Transfer.sh Versions Save

Security alert

The fix introduced on v1.6.0 (https://github.com/dutchcoders/transfer.sh/pull/564) still had a bug allowing any IP to bypass basic http auth in case an IP whitelist was set, regardless the IP was matching the IP or not. This release include the fix for the bug.

What's Changed

• server/server.go: use TLS config provided by acme/autocert by @stefanbenten in https://github.com/dutchcoders/transfer.sh/pull/567
• Bump golang.org/x/net from 0.8.0 to 0.17.0 by @dependabot in https://github.com/dutchcoders/transfer.sh/pull/581
• deps: remove ioutil package by @ginglis13 in https://github.com/dutchcoders/transfer.sh/pull/583
• Bump google.golang.org/grpc from 1.53.0 to 1.56.3 by @dependabot in https://github.com/dutchcoders/transfer.sh/pull/586
• Fixes transfer() issues by @luizluca in https://github.com/dutchcoders/transfer.sh/pull/579
• Add new example by @AdamsGH in https://github.com/dutchcoders/transfer.sh/pull/574

New Contributors

• @ginglis13 made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/583
• @luizluca made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/579
• @AdamsGH made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/574

Full Changelog: https://github.com/dutchcoders/transfer.sh/compare/v1.6.0...v1.6.1

Security alert

Since the first commit merged on main branch after v.1.5.0, including docker images tagged as edge (#537) we had a bug that disabled the basic auth feature. This release include the fix for the bug as well as the new feature that introduced the bug: ie, using and htpasswd file for basic auth credentials.

What's Changed

• add http-auth-htpasswd by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/537
• add IP_FILTERLIST_BYPASS_HTTP_AUTH by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/538
• Add Vary headers in responses by @kotx in https://github.com/dutchcoders/transfer.sh/pull/536
• call WriteHeader after last change to header map by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/542
• Add charset to content type in getHandler by @snowphone in https://github.com/dutchcoders/transfer.sh/pull/545
• Dockerfile: Use Go 1.20 by default by @adamantike in https://github.com/dutchcoders/transfer.sh/pull/550
• Bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 by @dependabot in https://github.com/dutchcoders/transfer.sh/pull/552
• Add mime.types to docker container to select charset properly by @snowphone in https://github.com/dutchcoders/transfer.sh/pull/547
• Upgrade github.com/urfave/cli to v2 by @adamantike in https://github.com/dutchcoders/transfer.sh/pull/551
• Improve purgeTime display in web page by @natilou in https://github.com/dutchcoders/transfer.sh/pull/558
• Improve Docker layer caching for Go dependencies by @adamantike in https://github.com/dutchcoders/transfer.sh/pull/560
• Upgrade aws-sdk-go to v2 by @adamantike in https://github.com/dutchcoders/transfer.sh/pull/559
• fix basic auth by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/564

New Contributors

• @kotx made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/536
• @snowphone made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/545
• @adamantike made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/550
• @natilou made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/558

Full Changelog: https://github.com/dutchcoders/transfer.sh/compare/v1.5.0...v1.6.0

What's Changed

• server: reorganize storage layer into more clear subfolder by @stefanbenten in https://github.com/dutchcoders/transfer.sh/pull/496
• all: update gdrive client and various linting cleanups by @stefanbenten in https://github.com/dutchcoders/transfer.sh/pull/497
• Fixed improper implementation of content type by @blind-intruder in https://github.com/dutchcoders/transfer.sh/pull/501
• bump transfer.sh-web dep by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/504
• Add /tmp dir to Docker image by @am97 in https://github.com/dutchcoders/transfer.sh/pull/506
• Fix for unrecognized flags on du by @frankievalentine in https://github.com/dutchcoders/transfer.sh/pull/488
• server: do not ignore listening errors by @mpl in https://github.com/dutchcoders/transfer.sh/pull/523
• min go version 1.18, include tip for test by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/532
• Bump golang.org/x/crypto from 0.0.0-20220131195533-30dcbda58838 to 0.1.0 by @dependabot in https://github.com/dutchcoders/transfer.sh/pull/533
• Bump golang.org/x/net from 0.0.0-20220513224357-95641704303c to 0.7.0 by @dependabot in https://github.com/dutchcoders/transfer.sh/pull/534
• Lint accept range by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/535
• gpg encryption support by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/162

New Contributors

• @blind-intruder made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/501
• @am97 made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/506
• @frankievalentine made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/488
• @mpl made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/523

Full Changelog: https://github.com/dutchcoders/transfer.sh/compare/v1.4.0...v1.5.0

What's Changed

• go.mod,go.sum: bumping storj dependency by @stefanbenten in https://github.com/dutchcoders/transfer.sh/pull/454
• .github/workflows: adding golangci-lint as new job by @stefanbenten in https://github.com/dutchcoders/transfer.sh/pull/453
• server/handlers.go,storage.go: smaller fixes by @stefanbenten in https://github.com/dutchcoders/transfer.sh/pull/452
• server: propagate context to storage layer by @stefanbenten in https://github.com/dutchcoders/transfer.sh/pull/455
• Clamav prescan by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/389
• fix perform-clamav-prescan by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/460
• server/storage.go: Update storj dependencies and set user-agent by @stefanbenten in https://github.com/dutchcoders/transfer.sh/pull/467
• Add X-Url-Delete-* headers to POST handler by @anihm136 in https://github.com/dutchcoders/transfer.sh/pull/435
• Docker: Allow selection of (unprivileged) UID/GID at build time by @lkubb in https://github.com/dutchcoders/transfer.sh/pull/418
• Correct typo in CODE_OF_CONDUCT.md by @keks24 in https://github.com/dutchcoders/transfer.sh/pull/480
• server: adding no-store header by @stefanbenten in https://github.com/dutchcoders/transfer.sh/pull/476
• .github/,go.mod,go.sum: Update storj dependencies, drop older go versions by @stefanbenten in https://github.com/dutchcoders/transfer.sh/pull/468
• Example Zsh/Bash function for transfer.sh homepage by @keks24 in https://github.com/dutchcoders/transfer.sh/pull/478
• Issue 485 by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/486

New Contributors

• @anihm136 made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/435
• @lkubb made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/418
• @keks24 made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/480

Full Changelog: https://github.com/dutchcoders/transfer.sh/compare/v1.3.1...v1.3.2

What's Changed

• Golint by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/404
• Update README.md by @modem7 in https://github.com/dutchcoders/transfer.sh/pull/414
• Update README.md by @mazedlx in https://github.com/dutchcoders/transfer.sh/pull/415
• Edited code of conduct for more information and corrected a grammatical error by @whosoumilarora in https://github.com/dutchcoders/transfer.sh/pull/421
• Fix path by @mattn in https://github.com/dutchcoders/transfer.sh/pull/416
• fix missed errors by @matsuyoshi30 in https://github.com/dutchcoders/transfer.sh/pull/417
• Implement Nix Flake by @ysndr in https://github.com/dutchcoders/transfer.sh/pull/424
• issue #420 return 400 response when Max-Days is too big by @kugiyasan in https://github.com/dutchcoders/transfer.sh/pull/422
• issue #420 added MaxDate.IsZero() check by @kugiyasan in https://github.com/dutchcoders/transfer.sh/pull/427
• Add uploading and copy download command by @GanZhiXiong in https://github.com/dutchcoders/transfer.sh/pull/412
• fix in force-https redirect by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/441
• remove tor, remove bitcoin, fix contact us by @aspacca in https://github.com/dutchcoders/transfer.sh/pull/447

New Contributors

• @modem7 made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/414
• @mazedlx made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/415
• @whosoumilarora made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/421
• @mattn made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/416
• @matsuyoshi30 made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/417
• @ysndr made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/424
• @kugiyasan made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/422
• @GanZhiXiong made their first contribution in https://github.com/dutchcoders/transfer.sh/pull/412

Full Changelog: https://github.com/dutchcoders/transfer.sh/compare/v1.3.0...v1.3.1

New features:

• Deletion on UI (#353)

Enhanchments:

• Version on build time for Docker and releases
• Purge time and max upload size on UI reflect configuration
• Releases for multiple targets and in archive fromat (tar gz) (thanks @wc7086)

Fixes:

• Fix for #398
• Fix for #380
• Fix for #377

This is a patch release to provide static binaries in releases

This is a security release, disclosures of details will follow. Highly suggested to update to this version.

Others changes:

• .UrlRandomToken available in templates to help building custom url to the upload
• --random-token-length|RANDOM_TOKEN_LENGTH startup setting to define length of the url random token

This release fixes https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33496 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33497

Thanks to RyotaK for reporting them

• Optimization on metadata writes @JustAnotherArchivist
• Optimization on reader for sanitisation @aspacca
• Migration to github actions @marzocchi

• bump dependecies
• sanitize html in inline handler
• fix in docker/binary build