Releases: pterodactyl/panel

v0.6.0-pre.7 (Courageous Carniadactylus)

19 Mar 17:41
v0.6.0-pre.7
01c2087

⚠️ READ ME ⚠️ This is a pre-release version of Pterodactyl Panel, do not install this on mission critical servers or use for services that cannot experience hiccups and potential downtime. While I strive to keep as many bugs out of releases as possible, the v0.6.0 branch is receiving many major core updates and functionality changes. Please do not install this release and then complain when something doesn't work and we don't fix it immediately.

As noted in the documentation in a giant red box: do not install these pre-releases if you are using custom services. THESE RELEASES WILL DESTROY THOSE CUSTOM SERVICES AND BREAK YOUR SERVERS USING THEM.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Fixed

  • [pre.6] — Addresses misconfigured console queue that was still sending data way too quickly, thus causing the console to explode on some devices when large amounts of data were sent.
  • [pre.6] — Fixes bug in allocation parsing for a node that prevented adding new allocations.
  • [pre.6] — Fixes typo in migrations that wouldn't save custom regex for non-required variables.
  • [pre.6] — Fixes auto-deploy checkbox on server creation causing validation error.

SHA256 Checksum

945a0defe08c54cc5d8894cb9c127c9f3da3b77fe1cf79bb3f60d366123653c2  Panel-0.6.0-pre.7.tar.gz

v0.6.0-pre.6 (Courageous Carniadactylus)

19 Mar 00:54
v0.6.0-pre.6
1ef72b9

This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!

Fixed

  • [pre.5] — Console based server rebuild tool now actually rebuilds the servers with the correct information.
  • [pre.5] — Fixes typo and wrong docker container for certain applications.

Changed

  • Removed all old theme JS and CSS folders to clean up and avoid confusion in the future.

Added

  • [pre.5] — Added foreign key to pack_id to ensure nothing ends up breaking there.

SHA256 Checksum

81f131608d6cac6ed2c7e78f39773528b603d0de0ff93f2aa75f956c141c6416  Panel-0.6.0-pre.6.tar.gz

v0.6.0-pre.5 (Courageous Carniadactylus)

18 Mar 21:45
v0.6.0-pre.5
274eee2

This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!

Changed

  • New theme applied to Admin CP. Many graphical changes were made, some data was moved around and some display data changed. Too much was changed to feasibly log it all in here. Major breaking changes or notable new features will be logged.
  • New server creation page now makes significantly fewer AJAX calls and is much quicker to respond.
  • Server and Node view pages were modified to split tabs into individual pages to make re-theming and modifications significantly easier, and reduce MySQL query loads on page.
  • [pre.4] — Services and Pack management overhauled to be faster, cleaner, and more extensible in the future.
  • Most of the backend UnhandledException display errors now include a clearer error that directs admins to the program's logs.
  • Table seeders for services now can be run during upgrades and will attempt to locate and update, or create new if not found in the database.
  • Many structural changes to the database and Pterodactyl\Models classes that would flood this changelog if they were all included. All required migrations included to handle database changes.
  • [pre.4] — Service pack files are now stored in the database rather than on the host system to make updates easier.
  • Clarified details for database hosts to prevent users entering invalid account details, as well as renamed tables and columns relating to it to keep things clearer.
  • Updated all code to be Laravel compliant when using env() and moved to using config() throughout non config/*.php files.

Fixed

  • Fixes potential bug with invalid CIDR notation (ex: 192.168.1.1/z) when adding allocations that could cause over 4 million records to be created at once.
  • [pre.4] — Fixes bug preventing server updates from occurring by the system due to undefined Auth::user() in the event listener.
  • [pre.4] — Fixes Server::byUuid() caching to actually clear the cache for all users, rather than the logged in user by using cache tags.
  • [pre.4] — Fixes server listing on frontend not displaying a page selector when more than 10 servers exist.
  • [pre.4] — Fixes non-admin users being unable to create personal API keys.
  • Fixes bug where daemon was unable to register that certain games had fully booted and were ready to play on.
  • Fixes bug causing MySQL user accounts to be corrupted when resetting a password via the panel.
  • [pre.4] — Multiple clients refreshing the console no longer clears the console for all parties involved... sorry about that.
  • [pre.4] — Fixes bug in environment setting script that would not remember defaults and try to re-assign values.

Added

  • Ability to assign multiple allocations at once when creating a new server.
  • New humanReadable macro on File facade that accepts a file path and returns a human readable size. (File::humanReadable(path, precision))
  • Added ability to edit database host details after creation on the system.

Deprecated

  • Old API calls to Server::create will fail due to changed data structure.
  • Many old routes were modified to reflect new standards in panel, and many of the controller functions being called were also modified. This shouldn't really impact anyone unless you have been digging into the code and modifying things.

SHA256 Checksum

66d03e2c0d92af595fc22a754682a1791bc1f10a249bf2410940bf274d92af78  Panel-0.6.0-pre.5.tar.gz

v0.6.0-pre.4 (Courageous Carniadactylus)

19 Feb 03:48
v0.6.0-pre.4
c6b940d

This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!

Fixed

  • [SECURITY] [pre.3] — Fixes bug in cache handler that doesn't cache against the user making the request. Would have allowed for users to access servers not belonging to themselves in production.
  • [pre.3] — Fixes misnamed MySQL column that was causing the inability to delete certain port ranges from the database.
  • [pre.3] — Fixes bug preventing rebuilding server containers through the Admin CP.

Added

  • New cache policy for ServerPolicy to avoid making 15+ queries per page load when confirming if a user has permission to perform an action.

SHA256 Checksum

28d41e596cc12c2bb9288f30475012ad092e8a0180f1c6b78c5784ea59e700bc  Panel-0.6.0-pre.4.tar.gz

v0.6.0-pre.3 (Courageous Carniadactylus)

18 Feb 01:43
v0.6.0-pre.3
136808e

This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!

Fixed

  • [pre.2] — Fixes bug where servers could not be manually deployed to nodes due to a broken SQL call.
  • [pre.2] — Fixes inability to edit a server due to owner_id issues.
  • [pre.2] — Fixes bug when trying to add new subusers.
  • Emails sending with 'Pterodactyl Panel' as the from name. Now configurable by using php artisan pterodactyl:mail to update.
  • [pre.2] — Fixes inability to delete accounts due to SQL changes.
  • [pre.2] — Fixes bug with checking power-permissions that showed the wrong buttons. Also adds check back to sidebar to only show options a user can use.
  • [pre.2] — Fixes allocation listing on node allocations tab as well as bug preventing deletion of port.
  • [pre.2] — Fixes bug in services that prevented saving updated settings or creating new services.

Changed

  • [pre.2] — File Manager now displays relevant information on all screen sizes, and includes better button clicking mechanics for dropdown menu.
  • Reduced the number of database queries being executed when viewing a specific server. This is done by caching the query for up to 60 minutes in memcached.
  • User creation emails include more information and are sent by the event listener rather than the repository.
  • Account password reset emails now auto-fill the email when clicking the link.

Added

  • Notifications when a user is added or removed as a subuser for a server.

SHA256 Checksum

cb9c92d26cc89c8771f53d7b0b9be2fe2402606883335e9a72599cdb3d3fe6e4  Panel-0.6.0-pre.3.tar.gz

v0.6.0-pre.2 (Courageous Carniadactylus)

16 Feb 23:36
v0.6.0-pre.2
707663a

This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!

Fixed

  • [pre.1] — Fixes bug with database seeders that prevented correctly installing the panel.

Changed

  • [pre.1] — Moved around navigation bar on frontend to make it more obvious where logout and admin buttons were, as well as use the right icon for server listing.

SHA256 Checksum

6d1fb1aaecdc476b8024706a03e17e82c543c515e068fc9ecddd5f43f4013aae  Panel-0.6.0-pre.2.tar.gz

v0.6.0-pre.1 (Courageous Carniadactylus)

16 Feb 21:27
v0.6.0-pre.1
c3fe093

This is pre-release software. Do not use this on a mission critical server where you cannot handle bugs or potential downtime or data loss!

Added

  • Remote routes for daemon to contact in order to allow Daemon to retrieve updated service configuration files on boot. Centralizes services to the panel rather than to each daemon.
  • Basic service pack implementation to allow assignment of modpacks or software to a server to pre-install applications and allow users to update.
  • Users can now have a username as well as client name assigned to their account.
  • Ability to create a node through the CLI using pterodactyl:node as well as locations via pterodactyl:location.
  • New theme (AdminLTE) for front-end with tweaks to backend files to work properly with it.
  • Add support for PhraseApp's in-context editor

Fixed

  • Bug causing error logs to be spammed if someone timed out on an ajax based page.
  • Fixes edge case where specific server names could cause daemon errors due to an invalid SFTP username being created by the panel.
  • Fixes sessions being removed on browser close, and set sessions to idle for up to 3 hours before being marked as expired.

Changed

  • Admin API and base routes for user management now define the fields that should be passed to repositories rather than passing all fields.
  • User model now defines mass assignment fields using $fillable rather than $guarded.
  • 2FA checkpoint on login is now its own page, and not an AJAX based call. Improves security on that front.
  • Updated Server model code to be more efficient, as well as make life easier for backend changes and work.

Deprecated

  • Server::getUserDaemonSecret(Server $server) was removed and replaced with User::daemonSecret(Server $server) in order to clean up models.
  • Server::getByUUID() was replaced with Server::byUuid() as well as various other functions throughout the Server model.
  • Server::getHeaders() was removed and replaced with Server::getClient() which returns a Guzzle Client with the correct headers already assigned.

SHA256 Checksum

cd31684982077b724658d7e761484e0c11314cd48e8faf6a5a198f01aece1518  Panel-0.6.0-pre.1.tar.gz

v0.5.7 (Bodacious Boreopterus)

06 Feb 01:06
v0.5.7
2037819

Security Vulnerability Disclosure

Sunday, February 5th, 2016, 02:20 GMT

Affected Versions: v0.5.0-pre.3 through v0.5.6

Attn:

Today (06/02/2016) at approximately 02:20 GMT we became aware of a flaw in a core authentication validation function within our software. This flaw allows users who know the UUID or Short-UUID (sUUID) for a server to modify the application's URL and view the server overview page, even when they do not have permissions to do so.

This security flaw was introduced in commit 125856d [1] and is present in all versions of Pterodactyl Panel from v0.5.0-pre.3 through v0.5.6. The cause of this flaw was a minor change to core validation code [2] which was intended to allow validating against either a UUID or sUUID for servers. Unfortunately, this change modified the SQL statement to be in a different order than it was previously, and caused our statement to always evaluate to true.

The SQL query that was intended is:

select * from `servers` where (`uuidShort` = ? or `uuid` = ?) and `id` in (?, ?, ?) and `servers`.`deleted_at` is null limit 1

The SQL query that was being built was:

select * from `servers` where (`uuidShort` = ? or `uuid` = ? and `id` in (?, ?, ?)) and `servers`.`deleted_at` is null limit 1

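For the less SQL inclined: AND binds more tightly than OR, so in the query that was built the `id` in (?, ?, ?) restriction applied only to the `uuid` comparison. A matching sUUID (uuidShort) satisfied the condition inside the parentheses on its own, so the check validated as true immediately and the rest of the checking was skipped.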
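The two queries above can be run side by side to see the difference. This is an added example, not code from the Pterodactyl project: it uses an in-memory SQLite database in place of MySQL (both give AND higher precedence than OR), and the table rows, UUID values and helper names are constructed for illustration.

```python
import sqlite3

# Query text copied from the advisory; only the bound values below are constructed.
INTENDED = ("select * from `servers` where (`uuidShort` = ? or `uuid` = ?) "
            "and `id` in (?, ?, ?) and `servers`.`deleted_at` is null limit 1")
AS_BUILT = ("select * from `servers` where (`uuidShort` = ? or `uuid` = ? "
            "and `id` in (?, ?, ?)) and `servers`.`deleted_at` is null limit 1")

def make_db():
    """In-memory table with constructed rows: two servers with different owners."""
    db = sqlite3.connect(":memory:")
    db.execute("create table servers (id integer primary key, uuidShort text, "
               "uuid text, name text, deleted_at text)")
    db.executemany("insert into servers values (?, ?, ?, ?, null)", [
        (1, "aaaa1111", "aaaa1111-0000-4000-8000-000000000001", "alice-survival"),
        (2, "bbbb2222", "bbbb2222-0000-4000-8000-000000000002", "bob-creative"),
    ])
    return db

def lookup(db, query, identifier, permitted_ids):
    """Run one of the advisory's queries for a caller allowed to see permitted_ids."""
    ids = (list(permitted_ids) + [-1, -1, -1])[:3]  # pad to the three placeholders
    row = db.execute(query, (identifier, identifier, *ids)).fetchone()
    return row[3] if row else None  # server name, or None when access is denied

def demo():
    """Alice may access server 1 only, and asks for Bob's server by its sUUID."""
    db = make_db()
    alice_may_see = [1]
    return {
        "intended": lookup(db, INTENDED, "bbbb2222", alice_may_see),
        "as_built": lookup(db, AS_BUILT, "bbbb2222", alice_may_see),
    }

if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug asserts that a lookup by another user's sUUID returns no row; checking only that owners can still reach their own servers passes against both queries.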

It is important to note that this vulnerability did not disclose any sensitive information to users who did not already have permission to access the server. Unapproved users were able to view the console overview page and see the server name, however due to our additional layers of application security they were not authenticated against the daemon, and were therefore unable to see the console, send commands, or otherwise control the server or daemon. Additional permission layers in the panel prevented users from being able to access any other server-specific pages.

We have addressed this vulnerability as of 4a320c2 [3] in our mainline release branch and 0d61417 [4] in our new-feature branch which will be merged into the development branch.

This notice was posted as part of our continued commitment to our product's security. Please do not hesitate to get in contact with us via Discord or email ([email protected]) if you should have any comments, questions, or concerns about the content of this notification.

[1] - 125856d

[2] - 125856d#diff-3dd8f3d382459350ae3d8c43039ed472R180

[3] - 4a320c2

[4] - 0d61417

Changelog

Fixed

  • [Security Vulnerability] — Fixed a bug in the Server Model SQL code that was causing server access verification to evaluate to true regardless of a user's access permissions.

SHA256 Checksum

307174597cca7e0b3527c1916cfcdc058449e1d9867fed0a54e778dc4430366b  Panel-0.5.7.tar.gz

v0.5.6 (Bodacious Boreopterus)

03 Jan 22:56
v0.5.6
ba1f71d

Added

  • Added the following languages: Estonian et, Dutch nl, Norwegian nb (partial), Romanian ro, and Russian ru. Interested in helping us translate the panel into more languages, or improving existing translations? Contact us on Discord and let us know.
  • Added missing strings.password to language file for English.
  • Allow listing of users from the API by passing either the user ID or their email.

Fixed

  • Fixes bug where assigning a variable a default value (or valid value) of 0 would cause the panel to reject the value thinking it did not exist.
  • Addresses potential for crash by limiting total ports that can be assigned per-range to 2000.
  • Fixes server names requiring at minimum 4 characters. Name can now be 1 to 200 characters long. ✏️
  • Fixes bug that would allow adding the owner of a server as a subuser for that same server.
  • Fixes bug that would allow creating multiple subusers with the same email address.
  • Fixes bug where Sponge servers were improperly tagged as a spigot server in the daemon causing issues when booting or modifying configuration files.
  • Use transpiled ES6 -> ES5 filemanager code in browsers.
  • Fixes service option name displaying the name of a newly added variable after the variable is added and until the page is refreshed. (see #208)

Changed

  • Filemanager and EULA checking javascript is now written in pure ES6 code rather than as a blade-syntax template. This allows the use of babel to transpile into ES5 as a minified version.

SHA256 Checksum

7d3d121c9bd4d45536294e3237e51212bc04814be72d9f30e344af4e00431a87  Panel-0.5.6.tar.gz

v0.5.5 (Bodacious Boreopterus)

08 Dec 00:33
v0.5.5
1053ae4

Added

  • New API route to return allocations given a server ID. This adds support for a community-driven WHMCS module 🚀 available here.

Fixed

  • Fixes subuser display when trying to edit an existing subuser.

SHA256 Checksum

96ea9b5e0d0b4cb73305c4c28924d2663d3f6a2f91d08b292a1c522d0d81bfcf  Panel-0.5.5.tar.gz