Merge branch 'staging/1.7.8' into release

CHANGELOG.md

@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file.
 
+## [1.7.8] - Service release
+
+### Security
+
+- Fix reflected XXS in debug panel when debug mode was enabled or the user accessed directly the debug panel template.
+
+## [1.7.7] - Service release
+
+### Bugfixes
+
+- Fix #3588: Delete issue DNS record (#3589)
+- Tidy notifications copy (#3561)
+- Predefined ipset lists not loading #3552 (#3557)
+
 ## [1.7.7] - Service release
 
 ### Bugfixes

README.md

@@ -4,7 +4,7 @@
 
 <h2 align="center">Lightweight and powerful control panel for the modern web</h2>
 
-<p align="center"><strong>Latest stable release:</strong> Version 1.7.7 | <a href="https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md">View Changelog</a></p>
+<p align="center"><strong>Latest stable release:</strong> Version 1.7.8 | <a href="https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md">View Changelog</a></p>
 
 <p align="center">
 	<a href="https://www.hestiacp.com/">HestiaCP.com</a> |

install/hst-install-debian.sh

@@ -32,7 +32,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.7.7'
+HESTIA_INSTALL_VER='1.7.8'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1" "8.2")
 fpm_v="8.1"

install/hst-install-ubuntu.sh

@@ -32,7 +32,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.7.7'
+HESTIA_INSTALL_VER='1.7.8'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1" "8.2")
 fpm_v="8.1"

package.json

@@ -1,7 +1,7 @@
 {
 	"name": "hestia",
 	"private": true,
-	"version": "1.7.7",
+	"version": "1.7.8",
 	"description": "An open-source Linux web server control panel.",
 	"repository": "https://github.com/hestiacp/hestiacp",
 	"license": "GPL-3.0-or-later",
@@ -17,7 +17,7 @@
 		"preinstall": "npx only-allow yarn",
 		"postinstall": "husky install"
 	},
-	"packageManager": "yarn@3.5.1",
+	"packageManager": "yarn@3.6.0",
 	"dependencies": {
 		"@fortawesome/fontawesome-free": "^6.4.0",
 		"alpinejs": "^3.12.0",

src/deb/hestia/control

@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.7.7
+Version: 1.7.8
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com

web/templates/pages/debug_panel.php

@@ -1,3 +1,9 @@
+<?php
+if( !defined("HESTIA_DIR_BIN") ){
+	die("Direct access disabled");
+}
+?>
+
 <div x-data="{ open: false }" class="debug-panel">
 	<button
 		type="button"
@@ -10,26 +16,26 @@
 		<?php
 			echo "<h3 class=\"u-mb10\">Server Variables</h3>";
 			foreach ($_SERVER as $key => $val) {
-				echo "<b>" . $key . "= </b> " . $val . " ";
+				echo "<span class=\"u-text-bold\">" . htmlentities($key) . "= </span> " . htmlentities($val) . " ";
 			}
-  	?>
+		?>
 		<?php
 			echo "<h3 class=\"u-mb10 u-mt10\">Session Variables</h3>";
 			foreach ($_SESSION as $key => $val) {
-				echo "<b>" . $key . "= </b> " . $val . " ";
+				echo "<span class=\"u-text-bold\">" . htmlentities($key) . "= </span> " . htmlentities($val) . " ";
 			}
-  	?>
+		?>
 		<?php
 			echo "<h3 class=\"u-mb10 u-mt10\">POST Variables</h3>";
 			foreach ($_POST as $key => $val) {
-				echo "<b>" . $key . "= </b> " . $val . " ";
+				echo "<span class=\"u-text-bold\">" . htmlentities($key) . "= </span> " . htmlentities($val) . " ";
 			}
-  	?>
+		?>
 		<?php
 			echo "<h3 class=\"u-mb10 u-mt10\">GET Variables</h3>";
 			foreach ($_GET as $key => $val) {
-				echo "<b>" . $key . "= </b> " . $val . " ";
+				echo "<span class=\"u-text-bold\">" . htmlentities($key) . "= </span> " . htmlentities($val) . " ";
 			}
-  	?>
+		?>
 	</div>
 </div>