AuthMe / AuthMeReloaded

The best authentication plugin for the Bukkit/Spigot API!
https://www.spigotmc.org/resources/authmereloaded.6269/
GNU General Public License v3.0

ProtectInventoryBeforeLogIn: true MUST also NOT /authme reload or it WILL SHOW BUG(BUG EXACTLY CONFIRMED!) #1709

Closed ProblemsSender closed 4 years ago

ProblemsSender commented 5 years ago

5.4.0 AuthMe - 1.12.2 Spigot

What behaviour is observed:

ProtectInventoryBeforeLogIn: true, BUT it does not fully protect the player's inventory. It shows what items are in this inventory.

What behaviour is expected:

1/ When ProtectInventoryBeforeLogIn: true
2/ We must be entering the server with no exploit of inventory:
   a/ Can't pick up items (works fine)
   b/ Can't drop items (works fine)
   c/ Can't see the items in inventory, armor, and hand (BUG) - We can see the item, and it must be picked to vanish, or it just can't be picked or dropped; this is an exploit bug!

Steps/models to reproduce:

The actions that cause the bug:
1/ Enter the config.yml with NotePad+
2/ Change: -ProtectInventoryBeforeLogIn: true
3/ Open the server, then reload AuthMe

Every player will be leaked by this bug from this time on.

Plugin list:

[10:16:28 INFO]: Plugins (12): PermissionsEx, PlugMan, Vault, ProtocolLib, Essentials, EssentialsProtect, EssentialsSpawn, EssentialsChat, EssentialsGeoIP, EssentialsAntiBuild, AuthMe, EssentialsXMPP

Environment description

Standalone server, MySql, ...

AuthMe build number:

10:17:12 INFO: ==========[ AuthMeReloaded ABOUT ]==========
10:17:12 INFO: Version: AuthMeReloaded v5.4.0 (build: 1877)

10:17:12 INFO: Alexandre Vanhecke // xephi59 (Original Author)
10:17:12 INFO: Lucas J. // ljacqu (Main Developer)
10:17:12 INFO: Gnat008 // gnat008 (Developer)
10:17:12 INFO: DNx5 // DNx5 (Developer)
10:17:12 INFO: games647 // games647 (Developer)
10:17:12 INFO: Tim Visee // timvisee (Developer)
10:17:12 INFO: Gabriele C. // sgdc3 (Project manager, Contributor)
10:17:12 INFO: Website: http://dev.bukkit.org/bukkit-plugins/authme-reloaded/
10:17:12 INFO: License: GNU GPL v3.0 (See LICENSE file)
10:17:12 INFO: Copyright: Copyright (c) AuthMe-Team 2017. All rights reserved.

Error Log:

It works completely flawlessly with no stack trace, except for the bug.

Configuration:

Emulate the steps to reproduce above to make the bug come out.

ProblemsSender commented 5 years ago

It took me some time to find this bug. It's harmless just until you enter the /authme reload command. This issue is similar to a closed issue from before about an inventory protection bug; just because no one noticed this reload command, the developer just couldn't figure it out before. Now it's time to fix it!

sgdc3 commented 5 years ago

AuthMe requires ProtocolLib to hide the inventory...

sgdc3 commented 5 years ago

Why is this an exploit? Please provide some examples.

ProblemsSender commented 5 years ago

It's hard to clarify since English is not my primary language... but basically:
1/ If a player knows the username of a player that is rich or has a lot of stuff
2/ That player still has to know the password to log in and do the bad things
3/ But before (2), they might need to know if that username is worth griefing or not by using this bug
   a/ If that username is worth griefing, then they will use some password leaking tools that are downloadable on the internet and wait for it to be cracked.
   b/ If that username is not worth griefing, they may stop at first glance in the inventory.
4/ If they can't use this bug, they'll need to hack this account first. If it succeeds but that username doesn't have the prize, it'll be their failure; every account in their glance would have to be hacked again and again.

Why do I want this bug to be fixed? Hackers are doing bad things; they should work harder to get the prize, or they will not get it. Not just knowing that the username has a prize and then spending 10 hours breaking it easily without a thousand hours.

Of course there's a chance that the player has hidden their treasure before logging out, but I want to make it impossible to exploit.

Or there's a big chance that I won't use /authme reload anymore, but it's an inconvenience, as I will have to run it 24/7.

* Speaking of the "/authme reload" command, is this bug related to the "/reload" command or AutoSaveWorld sort of plugins? So a full restart might be recommended for each update. I haven't tested it so I can't tell. If this bug exists, it'll be even more inconvenient.

sgdc3 commented 5 years ago

I still didn't understand what the exploit is... @ljacqu @games647 @Hex3l do you have any idea?

sgdc3 commented 5 years ago

OK, I think I got it: ProtectInventoryBeforeLogIn stops working after a plugin reload. @games647, what do you think about this?

ljacqu commented 4 years ago

This was fixed in the referenced commit, which is part of 5.6.0 beta 1