Skynet/misc_pterodactyl-panel
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix XSS in server owner selection (#2441)

Browse source 
Co-authored-by: Stepan Fedotov <stepan@crident.com>
Co-authored-by: Sergej <me@sergiz.com>
This commit is contained in:
Stepan Fedotov 2020-10-03 19:55:35 +03:00 committed by GitHub
parent dcf5cb3cd3
commit 1cd08e2f8d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -3,6 +3,10 @@ This file is a running track of new features and fixes to each version of the pa
This project follows [Semantic Versioning](http://semver.org) guidelines. This project follows [Semantic Versioning](http://semver.org) guidelines.
## v0.7.19 (Derelict Dermodactylus)
### Fixed
* **[Security]** Fixes XSS in the admin area's server owner selection.
## v0.7.18 (Derelict Dermodactylus) ## v0.7.18 (Derelict Dermodactylus)
### Fixed ### Fixed
* **[Security]** Re-addressed missed endpoint that would not properly limit a user account to 5 API keys. * **[Security]** Re-addressed missed endpoint that would not properly limit a user account to 5 API keys.

18
public/themes/pterodactyl/js/admin/new-server.js
View file

@ -37,6 +37,12 @@ $(document).ready(function() {
placeholder: 'Select Additional Allocations', placeholder: 'Select Additional Allocations',
}); });
function escapeHtml(str) {
var div = document.createElement('div');
div.appendChild(document.createTextNode(str));
return div.innerHTML;
}
$('#pUserId').select2({ $('#pUserId').select2({
ajax: { ajax: {
url: Router.route('admin.users.json'), url: Router.route('admin.users.json'),
@ -56,23 +62,23 @@ $(document).ready(function() {
escapeMarkup: function (markup) { return markup; }, escapeMarkup: function (markup) { return markup; },
minimumInputLength: 2, minimumInputLength: 2,
templateResult: function (data) { templateResult: function (data) {
if (data.loading) return data.text; if (data.loading) return escapeHtml(data.text);
return '<div class="user-block"> \ return '<div class="user-block"> \
<img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" alt="User Image"> \ <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" alt="User Image"> \
<span class="username"> \ <span class="username"> \
<a href="#">' + data.name_first + ' ' + data.name_last +'</a> \ <a href="#">' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +'</a> \
</span> \ </span> \
<span class="description"><strong>' + data.email + '</strong> - ' + data.username + '</span> \ <span class="description"><strong>' + escapeHtml(data.email) + '</strong> - ' + escapeHtml(data.username) + '</span> \
</div>'; </div>';
}, },
templateSelection: function (data) { templateSelection: function (data) {
return '<div> \ return '<div> \
<span> \ <span> \
<img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \ <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
</span> \ </span> \
<span style="padding-left:5px;"> \ <span style="padding-left:5px;"> \
' + data.name_first + ' ' + data.name_last + ' (<strong>' + data.email + '</strong>) \ ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (<strong>' + escapeHtml(data.email) + '</strong>) \
</span> \ </span> \
</div>'; </div>';
} }

18
resources/themes/pterodactyl/admin/servers/view/details.blade.php
View file

@ -83,6 +83,12 @@
@section('footer-scripts') @section('footer-scripts')
@parent @parent
<script> <script>
function escapeHtml(str) {
var div = document.createElement('div');
div.appendChild(document.createTextNode(str));
return div.innerHTML;
}
$('#pUserId').select2({ $('#pUserId').select2({
ajax: { ajax: {
url: Router.route('admin.users.json'), url: Router.route('admin.users.json'),
@ -102,14 +108,14 @@
escapeMarkup: function (markup) { return markup; }, escapeMarkup: function (markup) { return markup; },
minimumInputLength: 2, minimumInputLength: 2,
templateResult: function (data) { templateResult: function (data) {
if (data.loading) return data.text; if (data.loading) return escapeHtml(data.text);
return '<div class="user-block"> \ return '<div class="user-block"> \
<img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" alt="User Image"> \ <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" alt="User Image"> \
<span class="username"> \ <span class="username"> \
<a href="#">' + data.name_first + ' ' + data.name_last +'</a> \ <a href="#">' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +'</a> \
</span> \ </span> \
<span class="description"><strong>' + data.email + '</strong> - ' + data.username + '</span> \ <span class="description"><strong>' + escapeHtml(data.email) + '</strong> - ' + escapeHtml(data.username) + '</span> \
</div>'; </div>';
}, },
templateSelection: function (data) { templateSelection: function (data) {
@ -125,10 +131,10 @@
return '<div> \ return '<div> \
<span> \ <span> \
<img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \ <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
</span> \ </span> \
<span style="padding-left:5px;"> \ <span style="padding-left:5px;"> \
' + data.name_first + ' ' + data.name_last + ' (<strong>' + data.email + '</strong>) \ ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (<strong>' + escapeHtml(data.email) + '</strong>) \
</span> \ </span> \
</div>'; </div>';
} }