From a1e8b7afe71d690a049cb5f451687a6b9db61af3 Mon Sep 17 00:00:00 2001 From: Andrew Date: Sat, 17 Dec 2022 12:21:15 -0500 Subject: [PATCH 1/2] Make server directories non-configurable --- app/classes/web/panel_handler.py | 14 +++++++++----- app/classes/web/routes/api/servers/server/index.py | 3 ++- app/frontend/templates/panel/server_config.html | 7 ++++--- 3 files changed, 15 insertions(+), 9 deletions(-) diff --git a/app/classes/web/panel_handler.py b/app/classes/web/panel_handler.py index 6c6b398f..322ca807 100644 --- a/app/classes/web/panel_handler.py +++ b/app/classes/web/panel_handler.py @@ -808,9 +808,15 @@ class PanelHandler(BaseHandler): user_roles_list = self.controller.users.get_user_roles_names( user.user_id ) - user_servers = self.controller.servers.get_authorized_servers( - user.user_id - ) + try: + user_servers = self.controller.servers.get_authorized_servers( + user.user_id + ) + except: + return self.redirect( + "/panel/error?error=Cannot load panel config" + " while servers are unloaded" + ) servers = [] for server in user_servers: if server.name not in servers: @@ -1606,7 +1612,6 @@ class PanelHandler(BaseHandler): if Helpers.validate_traversal( self.helper.get_servers_root_dir(), server_path ): - server_obj.path = server_path server_obj.log_path = log_path if Helpers.validate_traversal( self.helper.get_servers_root_dir(), executable @@ -1618,7 +1623,6 @@ class PanelHandler(BaseHandler): server_obj.executable_update_url = executable_update_url server_obj.show_status = show_status else: - server_obj.path = server_obj.path server_obj.log_path = server_obj.log_path server_obj.executable = server_obj.executable server_obj.execution_command = execution_command diff --git a/app/classes/web/routes/api/servers/server/index.py b/app/classes/web/routes/api/servers/server/index.py index 11f8620b..3d5e3e2f 100644 --- a/app/classes/web/routes/api/servers/server/index.py +++ b/app/classes/web/routes/api/servers/server/index.py 
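Review bot: The bare `except:` added around `get_authorized_servers(user.user_id)` in the first hunk catches every exception, so a permissions-lookup bug or a database error is shown to the user as "servers are unloaded" and leaves nothing behind for whoever has to investigate. Narrow it to the exception that call raises while servers are unloaded (not visible here), or at minimum use `except Exception as ex:` and record it before the redirect, e.g. `logger.error("Could not load authorized servers: %s", ex)`, assuming the module already has a logger. The enclosing handler method starts and ends outside the hunk.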
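Review bot: In the second hunk the first branch is still gated on `Helpers.validate_traversal(self.helper.get_servers_root_dir(), server_path)`, a client-supplied value that is no longer stored, and on success it assigns `server_obj.log_path = log_path` with no check on `log_path` itself in the visible lines. With the directory now fixed, the guard should test the value actually being written, e.g. `if Helpers.validate_traversal(self.helper.get_servers_root_dir(), log_path):`, unless `log_path` is validated earlier in the method, which starts outside this hunk. If the form no longer submits the path field (the template change in this patch appears to make it read-only), which branch runs depends on how the missing argument is defaulted, so that is worth confirming. The self-assignments left in the `else` branch (`server_obj.log_path = server_obj.log_path`, `server_obj.executable = server_obj.executable`) are no-ops and can be dropped the same way `server_obj.path = server_obj.path` was.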
@@ -90,7 +90,8 @@ class ApiServersServerIndexHandler(BaseApiHandler): server_obj = self.controller.servers.get_server_obj(server_id) for key in data: # If we don't validate the input there could be security issues - setattr(server_obj, key, data[key]) + if key != "path": + setattr(server_obj, key, data[key]) self.controller.servers.update_server(server_obj) self.controller.management.add_to_audit_log( diff --git a/app/frontend/templates/panel/server_config.html b/app/frontend/templates/panel/server_config.html index d0c0d42f..d1310a91 100644 --- a/app/frontend/templates/panel/server_config.html +++ b/app/frontend/templates/panel/server_config.html @@ -62,9 +62,10 @@ - +
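Review bot: Skipping only `"path"` leaves `setattr(server_obj, key, data[key])` open to every other key the client sends, which is the gap the comment directly above it already names. Unless `data` is restricted by a schema earlier in this method (it starts outside the hunk), prefer an allowlist over a one-entry denylist, e.g. `if key in EDITABLE_SERVER_FIELDS:`, where `EDITABLE_SERVER_FIELDS` is a placeholder name for a constant listing the fields this endpoint may change. Values such as `executable` and `log_path` written through this loop also skip the `Helpers.validate_traversal` check that the panel handler in this same patch applies to `executable`. A request containing `path` is now silently ignored and still audited as an update, so consider rejecting it with an explicit error.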
+ {{ data['server_stats']['server_id']['path'] }} + 🔒 +
{% if data['server_stats']['server_type'] != "minecraft-bedrock" %} From 8b5cbad8ab7c51c1bcf8faaba8ec090d785b700b Mon Sep 17 00:00:00 2001 From: Zedifus Date: Wed, 21 Dec 2022 15:51:07 +0000 Subject: [PATCH 2/2] Update changelog !511 --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 390dd0fa..242a88e2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,7 @@ TBD - Remove Pathlib from sub path check ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/507)) - Fix root dir selection in Upload Zip Import ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/508)) ### Tweaks -TBD +- Make server directories non-configurable ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/511)) ### Lang TBD