You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This release consolidates significant security hardening, multi-user isolation improvements, and new features based on community feedback and a lightweight audit.
It addresses all findings from the audit, including rate-limiting, TUS re-validation, stricter file permissions, and global security headers. It also introduces share detail editing and ranged download support.
Co-authored-by: Gemini CLI <noreply@google.com>
Copy file name to clipboardExpand all lines: CHANGELOG.md
+22Lines changed: 22 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,6 +4,28 @@ All notable changes to ferry will be documented in this file starting with the f
4
4
5
5
The format follows the spirit of [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and ferry follows semantic versioning after `v1.0.0`.
6
6
7
+
## [1.1.0] - 2026-05-03
8
+
9
+
### Added
10
+
-**Edit Share Details:** Share owners and managers can now edit the title and note of a share after its creation.
11
+
-**Ranged Download Support:** The server now supports `Range` headers for file downloads, improving compatibility with download managers and resuming large downloads.
12
+
-**Global Security Headers:** Every response now includes `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, `Referrer-Policy: no-referrer`, and a strict `Content-Security-Policy`.
13
+
-**Differentiated User Feedback:** The dashboard now displays whether you are logged in as an admin or a standard user, including your display name.
14
+
-**Enhanced Security Documentation:** Updated [Security Model](docs/SECURITY_MODEL.md) to reflect the new hardening measures.
15
+
16
+
### Fixed
17
+
-**Multi-User Isolation:** Standard users now only see and manage their own shares on the dashboard.
18
+
-**Directional Semantics:** Restored the intended upload logic: Guests upload to 'Receive' (Upload) shares, while Owners/Admins upload to 'Send' (Download) shares for management.
19
+
-**TUS Authorization:** Every TUS upload request (`POST`, `PATCH`, `HEAD`) is validated against the current session to ensure the user has access to the associated share.
20
+
-**Badge Persistence:** Improved the 'Upload Success' badge tracking to survive HTMX list refreshes correctly.
21
+
-**UI Refinements:** Restored the 'Knight Rider' processing glint animation and fixed a broken navigation tag.
22
+
-**Permissions Regression:** Authenticated admins can now correctly delete shares in break-glass mode again.
23
+
24
+
### Security
25
+
-**Restricted Permissions:** Storage and database directories are now created with `0700` permissions. Blobs and database files are restricted to `0600`.
26
+
-**Non-Root Execution:** The Docker container now runs as a dedicated, non-privileged `ferry` user.
27
+
-**Setup Protection:** The `/setup` bootstrap flow is now protected by the authentication rate-limiter.
0 commit comments