What Changed in v2.1.4
🔒 Security
- WebDAV --no-delete bypass via MOVE/COPY (GHSA-hq33-8jgp-8qq3) — Under -w --no-delete (and --upload-only), the WebDAV MOVE verb still removed the source file — a rename deletes it from its original path — and, with Overwrite: T, destroyed an existing destination; COPY onto an existing file did the same via an implicit delete. The mode flags are now enforced on these verbs: MOVE is rejected whenever deletion is disabled, and a COPY that would overwrite an existing file is blocked, while a plain COPY to a new path stays allowed. --read-only continues to block all of them.
- SFTP authentication bypass with a single credential (GHSA-rjrw-mjq6-hpmm) — SFTP only installed its password handler when both a username and a password were configured, so setting only one left the server accepting unauthenticated logins. Authentication is now enforced whenever either credential is set.
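The WebDAV enforcement described above, sketched as a check that runs before the request reaches the WebDAV handler. This is an added example, not the project's own code: Mode, Allow and the root parameter are assumed names, and pinning Overwrite: F on a permitted COPY is an extra hardening step the release note does not describe.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
)

// Mode mirrors the flags named in the note; the field names are assumptions.
type Mode struct{ ReadOnly, NoDelete, UploadOnly bool }

// Allow reports whether a WebDAV MOVE or COPY may proceed under m (root = served dir).
func Allow(m Mode, root string, r *http.Request) error {
	noDelete := m.NoDelete || m.UploadOnly
	switch r.Method {
	case "MOVE": // a rename removes the source path
		if m.ReadOnly || noDelete {
			return errors.New("MOVE rejected: deletion is disabled")
		}
	case "COPY":
		if m.ReadOnly {
			return errors.New("COPY rejected: read-only")
		}
		if !noDelete {
			return nil
		}
		u, err := url.Parse(r.Header.Get("Destination"))
		if err != nil || u.Path == "" {
			return errors.New("COPY rejected: bad Destination header")
		}
		dst := filepath.Join(root, filepath.Clean("/"+u.Path)) // "../" cannot escape root
		if _, err := os.Lstat(dst); !errors.Is(err, os.ErrNotExist) {
			return errors.New("COPY rejected: destination exists or cannot be checked")
		}
		r.Header.Set("Overwrite", "F") // downstream handler must refuse overwrites too
	}
	return nil
}

func main() {
	root, _ := os.MkdirTemp("", "dav") // constructed sample tree
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "old.txt"), []byte("x"), 0o600)
	r, _ := http.NewRequest("COPY", "http://host/a.txt", nil)
	r.Header.Set("Destination", "http://host/old.txt")
	fmt.Println(Allow(Mode{NoDelete: true}, root, r))
}
```

The existence check and the later copy are not atomic, which is why the sketch also forces Overwrite: F so the handler that performs the copy fails rather than replacing a file created in between.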
✨ New Features
- Clipboard copy in the TUI generator — The --tui reverse-shell generator can now copy the selected payload straight to your clipboard with y/c. It works both locally (xclip/xsel, wl-copy, pbcopy, clip) and over SSH via OSC 52, filling both the system clipboard and the X11 primary selection (Ctrl+V and middle-click / Shift+Insert). The generator tab was also restructured into a stacked layout so multi-line output can be cleanly mouse-selected without also grabbing the menu entries.
🐛 Bug Fixes
- Fatal port-bind errors under --tui — Every listening protocol is now bound before the TUI dashboard takes over the terminal, so a port conflict (or any bind error) is reported cleanly and is fatal up front — instead of being swallowed by a serving goroutine, which under --tui left the terminal in raw mode needing a reset (and was silently dropped entirely for FTP).
⬆️ Dependencies
- Bumped golang.org/x/net 0.53.0 → 0.55.0.
- Bumped GitHub Actions: github/codeql-action (init/autobuild/analyze) 4.36.2 → 4.36.3, and goreleaser/goreleaser-action 7.2.2 → 7.2.3.