	Apply security fixes from #2441 to 1.0
							parent
							
								
									3473e1dfbf
								
							
						
					
					
						commit
						62856556b9
					
				
							
								
								
									
										13
									
								
								CHANGELOG.md
									
									
									
									
									
								
							
							
						
						
									
										13
									
								
								CHANGELOG.md
									
									
									
									
									
								
							| @ -3,6 +3,15 @@ This file is a running track of new features and fixes to each version of the pa | |||||||
| 
 | 
 | ||||||
| This project follows [Semantic Versioning](http://semver.org) guidelines. | This project follows [Semantic Versioning](http://semver.org) guidelines. | ||||||
| 
 | 
 | ||||||
|  | ## v0.7.19 (Derelict Dermodactylus) | ||||||
|  | ### Fixed | ||||||
|  | * **[Security]** Fixes XSS in the admin area's server owner selection. | ||||||
|  | 
 | ||||||
|  | ## v0.7.18 (Derelict Dermodactylus) | ||||||
|  | ### Fixed | ||||||
|  | * **[Security]** Re-addressed missed endpoint that would not properly limit a user account to 5 API keys. | ||||||
|  | * **[Security]** Addresses a Client API vulnerability that would allow a user to list all servers on the system ([`GHSA-6888-7f3w-92jx`](https://github.com/pterodactyl/panel/security/advisories/GHSA-6888-7f3w-92jx)) | ||||||
|  | 
 | ||||||
| ## v0.7.17 (Derelict Dermodactylus) | ## v0.7.17 (Derelict Dermodactylus) | ||||||
| ### Fixed | ### Fixed | ||||||
| * Limited accounts to 5 API keys at a time. | * Limited accounts to 5 API keys at a time. | ||||||
| @ -301,7 +310,7 @@ the response from the server `GET` endpoint. | |||||||
| * Nest and Egg listings now show the associated ID in order to make API requests easier. | * Nest and Egg listings now show the associated ID in order to make API requests easier. | ||||||
| * Added star indicators to user listing in Admin CP to indicate users who are set as a root admin. | * Added star indicators to user listing in Admin CP to indicate users who are set as a root admin. | ||||||
| * Creating a new node will now requires a SSL connection if the Panel is configured to use SSL as well. | * Creating a new node will now requires a SSL connection if the Panel is configured to use SSL as well. | ||||||
| * Connector error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure. | * Socketio error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure. | ||||||
| * File manager now supports mass deletion option for files and folders. | * File manager now supports mass deletion option for files and folders. | ||||||
| * Support for CS:GO as a default service option selection. | * Support for CS:GO as a default service option selection. | ||||||
| * Support for GMOD as a default service option selection. | * Support for GMOD as a default service option selection. | ||||||
| @ -431,7 +440,7 @@ the response from the server `GET` endpoint. | |||||||
| * Changed 2FA login process to be more secure. Previously authentication checking happened on the 2FA post page, now it happens prior and is passed along to the 2FA page to avoid storing any credentials. | * Changed 2FA login process to be more secure. Previously authentication checking happened on the 2FA post page, now it happens prior and is passed along to the 2FA page to avoid storing any credentials. | ||||||
| 
 | 
 | ||||||
| ### Added | ### Added | ||||||
| * Connector error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure. | * Socketio error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure. | ||||||
| 
 | 
 | ||||||
| ## v0.7.0-beta.1 (Derelict Dermodactylus) | ## v0.7.0-beta.1 (Derelict Dermodactylus) | ||||||
| ### Added | ### Added | ||||||
|  | |||||||
| @ -153,6 +153,12 @@ function updateAdditionalAllocations() { | |||||||
| } | } | ||||||
| 
 | 
 | ||||||
| function initUserIdSelect(data) { | function initUserIdSelect(data) { | ||||||
|  |     function escapeHtml(str) { | ||||||
|  |         var div = document.createElement('div'); | ||||||
|  |         div.appendChild(document.createTextNode(str)); | ||||||
|  |         return div.innerHTML; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|     $('#pUserId').select2({ |     $('#pUserId').select2({ | ||||||
|         ajax: { |         ajax: { | ||||||
|             url: '/admin/users/accounts.json', |             url: '/admin/users/accounts.json', | ||||||
| @ -176,28 +182,27 @@ function initUserIdSelect(data) { | |||||||
|         data: data, |         data: data, | ||||||
|         escapeMarkup: function (markup) { return markup; }, |         escapeMarkup: function (markup) { return markup; }, | ||||||
|         minimumInputLength: 2, |         minimumInputLength: 2, | ||||||
| 
 |  | ||||||
|         templateResult: function (data) { |         templateResult: function (data) { | ||||||
|             if (data.loading) return data.text; |             if (data.loading) return escapeHtml(data.text); | ||||||
| 
 | 
 | ||||||
|             return '<div class="user-block"> \ |             return '<div class="user-block"> \ | ||||||
|                         <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" alt="User Image"> \ |                 <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" alt="User Image"> \ | ||||||
|                 <span class="username"> \ |                 <span class="username"> \ | ||||||
|                             <a href="#">' + data.name_first + ' ' + data.name_last +'</a> \ |                     <a href="#">' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +'</a> \ | ||||||
|                 </span> \ |                 </span> \ | ||||||
|                         <span class="description"><strong>' + data.email + '</strong> - ' + data.username + '</span> \ |                 <span class="description"><strong>' + escapeHtml(data.email) + '</strong> - ' + escapeHtml(data.username) + '</span> \ | ||||||
|             </div>'; |             </div>'; | ||||||
|         }, |         }, | ||||||
| 
 |  | ||||||
|         templateSelection: function (data) { |         templateSelection: function (data) { | ||||||
|             return '<div> \ |             return '<div> \ | ||||||
|                 <span> \ |                 <span> \ | ||||||
|                             <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \ |                     <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \ | ||||||
|                 </span> \ |                 </span> \ | ||||||
|                 <span style="padding-left:5px;"> \ |                 <span style="padding-left:5px;"> \ | ||||||
|                             ' + data.name_first + ' ' + data.name_last + ' (<strong>' + data.email + '</strong>) \ |                     ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (<strong>' + escapeHtml(data.email) + '</strong>) \ | ||||||
|                 </span> \ |                 </span> \ | ||||||
|             </div>'; |             </div>'; | ||||||
|         } |         } | ||||||
|  | 
 | ||||||
|     }); |     }); | ||||||
| } | } | ||||||
|  | |||||||
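Review bot: The `escapeHtml` helper added at the top of the first hunk serialises a text node through `innerHTML`, which encodes `&`, `<` and `>` but leaves `"` and `'` untouched, yet its output is also interpolated into the `src="…"` attributes of the two gravatar `<img>` tags in the second hunk, where a double quote would still terminate the attribute. `data.md5` is presumably a hex digest in practice, but the helper's contract should not depend on that, and with `escapeMarkup` returning its input unchanged this helper is the only barrier between the AJAX payload and the DOM. A character-map replace is correct in both text and attribute context: `return String(str).replace(/[&<>"']/g, function (c) { return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]; });`. The same helper and templates are added to the blade inline script below, where the same change applies, and I would put a one-line comment above the helper in both places: `// escapeMarkup below is a no-op, so every interpolated value must pass through here`.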
| @ -66,6 +66,12 @@ | |||||||
| @section('footer-scripts') | @section('footer-scripts') | ||||||
|     @parent |     @parent | ||||||
|     <script> |     <script> | ||||||
|  |     function escapeHtml(str) { | ||||||
|  |         var div = document.createElement('div'); | ||||||
|  |         div.appendChild(document.createTextNode(str)); | ||||||
|  |         return div.innerHTML; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|     $('#pUserId').select2({ |     $('#pUserId').select2({ | ||||||
|         ajax: { |         ajax: { | ||||||
|             url: '/admin/users/accounts.json', |             url: '/admin/users/accounts.json', | ||||||
| @ -85,14 +91,14 @@ | |||||||
|         escapeMarkup: function (markup) { return markup; }, |         escapeMarkup: function (markup) { return markup; }, | ||||||
|         minimumInputLength: 2, |         minimumInputLength: 2, | ||||||
|         templateResult: function (data) { |         templateResult: function (data) { | ||||||
|             if (data.loading) return data.text; |             if (data.loading) return escapeHtml(data.text); | ||||||
| 
 | 
 | ||||||
|             return '<div class="user-block"> \ |             return '<div class="user-block"> \ | ||||||
|                 <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" alt="User Image"> \ |                 <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" alt="User Image"> \ | ||||||
|                 <span class="username"> \ |                 <span class="username"> \ | ||||||
|                     <a href="#">' + data.name_first + ' ' + data.name_last +'</a> \ |                     <a href="#">' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +'</a> \ | ||||||
|                 </span> \ |                 </span> \ | ||||||
|                 <span class="description"><strong>' + data.email + '</strong> - ' + data.username + '</span> \ |                 <span class="description"><strong>' + escapeHtml(data.email) + '</strong> - ' + escapeHtml(data.username) + '</span> \ | ||||||
|             </div>'; |             </div>'; | ||||||
|         }, |         }, | ||||||
|         templateSelection: function (data) { |         templateSelection: function (data) { | ||||||
| @ -108,10 +114,10 @@ | |||||||
| 
 | 
 | ||||||
|             return '<div> \ |             return '<div> \ | ||||||
|                 <span> \ |                 <span> \ | ||||||
|                     <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \ |                     <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \ | ||||||
|                 </span> \ |                 </span> \ | ||||||
|                 <span style="padding-left:5px;"> \ |                 <span style="padding-left:5px;"> \ | ||||||
|                     ' + data.name_first + ' ' + data.name_last + ' (<strong>' + data.email + '</strong>) \ |                     ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (<strong>' + escapeHtml(data.email) + '</strong>) \ | ||||||
|                 </span> \ |                 </span> \ | ||||||
|             </div>'; |             </div>'; | ||||||
|         } |         } | ||||||
|  | |||||||
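Review bot: The `escapeHtml` added inside this `<script>` block is a byte-for-byte copy of the one added to the JavaScript file above, and here it is declared at page-global scope rather than inside a function. Two copies means any later correction to the escaping has to be applied twice; loading it from a shared script that both pages include would keep them in sync. If it has to stay inline, wrapping the block in an IIFE would keep `escapeHtml` off the global scope. The surrounding `<script>` block and the select2 call continue outside these hunks.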
	 Stepan Fedotov
						Stepan Fedotov