Update CHANGELOG.md

Signed-off-by: Matthew Penner <me@matthewp.io>

.github/workflows/build.yaml

@@ -13,20 +13,22 @@ on:
 jobs:
   ui:
     name: UI
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
         node-version: [16]
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-          cache: "yarn"
+          cache: yarn
 
       - name: Install dependencies
         run: yarn install --frozen-lockfile

.github/workflows/ci.yaml

@@ -13,12 +13,19 @@ on:
 jobs:
   tests:
     name: Tests
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
-        php: [8.1, 8.2]
-        database: ["mariadb:10.2", "mysql:8"]
+        php: [8.2, 8.3]
+        database:
+          - mariadb:10.5
+          - mariadb:10.11
+          - mariadb:11.5
+          - mysql:8
+          - mysql:9
     services:
       database:
         image: ${{ matrix.database }}
@@ -27,10 +34,9 @@ jobs:
           MYSQL_DATABASE: testing
         ports:
           - 3306
-        options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Get cache directory
         id: composer-cache
@@ -38,7 +44,7 @@ jobs:
           echo "dir=$(composer config cache-files-dir)" >> $GITHUB_OUTPUT
 
       - name: Cache
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ${{ steps.composer-cache.outputs.dir }}
           key: ${{ runner.os }}-composer-${{ matrix.php }}-${{ hashFiles('**/composer.lock') }}

.github/workflows/docker.yaml

@@ -16,15 +16,18 @@ on:
 jobs:
   push:
     name: Push
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     if: "!contains(github.ref, 'develop') || (!contains(github.event.head_commit.message, 'skip docker') && !contains(github.event.head_commit.message, 'docker skip'))"
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Code checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Docker metadata
         id: docker_meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ghcr.io/pterodactyl/panel
           flavor: |
@@ -35,18 +38,18 @@ jobs:
             type=ref,event=branch
 
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         if: "github.event_name != 'pull_request'"
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.REGISTRY_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Update version
         if: "github.event_name == 'release' && github.event.action == 'published'"
@@ -56,7 +59,7 @@ jobs:
           sed -i "s/    'version' => 'canary',/    'version' => '${REF:1}',/" config/app.php
 
       - name: Build and Push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
           context: .
           file: ./Dockerfile

.github/workflows/lint.yaml

@@ -13,15 +13,17 @@ on:
 jobs:
   lint:
     name: Lint
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - name: Code Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup PHP
         uses: shivammathur/setup-php@v2
         with:
-          php-version: "8.1"
+          php-version: "8.2"
           extensions: bcmath, curl, gd, mbstring, mysql, openssl, pdo, tokenizer, xml, zip
           tools: composer:v2
           coverage: none

.github/workflows/release.yaml

@@ -8,16 +8,18 @@ on:
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: write # write is required to create releases and push.
     steps:
       - name: Code checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Setup Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 16
-          cache: "yarn"
+          cache: yarn
 
       - name: Install dependencies
         run: yarn install --frozen-lockfile
@@ -29,19 +31,19 @@ jobs:
         env:
           REF: ${{ github.ref }}
         run: |
-          BRANCH=release/${REF:10}
-          git config --local user.email "ci@pterodactyl.io"
-          git config --local user.name "Pterodactyl CI"
-          git checkout -b $BRANCH
-          git push -u origin $BRANCH
+          BRANCH=release/"${REF:10}"
+          git config --local user.email 'ci@pterodactyl.io'
+          git config --local user.name 'Pterodactyl CI'
+          git checkout -b "$BRANCH"
+          git push -u origin "$BRANCH"
           sed -i "s/    'version' => 'canary',/    'version' => '${REF:11}',/" config/app.php
           git add config/app.php
-          git commit -m "ci(release): bump version"
+          git commit -m 'ci(release): bump version'
           git push
 
       - name: Create release archive
         run: |
-          rm -rf node_modules tests CODE_OF_CONDUCT.md CONTRIBUTING.md flake.lock flake.nix phpunit.xml shell.nix 
+          rm -rf node_modules tests CODE_OF_CONDUCT.md CONTRIBUTING.md flake.lock flake.nix phpunit.xml shell.nix
           tar -czf panel.tar.gz * .editorconfig .env.example .eslintignore .eslintrc.js .gitignore .prettierrc.json
 
       - name: Extract changelog
@@ -54,36 +56,17 @@ jobs:
         run: |
           SUM=`sha256sum panel.tar.gz`
           echo -e "\n#### SHA256 Checksum\n\n\`\`\`\n$SUM\n\`\`\`\n" >> ./RELEASE_CHANGELOG
-          echo $SUM > checksum.txt
+          echo "$SUM" > checksum.txt
 
       - name: Create release
         id: create_release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           draft: true
           prerelease: ${{ contains(github.ref, 'rc') || contains(github.ref, 'beta') || contains(github.ref, 'alpha') }}
           body_path: ./RELEASE_CHANGELOG
-
-      - name: Upload release archive
-        id: upload-release-archive
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: panel.tar.gz
-          asset_name: panel.tar.gz
-          asset_content_type: application/gzip
-
-      - name: Upload release checksum
-        id: upload-release-checksum
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./checksum.txt
-          asset_name: checksum.txt
-          asset_content_type: text/plain
+          files: |
+            panel.tar.gz
+            checksum.txt

CHANGELOG.md

@@ -3,6 +3,34 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v1.11.11
+
+### Fixed
+
+* Fixed CVE-2025-49132
+
+## v1.11.10
+
+### BREAKING
+
+* Minimum PHP verion is now 8.2 due to Laravel upgrade!
+
+### Fixed
+
+* Update Laravel to address [CVE-2024-52301](https://github.com/advisories/GHSA-gv7v-rgg6-548h)
+
+## v1.11.9
+
+### Fixed
+
+* Fixed issue with CI not pushing Docker image
+
+## v1.11.8
+
+### Fixed
+
+* Fixed an issue where a `DELETE` request was used instead of a `POST`, potentially logging user passwords in plain text if they disable 2FA.
+
 ## v1.11.7
 
 ### Added

Dockerfile

@@ -10,7 +10,7 @@ RUN yarn install --frozen-lockfile \
 
 # Stage 1:
 # Build the actual container with all of the needed PHP dependencies that will run the application.
-FROM --platform=$TARGETOS/$TARGETARCH php:8.1-fpm-alpine
+FROM --platform=$TARGETOS/$TARGETARCH php:8.2-fpm-alpine
 WORKDIR /app
 COPY . ./
 COPY --from=0 /app/public/assets ./public/assets

app/Http/Controllers/Base/LocaleController.php

@@ -2,11 +2,11 @@
 
 namespace Pterodactyl\Http\Controllers\Base;
 
-use Illuminate\Http\Request;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Translation\Translator;
 use Illuminate\Contracts\Translation\Loader;
 use Pterodactyl\Http\Controllers\Controller;
+use Pterodactyl\Http\Requests\Base\LocaleRequest;
 
 class LocaleController extends Controller
 {
@@ -20,20 +20,11 @@ class LocaleController extends Controller
     /**
      * Returns translation data given a specific locale and namespace.
      */
-    public function __invoke(Request $request): JsonResponse
+    public function __invoke(LocaleRequest $request): JsonResponse
     {
-        $locales = explode(' ', $request->input('locale') ?? '');
-        $namespaces = explode(' ', $request->input('namespace') ?? '');
-
-        $response = [];
-        foreach ($locales as $locale) {
-            $response[$locale] = [];
-            foreach ($namespaces as $namespace) {
-                $response[$locale][$namespace] = $this->i18n(
-                    $this->loader->load($locale, str_replace('.', '/', $namespace))
-                );
-            }
-        }
+        $locale = $request->input('locale');
+        $namespace = $request->input('namespace');
+        $response[$locale][$namespace] = $this->i18n($this->loader->load($locale, $namespace));
 
         return new JsonResponse($response, 200, [
             // Cache this in the browser for an hour, and allow the browser to use a stale

app/Http/Requests/Base/LocaleRequest.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\Base;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+class LocaleRequest extends FormRequest
+{
+    public function rules(): array
+    {
+        return [
+            'locale' => ['required', 'string', 'regex:/^[a-z][a-z]$/'],
+            'namespace' => ['required', 'string', 'regex:/^[a-z]{1,191}$/'],
+        ];
+    }
+}

composer.json

@@ -17,52 +17,52 @@
         }
     ],
     "require": {
-        "php": "^8.1 || ^8.2",
+        "php": "^8.2 || ^8.3",
         "ext-json": "*",
         "ext-mbstring": "*",
         "ext-pdo": "*",
         "ext-pdo_mysql": "*",
         "ext-posix": "*",
         "ext-zip": "*",
-        "aws/aws-sdk-php": "~3.260.1",
-        "doctrine/dbal": "~3.6.0",
-        "guzzlehttp/guzzle": "~7.5.0",
-        "hashids/hashids": "~5.0.0",
-        "laracasts/utilities": "~3.2.2",
-        "laravel/framework": "~10.1.3",
-        "laravel/helpers": "~1.6.0",
-        "laravel/sanctum": "~3.2.1",
-        "laravel/tinker": "~2.8.1",
-        "laravel/ui": "~4.2.1",
+        "aws/aws-sdk-php": "~3.316.10",
+        "doctrine/dbal": "~3.8.6",
+        "guzzlehttp/guzzle": "~7.9.2",
+        "hashids/hashids": "~5.0.2",
+        "laracasts/utilities": "~3.2.3",
+        "laravel/framework": "~10.48.23",
+        "laravel/helpers": "~1.7.0",
+        "laravel/sanctum": "~3.3.3",
+        "laravel/tinker": "~2.9.0",
+        "laravel/ui": "~4.5.2",
         "lcobucci/jwt": "~4.3.0",
-        "league/flysystem-aws-s3-v3": "~3.12.2",
-        "league/flysystem-memory": "~3.10.3",
-        "matriphe/iso-639": "~1.2",
-        "phpseclib/phpseclib": "~3.0.18",
-        "pragmarx/google2fa": "~8.0.0",
-        "predis/predis": "~2.1.1",
-        "prologue/alerts": "~1.1.0",
+        "league/flysystem-aws-s3-v3": "~3.28.0",
+        "league/flysystem-memory": "~3.28.0",
+        "matriphe/iso-639": "~1.3",
+        "phpseclib/phpseclib": "~3.0.39",
+        "pragmarx/google2fa": "~8.0.1",
+        "predis/predis": "~2.2.2",
+        "prologue/alerts": "~1.2.0",
         "psr/cache": "~3.0.0",
         "s1lentium/iptools": "~1.2.0",
-        "spatie/laravel-fractal": "~6.0.3",
-        "spatie/laravel-query-builder": "~5.1.2",
+        "spatie/laravel-fractal": "~6.2.1",
+        "spatie/laravel-query-builder": "~5.8.1",
         "staudenmeir/belongs-to-through": "~2.13",
-        "symfony/http-client": "~6.2.6",
-        "symfony/mailgun-mailer": "~6.2.5",
-        "symfony/postmark-mailer": "~6.2.5",
-        "symfony/yaml": "~6.2.5",
+        "symfony/http-client": "~6.4.10",
+        "symfony/mailgun-mailer": "~6.4.10",
+        "symfony/postmark-mailer": "~6.4.8",
+        "symfony/yaml": "~6.4.8",
         "webmozart/assert": "~1.11.0"
     },
     "require-dev": {
-        "barryvdh/laravel-ide-helper": "~2.13.0",
-        "fakerphp/faker": "~1.21.0",
-        "friendsofphp/php-cs-fixer": "~3.14.4",
-        "itsgoingd/clockwork": "~5.1.12",
-        "laravel/sail": "~1.21.0",
-        "mockery/mockery": "~1.5.1",
-        "nunomaduro/collision": "~7.0.5",
-        "phpunit/phpunit": "~10.0.11",
-        "spatie/laravel-ignition": "~2.0.0"
+        "barryvdh/laravel-ide-helper": "~2.15.1",
+        "fakerphp/faker": "~1.23.1",
+        "friendsofphp/php-cs-fixer": "~3.61.1",
+        "itsgoingd/clockwork": "~5.2.2",
+        "laravel/sail": "~1.31.0",
+        "mockery/mockery": "~1.6.12",
+        "nunomaduro/collision": "~7.10.0",
+        "phpunit/phpunit": "~10.5.29",
+        "spatie/laravel-ignition": "~2.8.0"
     },
     "autoload": {
         "files": [
@@ -98,7 +98,7 @@
         "preferred-install": "dist",
         "sort-packages": true,
         "platform": {
-            "php": "8.1.0"
+            "php": "8.2.23"
         }
     },
     "minimum-stability": "stable",

resources/scripts/api/account/disableAccountTwoFactor.ts

@@ -1,9 +1,11 @@
 import http from '@/api/http';
 
-export default (password: string): Promise<void> => {
+function disableAccountTwoFactor(password: string): Promise<void> {
     return new Promise((resolve, reject) => {
-        http.delete('/api/client/account/two-factor', { params: { password } })
+        http.post('/api/client/account/two-factor/disable', { password })
             .then(() => resolve())
             .catch(reject);
     });
-};
+}
+
+export default disableAccountTwoFactor;

routes/api-client.php

@@ -24,7 +24,7 @@ Route::prefix('/account')->middleware(AccountSubject::class)->group(function ()
         Route::get('/', [Client\AccountController::class, 'index'])->name('api:client.account');
         Route::get('/two-factor', [Client\TwoFactorController::class, 'index']);
         Route::post('/two-factor', [Client\TwoFactorController::class, 'store']);
-        Route::delete('/two-factor', [Client\TwoFactorController::class, 'delete']);
+        Route::post('/two-factor/disable', [Client\TwoFactorController::class, 'delete']);
     });
 
     Route::put('/email', [Client\AccountController::class, 'updateEmail'])->name('api:client.account.update-email');