Apply security fixes from #2441 to 1.0

This commit is contained in:
Stepan Fedotov 2020-10-03 19:55:35 +03:00 committed by Dane Everitt
parent 3473e1dfbf
commit 62856556b9
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
3 changed files with 44 additions and 24 deletions

View file

@ -3,6 +3,15 @@ This file is a running track of new features and fixes to each version of the pa
This project follows [Semantic Versioning](http://semver.org) guidelines. This project follows [Semantic Versioning](http://semver.org) guidelines.
## v0.7.19 (Derelict Dermodactylus)
### Fixed
* **[Security]** Fixes XSS in the admin area's server owner selection.
## v0.7.18 (Derelict Dermodactylus)
### Fixed
* **[Security]** Re-addressed missed endpoint that would not properly limit a user account to 5 API keys.
* **[Security]** Addresses a Client API vulnerability that would allow a user to list all servers on the system ([`GHSA-6888-7f3w-92jx`](https://github.com/pterodactyl/panel/security/advisories/GHSA-6888-7f3w-92jx))
## v0.7.17 (Derelict Dermodactylus) ## v0.7.17 (Derelict Dermodactylus)
### Fixed ### Fixed
* Limited accounts to 5 API keys at a time. * Limited accounts to 5 API keys at a time.
@ -301,7 +310,7 @@ the response from the server `GET` endpoint.
* Nest and Egg listings now show the associated ID in order to make API requests easier. * Nest and Egg listings now show the associated ID in order to make API requests easier.
* Added star indicators to user listing in Admin CP to indicate users who are set as a root admin. * Added star indicators to user listing in Admin CP to indicate users who are set as a root admin.
* Creating a new node will now requires a SSL connection if the Panel is configured to use SSL as well. * Creating a new node will now requires a SSL connection if the Panel is configured to use SSL as well.
* Connector error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure. * Socketio error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure.
* File manager now supports mass deletion option for files and folders. * File manager now supports mass deletion option for files and folders.
* Support for CS:GO as a default service option selection. * Support for CS:GO as a default service option selection.
* Support for GMOD as a default service option selection. * Support for GMOD as a default service option selection.
@ -431,7 +440,7 @@ the response from the server `GET` endpoint.
* Changed 2FA login process to be more secure. Previously authentication checking happened on the 2FA post page, now it happens prior and is passed along to the 2FA page to avoid storing any credentials. * Changed 2FA login process to be more secure. Previously authentication checking happened on the 2FA post page, now it happens prior and is passed along to the 2FA page to avoid storing any credentials.
### Added ### Added
* Connector error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure. * Socketio error messages due to permissions are now rendered correctly in the UI rather than causing a silent failure.
## v0.7.0-beta.1 (Derelict Dermodactylus) ## v0.7.0-beta.1 (Derelict Dermodactylus)
### Added ### Added

View file

@ -153,6 +153,12 @@ function updateAdditionalAllocations() {
} }
function initUserIdSelect(data) { function initUserIdSelect(data) {
function escapeHtml(str) {
var div = document.createElement('div');
div.appendChild(document.createTextNode(str));
return div.innerHTML;
}
$('#pUserId').select2({ $('#pUserId').select2({
ajax: { ajax: {
url: '/admin/users/accounts.json', url: '/admin/users/accounts.json',
@ -176,28 +182,27 @@ function initUserIdSelect(data) {
data: data, data: data,
escapeMarkup: function (markup) { return markup; }, escapeMarkup: function (markup) { return markup; },
minimumInputLength: 2, minimumInputLength: 2,
templateResult: function (data) { templateResult: function (data) {
if (data.loading) return data.text; if (data.loading) return escapeHtml(data.text);
return '<div class="user-block"> \ return '<div class="user-block"> \
<img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" alt="User Image"> \ <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" alt="User Image"> \
<span class="username"> \ <span class="username"> \
<a href="#">' + data.name_first + ' ' + data.name_last +'</a> \ <a href="#">' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +'</a> \
</span> \ </span> \
<span class="description"><strong>' + data.email + '</strong> - ' + data.username + '</span> \ <span class="description"><strong>' + escapeHtml(data.email) + '</strong> - ' + escapeHtml(data.username) + '</span> \
</div>'; </div>';
}, },
templateSelection: function (data) { templateSelection: function (data) {
return '<div> \ return '<div> \
<span> \ <span> \
<img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \ <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
</span> \ </span> \
<span style="padding-left:5px;"> \ <span style="padding-left:5px;"> \
' + data.name_first + ' ' + data.name_last + ' (<strong>' + data.email + '</strong>) \ ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (<strong>' + escapeHtml(data.email) + '</strong>) \
</span> \ </span> \
</div>'; </div>';
} }
}); });
} }

View file

@ -66,6 +66,12 @@
@section('footer-scripts') @section('footer-scripts')
@parent @parent
<script> <script>
function escapeHtml(str) {
var div = document.createElement('div');
div.appendChild(document.createTextNode(str));
return div.innerHTML;
}
$('#pUserId').select2({ $('#pUserId').select2({
ajax: { ajax: {
url: '/admin/users/accounts.json', url: '/admin/users/accounts.json',
@ -85,14 +91,14 @@
escapeMarkup: function (markup) { return markup; }, escapeMarkup: function (markup) { return markup; },
minimumInputLength: 2, minimumInputLength: 2,
templateResult: function (data) { templateResult: function (data) {
if (data.loading) return data.text; if (data.loading) return escapeHtml(data.text);
return '<div class="user-block"> \ return '<div class="user-block"> \
<img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" alt="User Image"> \ <img class="img-circle img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" alt="User Image"> \
<span class="username"> \ <span class="username"> \
<a href="#">' + data.name_first + ' ' + data.name_last +'</a> \ <a href="#">' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) +'</a> \
</span> \ </span> \
<span class="description"><strong>' + data.email + '</strong> - ' + data.username + '</span> \ <span class="description"><strong>' + escapeHtml(data.email) + '</strong> - ' + escapeHtml(data.username) + '</span> \
</div>'; </div>';
}, },
templateSelection: function (data) { templateSelection: function (data) {
@ -108,10 +114,10 @@
return '<div> \ return '<div> \
<span> \ <span> \
<img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + data.md5 + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \ <img class="img-rounded img-bordered-xs" src="https://www.gravatar.com/avatar/' + escapeHtml(data.md5) + '?s=120" style="height:28px;margin-top:-4px;" alt="User Image"> \
</span> \ </span> \
<span style="padding-left:5px;"> \ <span style="padding-left:5px;"> \
' + data.name_first + ' ' + data.name_last + ' (<strong>' + data.email + '</strong>) \ ' + escapeHtml(data.name_first) + ' ' + escapeHtml(data.name_last) + ' (<strong>' + escapeHtml(data.email) + '</strong>) \
</span> \ </span> \
</div>'; </div>';
} }