From 6ef60633d3b73a1fe1d65b1fe54aa4d510f883e1 Mon Sep 17 00:00:00 2001
From: Dane Everitt <dane@daneeveritt.com>
Date: Sat, 24 Apr 2021 16:39:56 -0700
Subject: [PATCH 1/2] Additional coverage to ensure values are wrapped as
 expected; ref #3287

---
 .../Commands/EnvironmentWriterTrait.php       | 30 ++++++-------
 .../Helpers/EnvironmentWriterTraitTest.php    | 43 +++++++++++++++++++
 2 files changed, 58 insertions(+), 15 deletions(-)
 create mode 100644 tests/Unit/Helpers/EnvironmentWriterTraitTest.php

diff --git a/app/Traits/Commands/EnvironmentWriterTrait.php b/app/Traits/Commands/EnvironmentWriterTrait.php
index 10692a9a4..5435dc321 100644
--- a/app/Traits/Commands/EnvironmentWriterTrait.php
+++ b/app/Traits/Commands/EnvironmentWriterTrait.php
@@ -1,11 +1,4 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
 
 namespace Pterodactyl\Traits\Commands;
 
@@ -13,6 +6,20 @@ use Pterodactyl\Exceptions\PterodactylException;
 
 trait EnvironmentWriterTrait
 {
+    /**
+     * Escapes an environment value by looking for any characters that could
+     * reasonablly cause environment parsing issues. Those values are then wrapped
+     * in quotes before being returned.
+     */
+    public function escapeEnvironmentValue(string $value): string
+    {
+        if (!preg_match('/^\"(.*)\"$/', $value) && preg_match('/([^\w.\-+\/])+/', $value)) {
+            return sprintf('"%s"', addslashes($value));
+        }
+
+        return $value;
+    }
+
     /**
      * Update the .env file for the application using the passed in values.
      *
@@ -28,14 +35,7 @@ trait EnvironmentWriterTrait
         $saveContents = file_get_contents($path);
         collect($values)->each(function ($value, $key) use (&$saveContents) {
             $key = strtoupper($key);
-            // If the key value is not sorrounded by quotation marks, and contains anything that could reasonably
-            // cause environment parsing issues, wrap it in quotes before writing it. This also adds slashes to the
-            // value to ensure quotes within it don't cause us issues.
-            if (!preg_match('/^\"(.*)\"$/', $value) && preg_match('/([^\w.\-+\/])+/', $value)) {
-                $value = sprintf('"%s"', addslashes($value));
-            }
-
-            $saveValue = sprintf('%s=%s', $key, $value);
+            $saveValue = sprintf('%s=%s', $key, $this->escapeEnvironmentValue($value));
 
             if (preg_match_all('/^' . $key . '=(.*)$/m', $saveContents) < 1) {
                 $saveContents = $saveContents . PHP_EOL . $saveValue;
diff --git a/tests/Unit/Helpers/EnvironmentWriterTraitTest.php b/tests/Unit/Helpers/EnvironmentWriterTraitTest.php
new file mode 100644
index 000000000..f2022f798
--- /dev/null
+++ b/tests/Unit/Helpers/EnvironmentWriterTraitTest.php
@@ -0,0 +1,43 @@
+<?php
+
+namespace Pterodactyl\Tests\Unit\Helpers;
+
+use Pterodactyl\Tests\TestCase;
+use Pterodactyl\Traits\Commands\EnvironmentWriterTrait;
+
+class EnvironmentWriterTraitTest extends TestCase
+{
+    /**
+     * @dataProvider variableDataProvider
+     */
+    public function testVariableIsEscapedProperly($input, $expected)
+    {
+        $output = (new FooClass())->escapeEnvironmentValue($input);
+
+        $this->assertSame($expected, $output);
+    }
+
+    public function variableDataProvider(): array
+    {
+        return [
+            ['foo', 'foo'],
+            ['abc123', 'abc123'],
+            ['val"ue', '"val\"ue"'],
+            ['my test value', '"my test value"'],
+            ['mysql_p@assword', '"mysql_p@assword"'],
+            ['mysql_p#assword', '"mysql_p#assword"'],
+            ['mysql p@$$word', '"mysql p@$$word"'],
+            ['mysql p%word', '"mysql p%word"'],
+            ['mysql p#word', '"mysql p#word"'],
+            ['abc_@#test', '"abc_@#test"'],
+            ['test 123 $$$', '"test 123 $$$"'],
+            ['#password%', '"#password%"'],
+            ['$pass ', '"$pass "'],
+        ];
+    }
+}
+
+class FooClass
+{
+    use EnvironmentWriterTrait;
+}

From d0c7e2c0e62f67ae3b78bc64c61d472bfeffc72f Mon Sep 17 00:00:00 2001
From: Dane Everitt <dane@daneeveritt.com>
Date: Sat, 24 Apr 2021 16:45:54 -0700
Subject: [PATCH 2/2] Update CHANGELOG.md

---
 CHANGELOG.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f070441be..dbf875146 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,17 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v1.4.0
+### Fixed
+* Removes the use of tagging when storing server resource usage in the cache. This addresses errors encountered when using the `file` driver.
+* Fixes Wings response handling if Wings returns an error response with a 200-level status code that would improperly be passed back to the client as a successful request.
+* Fixes use of JSON specific functions in SQL queries to better support MariaDB users.
+* Fixes a migration that could fail on some MySQL/MariaDB setups when trying to encrypt node token values.
+
+### Changed
+* Increases the maximum length allowed for a server name using the Rust egg.
+* Updated server resource utilization API call to Wings to use new API response format used by `Wings@1.4.0`.
+
 ## v1.3.2
 ### Fixed
 * Fixes self-upgrade incorrectly executing the command to un-tar downloaded archives.