What Changed in v2.1.0
Security fixes
- GHSA-j48m-h7xq-2xpj — Fixed Share-link ?token=… redemption races past download limit
- GHSA-3whc-qvhv-xqjp — Fixed WebDAV listener ignores --read-only, --upload-only, and --no-delete mode flags
Bug fixes
- Context menu "Open" (#166) — The right-click "Open" action now always opens the target in a new browser tab instead of toggling between preview and navigation depending on file type
- Clipboard data race — Added sync.RWMutex to the clipboard store; concurrent reads and writes no longer cause a race condition
- Auth cache — Replaced the unbounded boolean auth cache with a time-based expiry map, preventing unbounded memory growth on repeated auth attempts
- WebSocket origin check — Both the main WebSocket handler and the catcher WebSocket now enforce a same-host origin check, rejecting cross-origin connections
- Catcher session IDs — Session IDs upgraded from 32-bit + timestamp to 128-bit crypto/rand, eliminating predictability and timestamp-based collisions
- DNS server data race — Default reply IP is now set in the constructor rather than the handler, fixing a race on concurrent DNS requests
- SFTP Setstat — chmod 000 no longer applied when a Setstat request omits the mode attribute
- LDAP TLV read — Added a 1 MB size guard in readTLV() to prevent unbounded memory allocation on malformed LDAP packets
- Chunk size constant — Corrected internal chunkSize from 256 MB to the intended 16 MB
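The size guard described in the LDAP TLV read item, sketched as an added example; this is not the goshs implementation. The names readBoundedTLV, maxTLVLen and errTLVTooLarge and the sample packets are assumptions constructed here, and the reader handles single-byte tags only.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxTLVLen is the 1 MB cap from the release note (constant name assumed).
const maxTLVLen = 1 << 20

var errTLVTooLarge = errors.New("tlv: declared length exceeds 1 MB")

// readBoundedTLV (hypothetical) reads one BER element with a single-byte tag
// and rejects oversized lengths before allocating the value buffer.
func readBoundedTLV(r io.Reader) (byte, []byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return 0, nil, err
	}
	length := uint64(hdr[1])
	if hdr[1]&0x80 != 0 { // long form: low 7 bits count the length octets
		n := int(hdr[1] & 0x7f)
		if n == 0 || n > 4 {
			return 0, nil, errors.New("tlv: unsupported length encoding")
		}
		var be [4]byte // right-align the n length octets, then decode big-endian
		if _, err := io.ReadFull(r, be[4-n:]); err != nil {
			return 0, nil, err
		}
		length = uint64(binary.BigEndian.Uint32(be[:]))
	}
	if length > maxTLVLen { // guard runs before make(): the peer cannot force a huge allocation
		return 0, nil, errTLVTooLarge
	}
	value := make([]byte, length)
	if _, err := io.ReadFull(r, value); err != nil {
		return 0, nil, err
	}
	return hdr[0], value, nil
}

func main() {
	// Constructed inputs: a 3-byte element, and a header that claims 2 GiB.
	for _, p := range [][]byte{{0x30, 0x03, 0x02, 0x01, 0x01}, {0x30, 0x84, 0x80, 0x00, 0x00, 0x00}} {
		tag, v, err := readBoundedTLV(bytes.NewReader(p))
		fmt.Printf("tag=%#x len=%d err=%v\n", tag, len(v), err)
	}
}
```

The second packet is six bytes on the wire; without the length check a parser would attempt a 2 GiB allocation before discovering the body is missing.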
Project
- Repository moved to github.com/goshs-labs/goshs
- Security contributor acknowledgement: @black-shadow-007
Dependencies
- Bumped github/codeql-action to 4.36.0