panel

Fixed

• Fixes typo in message shown to user when deleting a database.
• Fixes formatting of IPv6 addresses when displaying allocations to users.
• Fixes an exception thrown while trying to return error messages from API endpoints that inproperly masked the true underlying error.
• Fixes SSL certificate path generation for Let's Encrypt by ensuring they are always transformed to lowercase.
• Removes duplicate entries when creating a nested folder in the file manager.
• Fixes missing validation of Egg Author email addresses during the setup process that could cause unexpected failures later on.
• Fixes font rendering issues of the console on Firefox due to an outdated version of xterm.js being used.
• Fixes display overlap issues of the two-factor configuration form in a user's settings.
• [security] When authenticating using an API key a user session is now only persisted for the duration of the request before being destroyed. (https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv)

Changed

• CPU graph changed to show the maximum amount of CPU available to a server to better match how the memory graph is displayed.

Added

• Adds support for DB_PORT environment variable in the Docker enterpoint for the Panel image.
• Adds suport for ARM environments in the Docker image.
• Adds a new warning modal for Steam servers shown when an invalid Game Server Login Token (GSL Token) is detected.
• Adds a new warning modal for Steam servers shown when the installation process runs out of available disk space.
• Adds a new warning modal for Minecraft servers shown when a server exceeds the maximum number of child processes.
• Adds support for displaying certain server variable fields as a checkbox when they're detected as using boolean or in:0,1 validation rules.
• Adds support for Pug and Jade in the file editor.
• Adds an entry to the robots.txt file to correctly disallow all bot indexing.

SHA256 Checksum

f41bfcacfdf623b8a680a3ee747f3f9f6863c47f43186c101287ee6f938a776d  panel.tar.gz

Fixed

• [security] Fixes a CSRF vulnerability for both the administrative test email endpoint and node auto-deployment token generation endpoint. GHSA-wwgq-9jhf-qgw6

Changed

• Updates Minecraft eggs to include latest Java 17 yolk by default.

SHA256 Checksum

232a131448872837f29f285fa0f7be19b39062abf3a9ef617f4b985b03cc27a6  panel.tar.gz

Fixed

• Fixes broken application API endpoints due to changes introduced with session management in 1.6.4.
• (in 1.6.4) Fixes a session management bug that would cause a user who signs out of one browser to be unintentionally logged out of other browser sessions when using the client API.

SHA256 Checksum

18556850a8081e72e6b3daf8332483063ac8007922df52cefa35ce00b0095432  panel.tar.gz

Fixed

• [Security] Changes logout endpoint to be a POST request with CSRF-token validation to prevent a malicious actor from triggering a user logout.
• Fixes Wings receiving the wrong server suspension state when syncing servers.

Added

• Adds additional throttling to login and password reset endpoints.
• Adds server uptime display when viewing a server console.

SHA256 Checksum

b5026df64c100fca6e2845fc01f70f3b2767ac9965163df1efa3c10ef6c11266  panel.tar.gz

Fixed

• [Security] Fixes an authentication bypass vulerability that could allow a malicious actor to login as another user in the Panel without knowing that user's email or password.

Security Vulnerability Disclosure

Due to the severity of the vulnerability fixed in this release the technical details of the underlying bug have been embargoed until October 6th, 2021 @ 12:00 PST. At that time the following security release will become public detailing the underlying details of the vulnerability.

GHSA-5vfx-8w6m-h3v4 (High Severity) (CVSS 3.1: 8.1)

SHA256 Checksum

d6a5e0297fc8f62b2983fd90f0e2865594a3145ee8b1aef5de8c05a3e4df7a56  panel.tar.gz

Fixed

• Fixes server build modifications not being properly persisted to the database when edited.
• Correctly exposes the oom_disabled field in the build limits block for a server build so that Wings can pick it up.

SHA256 Checksum

51f9d82b216ab860955cd6e24596c2f016d9811449f92c00a32bc08dd27e96b1  panel.tar.gz

Fixed

• Fixes array merging logic for server transfers that would cause a 500 error to occur in some scenarios.
• Fixes user password updates not correctly logging the user out and returning a failure message even upon successful update.
• Fixes the count of used backups when browsing a paginated backup list for a server.
• Fixes an error being triggered when API endpoints are called with no User-Agent header and an audit log is generated for the action.
• Fixes state management on the frontend not properly resetting the loading indicator when adding subusers to a server.
• Fixes extraneous API calls being made to Wings for the server file listing when not on a file manager screen.

Added

• Adds foreign key relationship on the mount_node, mount_server and egg_mount tables.
• Adds environment variable PER_SCHEDULE_TASK_LIMIT to allow manual overrides for the number of tasks that can exist on a single schedule. This is currently defaulted to 10.
• OOM killer can now be configured at the time of server creation.

Changed

• Server updates are not dependent on a successful call to Wings occurring — if the API call fails internally the error will be logged but the server update will still be persisted.

Removed

• Removed WingsServerRepository::update() function — if you were previously using this to modify server elements on Wings please replace calls to it with ::sync() after updating Wings.

SHA256 Checksum

a077f11e86fdf94db0b78c6b4a7e1984078d2d9e437458b1aeee3f2316660180  panel.tar.gz

Fixed

• Fixes Docker image 404ing instead of being able to access the Panel.
• Fixes Java version feature being only loaded when the eula feature is specified.
• Fixes php artisan p:upgrade not forcing and seeding while running migrations.
• Fixes spinner overlays overlapping on the server console page.
• Fixes Wings being unable to update backup statuses.

SHA256 Checksum

4a32b6a08f67064bd7c49aa266144ca8baab8ee661442ba9b8030d35c992cbfb  panel.tar.gz

Fixed

• Fixes deleting a locked backup that has also been marked as failed to allow deletion rather than returning an error about being locked.
• Fixes server creation process not correctly sending start_on_completion to Wings instance.
• Fixes z-index on file mass delete modal so it is displayed on top of all elements, rather than hidden under some.
• Supports re-sending requests to the Panel API for backups that are currently marked as failed, allowing a previously failed backup to be marked as successful.
• Minor updates to multiple default eggs for improved error handling and more accurate field-level validation.

Updated

• Updates help text for CPU limiting when creating a new server to properly indicate virtual threads are included, rather than only physical threads.
• Updates all of the default eggs shipped with the Panel to reference new ghcr.io yolks repository.
• When adding 2FA to an account the key used to generate the token is now displayed to the user allowing them to manually input into their app if necessary.

Added

• Adds SSL/TLS options for MySQL and Redis in line with most recent Laravel updates.
• New users created for server MySQL instances will now have the correct permissions for creating foreign keys on tables.
• Adds new automatic popup feature to allow users to quickly update their Minecraft servers to the latest Java® eggs as necessary if unsupported versions are detected.

Removed

• Removes legacy userInteraction key from eggs which was unused.

SHA256 Checksum

f0a39543e21664c0354ee04c46ace8993e0c0cfba966d3825c29700a148ad65b  panel.tar.gz

Fixed

• Fixes logic to disallow creating a backup schedule if the server's backup limit is set to 0.
• Fixes bug preventing a database host from being updated if the linked node is set to "none".
• Fixes files and menus under the "Mass Actions Bar" being unclickable when it is visible.
• Fixes issues with the Teamspeak and Mumble eggs causing installs to fail.
• Fixes automated query to avoid pruning backups that are still running unintentionally.
• Fixes "Delete Server" confirmation modal on the admin screen to actually show up when deleting rather than immediately deleting the server.

Added

• Adds support for locking individual server backups to prevent deletion by users or automated backup processes.
• List of files to be deleted is now shown on the delete file confirmation modal.
• Adds support for using IF statements in database queries when a database user is created through the Panel.
• Adds support for using a custom mailgun API endpoint rather than only the US based endpoint.
• Adds CPU limit display next to the current CPU usage to match disk and memory usage reporting.
• Adds a "Scroll to Bottom" helper element to the server console when not scrolled to the bottom currently.
• Adds support for querying the API for servers by using the uuidShort field rather than only the uuid field.

Changed

• Updates codebase to use TypeScript 4.
• [security]: removes the external dependency for loading QRCode images. They're now generated directly on the frontend using JavaScript.

SHA256 Checksum

b13ac4ad0a01628d0dba8369b12eeeaa38d59b3abdc09daa900d3beb02e92b19  panel.tar.gz

Added

• Adds support for only running a schedule if the server is currently in an online state.
• Adds support for ignoring errors during task execution and continuing on to the next item in the sequence. For example, continuing to a server restart even if sending a command beforehand failed.
• Adds the ability to specify the group to use for file permissions when using the p:upgrade command.
• Adds the ability to manually run a schedule even if it is currently disabled.

SHA256 Checksum

1a8fb006fdfe04f06f5acdb13aafcde03b885613ce9aed9f14b62c103647bce2  panel.tar.gz

Fixed

• Removes the use of tagging when storing server resource usage in the cache. This addresses errors encountered when using the file driver.
• Fixes Wings response handling if Wings returns an error response with a 200-level status code that would improperly be passed back to the client as a successful request.
• Fixes use of JSON specific functions in SQL queries to better support MariaDB users.
• Fixes a migration that could fail on some MySQL/MariaDB setups when trying to encrypt node token values.

Changed

• Increases the maximum length allowed for a server name using the Rust egg.
• Updated server resource utilization API call to Wings to use new API response format used by [email protected].

SHA256 Checksum

4303c672fe21ec92dadecbc14ce47704ed6b2a26afc11bede650f00138ca99c6  panel.tar.gz

Fixed

• Fixes self-upgrade incorrectly executing the command to un-tar downloaded archives.
• Fixes the checkbox to delete all files when restoring a backup not actually passing that along in the API call. Files will now properly be deleted when restoring if selected.
• Fixes some keybindings not working correctly in the server console on Windows machines.
• Fixes mobile UI incorrectly squishing the Docker image selector on the server settings page.
• Fixes recovery tokens not having a created_at value set on them properly when they are created.
• Fixes flawed migration that would not correctly set the month value into schedule crons.
• Fixes incorrect mounting for Docker compose file that would cause error logs to be missing.

Changed

• Server resource lookups are now cached on the Panel for 20 seconds at a time to reduce the load from multiple clients requesting the same server's stats.
• Bungeecord egg no longer force-enables the query listener.
• Adds page to the dashboard URL to allow easy loading of a specific pagination page rather than resetting back to the first page when refreshing.
• All application API endpoints now correctly support the ?per_page=N query parameter to specify how many resources to return at once.

SHA256 Checksum

2524cbde2eb27bf3dc29d53ee9618a9e4d1d7bb0cbcaced1fd9b705fc9fb6ca1  panel.tar.gz

Fixed

• Fixes the Rust egg not properly seeding during the upgrade & installation process.
• Fixes backups not being downloadable via the frontend.
• Fixes backup listing showing the wrong number of existing backups based on the current page you're on.

SHA256 Checksum

683fc4ad86423b22c903c0dfa877232f7b296910718b72ef02a4d649e4bcb746  panel.tar.gz

Fixed

• Fixes administrator "Other Servers" toggle being persisted wrongly when signing out and signing into a non-administrator account on the server dashboard.
• Fixes composer failing to run properly in local environments where there is no database connection available once configured.
• Fixes SQL exception caused by the Panel attempting to store null values in the database.
• Fixes validation errors caused by improper defaults when trying to edit system settings in the admin area.
• Fixes console overflow when using smaller-than-default font sizes in Firefox.
• Fixes console text input field having a white background when manually building new assets from the release build due to a missing babel-macros definition file.
• Fixes database improperly using a signed smallint field rather than an unsigned field which restricted SFTP ports to 32767 or less.
• Fixes server console resize handler to no longer encounter an exception at random that breaks the entire UI.
• Fixes unhandled error caused by entering an invalid IP address or FQDN when creating a new node allocation.
• Fixes unhandled error when Wings would fetch a server configuration from the Panel that uses an Egg with invalid JSON data for the configuration fields.
• Fixes email not being sent to a user when their server is done installing.

Added

• Adds support for automatically copying SFTP connection details when clicking into the text field.
• Messaging about a node not having any allocations available for deployment has been adjusted to be more understandable by users.
• Adds automated self-upgrade process for Pterodactyl Panel once this version is installed on servers. This allows users to update by using a single command.
• Adds support for specifying a month when creating or modifying a server schedule.
• Adds support for restoring backups (including those in S3 buckets) to a server and optionally deleting all existing files when doing so.
• Adds underlying support for audit logging on servers. Currently this is only used by some internal functionality but will be slowly expanded as time permits to allow more robust logging.
• Adds logic to automatically reset failed server states when Wings is rebooted. This will kick servers out of "installing" and "restoring from backup" states automatically.

Changed

• Updated to Laravel 8 and bumped minimum PHP version from 7.3 to 7.4 with PHP 8.0 being the recommended.
• Server state is now stored in a single status column within the database rather than multiple different tinyint columns.

SHA256 Checksum

8b31c8a4e0c8f0ff4cdeb0c33d627eaf790b103f4cdb7de516a616d85727e37b  panel.tar.gz

Fixed

• [security] Fixes authentication bypass allowing a user to take control of specific server actions such as executing schedules, rotating database passwords, and viewing or deleting a backup.

SHA256 Checksum

e03a532623a62adf36c4b2769a90ed0a38954af1645d453bee0e470651e9aaf2  panel.tar.gz

Fixed

• Fixes URL-encoding of filenames when working in the filemanager to fix issues when moving, renaming, or deleting files.
• Fixes URL-encoding of email addresses when requesting a password reset.

Added

• Adds the ability for users to select a base Java Docker image for most Minecraft specific eggs shipped as defaults.

SHA256 Checksum

602825991169240b466d967fc53850797dbaa4099465e730d63dd1991481aabd  panel.tar.gz

Fixed

• Fixes newest backup being deleted when creating a new one using the schedule tasks, rather than the oldest backup.
• Fixes multiple encoding issues when handling file names in the manager.
• Fixes database password not properly being copied to the clipboard when clicked.
• Fixes failed transfers unintentionally locking a server into a failed state and not properly releasing allocations that were reserved.
• Fixes error box on server pages having an oval refresh button rather than a perfect circle.
• Fixes a bunch of errors and usage issues relating to backups especially when uploading to S3-based systems.
• Fixes HMR breaking navigation in development modes on the frontend.

Changed

• Updated Paper egg to default to Java 11 as the base docker image.
• Removes the file mode display from the File Manager row listing.
• Updated input UI elements to have thicker borders and more consistent highlighting when active.
• Changed searchbar toggle from "k" to Cmd/Ctrl + "/" to avoid accidental toggles and be more consistent with other sites.
• Upgrades TailwindCSS to v2.

Added

• Adds support for eggs to define multiple Docker images that can be selected by users (e.g. Java 8 & 11 images for a single egg).
• Adds support for configuring the default interval for failed backups to be pruned from the system to avoid long running backups being incorrectly cleared.
• Adds server transfer output logging to the server console allowing admins to see how a transfer is progressing directly in the UI.
• Adds client API endpoint to download a file from a remote souce. This functionality is not currently expressed in the UI.

SHA256 Checksum

d42b1280191cd5f38d7c80002cc870e501ef811c435eb30bc56789eae373c983  panel.tar.gz

Fixed

• Server bulk power actions command will no longer attempt to run commands against installing or suspended servers.
• Fixes the application API throwing an error when attempting to return variables for a server.
• Fixes an error when attempting to install Panel dependencies without specifying an .env file due to an unset default timezone.
• Fixes a null value flip in the database migrations.
• Fixes password change endpoint for users allowing a blank value to be provided (even if nothing actually happened).
• Fixes database IP addresses not allowing a 0 in the first octet field.
• Fixes node information being impossible to update if there was a network error during the process. Any errors encountered communicating with Wings are now reported but will not block the actual saving of the changes.
• [Security] When 2FA is required on an account the client API endpoints will now properly return an error and the UI will redirect the user to setup 2FA.
• [Security] When changing the owner of a server the old owner's JWT is now properly invalidated on Wings.
• Fixes a server error when requesting database information for a server as a subuser and the account is not granted view_password permissions.

Added

• Adds support for basic backup rotation on a server when creating scheduled backup tasks.
• Makes URLs present in the console clickable.
• Adds chmod support to the file manager so that users can manually make modifications to file permissions as they need.

Changed

• UI will no longer show a delete button to users when they're editing themselves.
• Updated logic for bulk power actions to no longer run actions against suspended or installing servers.

SHA256 Checksum

a045752bade2da2487665951a8cb5fce229821f7f3afc2b630b681355df62215  panel.tar.gz

Fixed

• Fixes allocation permissions checking on the frontend checking the wrong permission therefore leading to the item never showing up.
• Fixes allocations not updating correctly when added or deleted and switching between pages.

SHA256 Checksum

65d775fd815722460c87031967754b03dcde40295fab3b774e09f1051e8df077  panel.tar.gz