Releases: plan-player-analytics/Plan
5.5 build 2272
This update enables the new React based frontend by default, speeds up loading various parts of the website, and fixes a couple of issues.
If you are using Html Customization, it is now possible to migrate to the new system; see https://github.com/plan-player-analytics/Plan/wiki/Html-Customization--migration-guide-to-React - You can use the Plugin.Use_Legacy_Frontend setting until your migrations are complete.
Back up your config in case you need to revert to the previous version. Updating should be easy: simply replace the jar.
Change log
React Frontend (Previously called Frontend BETA)
The frontend rewrite is complete, so the new frontend is now enabled by default. The Plugin.Use_Legacy_Frontend setting (default: false) still allows using the old frontend for a while until it is completely removed.
Here is a summary of improvements this brings if you have not participated in the Beta:
- Faster loading time since less data requests are made at once
- Improved mobile navigation
- New features:
  - Page navigation button for switching between pages
  - Switching language on the frontend
  - Join address tab
  - Visualizer switches for some graphs
  - Average players online data on Performance tabs
  - Interactive '?' help for Activity Index and New Player Retention (these were the two most common questions on how they work)
  - Redesigned Network > Servers tab
- Easier to maintain and develop further
Changes from previous update:
- Added a page navigation button that allows moving to different servers and other pages easily. This replaces the 'Back to main page' button. You can switch between the same page for two servers (e.g. move from Server 1 > Performance to Server 2 > Performance in one click)
- Improved mobile navigation. With the navigation button this should help mobile users a lot.
- Interactive '?' help for Activity Index and New Player Retention (These were the two most common questions on how they work)
- Fixed network server list saying "No servers installed" while servers were being loaded.
- Fixed page translation issues
- React was updated to version 18
- Javascript APIs for extending the page programmatically were implemented: https://github.com/plan-player-analytics/Plan/wiki/APIv5-PageExtension-API#javascript-api
- Fixed join address data breaking the page when visualized as a table
- Fixed issues of plugin cards overlapping when switching between plugins of two servers on player page
New feature: public_html
A new feature in the webserver allows hosting any web files on the Plan webserver. Please note that any files placed in the public_html folder (/plugins/Plan/public_html by default) can be read by anyone who knows the address of the webserver, even if you have login enabled. The folder can be configured with the Webserver.Public_html_directory setting.
The main purpose of this feature is to allow Html Customization of the React bundle: https://github.com/plan-player-analytics/Plan/wiki/Html-Customization
Webserver
- Implemented HTTP Caching: Browser will now cache some responses and avoid sending unnecessary data if it was already loaded. This can improve page loading times from multiple seconds to milliseconds.
- Implemented public_html feature that allows hosting custom files from a configurable folder, Webserver.Public_html_directory (default: /plugins/Plan/public_html). This can be used to host the http-challenge file for certbot and other files.
Database
- PlayerTableRowPatch should no longer be re-applied all the time
- Optimized server player table query: /server/players now loads much faster. Tested optimization: 4s -> 500ms: 8x improvement
- Optimized server latest join addresses query: /server/join_addresses now loads much faster. Tested optimization: 19s -> 150ms: 120x improvement
- Optimized /v1/network/servers endpoint, got a 66% speed increase, so Servers tab on network page should load faster.
PlaceholderAPI
- Unregister placeholder extension when Plan disables: this possibly fixes an issue where PlaceholderAPI would log errors when Plan was disabled before PlaceholderAPI.
5.5 DEV build 2254
This dev release enables the React Frontend by default and adds new APIs for adding content to the React website via Javascript and Java.
This is a release candidate, I just didn't have time to write enough documentation for a full release this weekend.
Changes from DEV build 2208
- Enabled React frontend by default
- Added 'Plugin.Use_Legacy_Frontend' (default: false), which still allows using the old frontend for a while until it's completely removed.
- Added new PageExtension javascript APIs. Documentation is still in progress.
  - pageExtensionApi.js
  - ResourceService got two new methods
  - ResourceService.Position.AFTER_MAIN_SCRIPT is now deprecated and is a no-op if used with index.html (the React bundle .html file)
Change log
React Frontend (Previously called Frontend BETA)
The new frontend is now enabled by default. The 'Plugin.Use_Legacy_Frontend' (default: false) setting still allows using the old frontend for a while until it's completely removed.
- Use public_html for customizing React-bundle. See https://github.com/plan-player-analytics/Plan/wiki/Html-Customization--migration-guide-to-React on how to use the customization features with new frontend.
- Added a page navigation button that allows moving to different servers and other pages easily. This replaces the 'Back to main page' button.
- Improved mobile navigation. With the navigation button this should help mobile users a lot.
- Fixed network server list saying "No servers installed" while servers were being loaded.
- Fixed page translation issues
- React was updated to version 18
Webserver
- Implemented HTTP Caching: Browser will now cache some responses and avoid sending unnecessary data if it was already loaded. This can improve page loading times from multiple seconds to milliseconds.
- Implemented public_html feature that allows hosting custom files from a configurable folder, Webserver.Public_html_directory (default: /plugins/Plan/public_html). This can be used to host the http-challenge file for certbot and other files.
- /v1/network/servers endpoint was optimized, got a 66% speed increase, so the Servers tab on the network page should load faster.
Database
- PlayerTableRowPatch should no longer be re-applied all the time
- Optimized server player table query: /server/players now loads much faster. Tested optimization: 4s -> 500ms: 8x improvement
- Optimized server latest join addresses query: /server/join_addresses now loads much faster. Tested optimization: 19s -> 150ms: 120x improvement
PlaceholderAPI
- Unregister placeholder extension when Plan disables: this possibly fixes an issue where PlaceholderAPI would log errors when Plan was disabled before PlaceholderAPI.
5.5 DEV build 2208
This dev release contains bugfixes, html customization equivalent for a React-bundle, and navigation improvements to Frontend BETA.
Changes from DEV build 2195
- Implemented public_html feature
- Mobile navigation and navigation button to Frontend BETA
- Fixed /plan reload when PlaceholderAPI is installed
Change log
Webserver
- Implemented HTTP Caching: Browser will now cache some responses and avoid sending unnecessary data if it was already loaded. This can improve page loading times from multiple seconds to milliseconds.
- Implemented public_html feature that allows hosting custom files from a configurable folder, Webserver.Public_html_directory (default: /plugins/Plan/public_html). This can be used to host the http-challenge file for certbot and other files.
Frontend BETA
The new frontend can be enabled with the Plugin.Frontend_BETA setting.
- Use public_html for customizing React-bundle. See https://github.com/plan-player-analytics/Plan/wiki/Html-Customization--migration-guide-to-React on how to use the customization features with new frontend.
- Added a page navigation button that allows moving to different servers and other pages easily. This replaces the 'Back to main page' button.
- Improved mobile navigation. With the navigation button this should help mobile users a lot.
- Fixed network server list saying "No servers installed" while servers were being loaded.
- Fixed page translation issues
Database
- PlayerTableRowPatch should no longer be re-applied all the time
- Optimized server player table query: /server/players now loads much faster. Tested optimization: 4s -> 500ms: 8x improvement
- Optimized server latest join addresses query: /server/join_addresses now loads much faster. Tested optimization: 19s -> 150ms: 120x improvement
PlaceholderAPI
- Unregister placeholder extension when Plan disables: this possibly fixes an issue where PlaceholderAPI would log errors when Plan was disabled before PlaceholderAPI.
5.5 DEV build 2195
This dev release contains optimizations to the website loading speed.
Change log
Webserver
- Implemented HTTP Caching: Browser will now cache some responses and avoid sending unnecessary data if it was already loaded. This can improve page loading times from multiple seconds to milliseconds.
Frontend BETA
- Fixed network server list saying "No servers installed" while servers were being loaded.
Database
- Optimized server player table query: /server/players now loads much faster. Tested optimization: 4s -> 500ms: 8x improvement
- Optimized server latest join addresses query: /server/join_addresses now loads much faster. Tested optimization: 19s -> 150ms: 120x improvement
PlaceholderAPI
- Unregister placeholder extension when Plan disables: this possibly fixes an issue where PlaceholderAPI would log errors when Plan was disabled before PlaceholderAPI.
5.5 build 2172 - CRITICAL security vulnerability fix
This build contains a fix to a CRITICAL SQL Injection vulnerability, as well as fixes to minor security vulnerabilities.
Yesterday (2023-01-14): finding a minor Path Traversal security vulnerability led to a thorough process of labeling all untrusted data in the codebase, and during that process a critical SQL Injection vulnerability was also discovered. When exploited successfully, SQL Injection allows a malicious actor to read any data from the database and to change or delete data. This may expose users' salted and hashed Plan web user passwords or other data in the database.
It is recommended to update as soon as possible, even though exploits for the vulnerability may not yet exist in the wild.
This is the first time a vulnerability of this high a priority has affected Plan, so I'm a bit overwhelmed, but I'm hoping to address this vulnerability professionally by releasing a fix in a timely manner and keeping exact details undisclosed for now to give users time to update.
The fix has been backported to build 1722: https://github.com/plan-player-analytics/Plan/releases/tag/5.4.1722.1
Change Log
Fixed CRITICAL SQL Injection vulnerability
Details
Vulnerable versions: 5.2 build 1168 to 5.5 build 2163
If login is enabled: malicious users with permission level 1 (plan.player.other) or 0 (plan.server) can access an endpoint which was found to contain an SQL Injection vulnerability.
If login is not enabled: any malicious actor can access an endpoint which was found to contain an SQL Injection vulnerability.
Mitigation if you are unable to update
- Enable https and login so that fewer users have access to the vulnerable endpoint: https://github.com/plan-player-analytics/Plan/wiki/SSL-Certificate-%28HTTPS%29-Set-Up
- Enable IP Whitelist so that fewer users have access to the vulnerable endpoint.
  Webserver:
    Security:
      IP_whitelist:
        Enabled: true
- If unable to update or secure the server, disable the Plan Webserver. This option is good if you want to delay updating to a more convenient time.
  Webserver:
    Disable_webserver: true
Other fixed security vulnerabilities
- [Minor] Fixed Path Traversal vulnerability where an attacker could gain read access to .css, .js, .png, .woff, .woff2, .eot, .ttf files anywhere on the host machine if the Customized_files.Enable_web_dev_mode setting was set to true
- [Minor] Fixed XSS (Cross-site scripting) vulnerability in the Whitelist deny 403 page when an attacker routes traffic to Plan through a reverse proxy with a malicious X-Forwarded-For header
- Removed untrusted data from exception messages used within the plugin
- [Minor] Prevented potential XSS vulnerabilities in Not Found page when untrusted data could enter the error message
- [Minor] Prevented potential XSS vulnerabilities in Internal Server Error page when untrusted data could enter the error message
- [Minor] Prevented a malicious Hello packet from breaking Session serialization to CSV on server disable if the join address contained a ; character
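As an added illustration (not Plan's own code) of the containment check the Path Traversal fix above calls for: an extension allowlist on its own says nothing about where a file lives, so a request containing `..` segments can reach matching files outside the customised-files folder unless the resolved path is normalised and checked against the base directory. The class name `SafeResourceResolver`, the base directory `plugins/Plan/web` and the request strings in `main` are assumptions constructed for this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/**
 * Added example, not Plan's code: resolve a requested web resource against a
 * fixed base directory so that the result can never point outside it.
 */
public final class SafeResourceResolver {

    // The file types named in the release note.
    private static final Set<String> ALLOWED_EXTENSIONS =
            Set.of(".css", ".js", ".png", ".woff", ".woff2", ".eot", ".ttf");

    private final Path baseDirectory;

    public SafeResourceResolver(Path baseDirectory) {
        // Normalise once so later startsWith() compares against a clean prefix.
        this.baseDirectory = baseDirectory.toAbsolutePath().normalize();
    }

    /** Weak check on its own: the extension says nothing about where the file lives. */
    public static boolean hasAllowedExtension(String requested) {
        String lower = requested.toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.stream().anyMatch(lower::endsWith);
    }

    /**
     * Hardened check: resolve, normalise (collapses "." and ".." segments),
     * then require the result to remain inside the base directory.
     * Returns empty for anything that would escape it or has the wrong type.
     */
    public Optional<Path> resolve(String requested) {
        if (requested.indexOf('\0') >= 0 || !hasAllowedExtension(requested)) {
            return Optional.empty();
        }
        Path candidate = baseDirectory.resolve(requested).normalize();
        // Component-wise prefix test: "x/web" is not a prefix of "x/webfoo".
        if (!candidate.startsWith(baseDirectory)) {
            return Optional.empty();
        }
        // Caveat: normalize() does not follow symlinks. If links inside the base
        // directory are possible, repeat this test on candidate.toRealPath().
        return Optional.of(candidate);
    }

    public static void main(String[] args) {
        // Constructed base directory and requests for the demonstration.
        SafeResourceResolver resolver = new SafeResourceResolver(Paths.get("plugins/Plan/web"));
        String[] requests = {"css/style.css", "img/../css/style.css", "../../outside/secret.css", "notes.txt"};
        for (String request : requests) {
            String outcome = resolver.resolve(request).map(Path::toString).orElse("REJECTED");
            System.out.println(request + " -> " + outcome);
        }
    }
}
```

The second request is accepted because normalisation keeps it inside the base directory; the third is rejected by the containment test and the fourth by the extension allowlist.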
Locale
- Updated Finnish (FI) Locale
5.4 build 1722.1 - Backported critical security vulnerability fix to build 1722
This build contains a fix to a critical SQL Injection vulnerability, as well as fixes to minor security vulnerabilities.
Refer to release https://github.com/plan-player-analytics/Plan/releases/tag/5.5.2172 for further details, and prefer the newest version whenever possible when installing new versions. 5.4 is not actively maintained; the backport was created since 15% of servers still use build 1722.
5.5 build 2163
This update contains performance improvements and subdirectory support for the new frontend.
Change log
Database
- Fixed concurrency bottleneck where write and read operations interfered with each other, limiting execution to one query or transaction at a time. This bottleneck occurred because the access lock designed to prevent database operations during schema modifications was still enabled after the schema modifications had already completed.
- Disabled BadAFKThresholdValuePatch - This patch was written to fix bad data input from version 4.5.2 which is no longer being used according to metrics, so this patch can be disabled. It was sometimes executed if a player joined a server and never moved.
Frontend BETA
Export features are now complete, up next is Html Customization.
- Implemented support and tests for reverse-proxy setups with subdirectory proxy_pass settings (e.g. address.com/plan/)
- Implemented support and tests for Export to a subdirectory (e.g. /var/public_html/plan/ accessed from address.com/plan/)
Webserver
- Added a read-write lock to json_cache so that files are not read while being written. This might solve some randomly occurring issues.
Plugin Enable
- Incorrectly written lines in unsaved-sessions.csv during plugin disable are now ignored - a warning is printed instead of an exception stacktrace.
5.5 build 2150 - Hotfix
This update contains a hotfix to build 2144. New installations after build 2100 are not affected; the bug affected instances that were updated from versions prior to build 2100 on networks or Fabric servers. Sorry for any inconvenience it has caused. More about the bug below.
Fixed bug in BadJoinAddressCorrectionPatch
An unfortunate typo in session to join address id correction code caused all sessions to get invalid join address id. Instead of correcting invalid ids to correct ids, it changed correct ids to incorrect ids. Any installations where the broken patch ran lost their join address data.
Symptoms of the bad patch:
- Playtime data too low or missing on player pages
- Activity index differs between player page and player list
- Join address data shows no data
Fixes in this update:
- Fixed the typo, now the patch works as intended and corrects join address ids.
- Added a second patch that attempts to recover at least some of the missing data by using latest join address in plan_user_info table for installations that ran the bad patch. This is a best-effort solution since the original data was deleted by the bad patch, so some granularity like player changing the address they have used in the past was lost.
- Playtime and activity index values should recover since the issue was caused by join address ids pointing to invalid numbers.
5.5 build 2144
This build contains various bugfixes.
Change log
Join Address Data
- Any join address data that has null characters (gathering was fixed in previous update) is now cleaned on first startup - the data after null character is cleared, and the valid data kept. This should help with join address tab not loading in many cases. This was thoroughly unit tested to ensure it works properly.
Query page
- Fixed Query results erroring with 500 due to a mistake in the code that did not place boolean parameters in the query parameters.
Frontend BETA
- Fixed timezone not being applied to graphs (All line graphs)
- Fixed exported pages constantly updating data in the background
5.5 build 2121
Another release to add 1.19.3 support to Fabric and release all the goodies developed since previous update :)
Special thanks to DrexHD for contributions to this update.
Change Log
Data gathering
- Local private network addresses (https://en.wikipedia.org/wiki/Private_network) are now detected as 'Local Private Network' in Geolocations, similar to how 127.0.0.1 is marked as 'Local Machine'.
Fabric
- DrexHD updated the Fabric code to be compatible with 1.19.3 changes
Frontend BETA
- Fixed login and register redirects to wrong place
- Fixed Playerbase overview 30 days and Now being wrong way around on the table
- React Export is now functional (at least on webservers that serve the bundle at /; further testing is needed if your export is on /stats/, for example).
- If Frontend beta and export are enabled, the old html files are no longer exported.
- Extra index.html files are exported to redirect back to the React bundle to allow sharing the URLs to others. This is because in the React frontend the address is handled by React Router and clicking most links on the pages makes no extra requests for html. Reloading on the other hand needs html file, so the extra files redirect to {address}/?redirect={address you used} - so that you end up where you want.
- Exported pages have a different icon next to last refresh timestamp to visually distinguish from screenshots which one is being used.
- Known issue with export: The json files are constantly being reloaded by the browser if they're old