `0600`.
26+
- **Non-Root Execution:** The Docker container now runs as a dedicated, non-privileged `ferry` user.
27+
- **Setup Protection:** The `/setup` bootstrap flow is now protected by the authentication rate-limiter.
28+
729
## [1.0.4] - 2026-05-03
830

931
### Added

internal/version/version.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,3 @@
11
package version
22

3-
const Version = "v1.0.4"
3+
const Version = "v1.1.0"

0 commit comments

Comments
 (0)