EngineHub / WorldGuard

🛡️ Protect your Minecraft server and lets players claim areas
https://enginehub.org/worldguard/

Command blocking exploit #2056

Closed JHarris12345 closed 11 months ago

JHarris12345 commented 11 months ago

WorldEdit Version

7.2.15+6463-5ca4dff

WorldGuard Version

7.0.9-beta1+2249-223b80c

Platform Version

PaperSpigot 1.20.1

Confirmations

Bug Description

You are able to send commands by adding spaces after the forward slash. For example -> "/ spawn". You can add as many spaces as you like and the command will still work.

WorldGuard's "BlockedCmds" flag doesn't account for this. So if you block "/spawn" but they type "/ spawn", it will allow it. I propose a change where it first removes the spaces after the forward slash and before the first letter in a command and THEN checks that new string.

Expected Behavior

It should block commands even if you add a space.

Reproduction Steps

  1. Block a command like /spawn
  2. Use / spawn

Optional WorldGuard-Report

No response

Anything Else?

No response

JHarris12345 commented 11 months ago

This code can build the new command string and perform the check on the string builder string:

    // Removes the spaces between the leading slash and the command name.
    static String normalizeCommand(String command) {
        char[] charArray = command.toCharArray();
        StringBuilder stringBuilder = new StringBuilder();

        boolean foundCharacter = false;
        for (int i = 0; i < charArray.length; i++) {
            char character = charArray[i];

            // Keep forward slashes (this also keeps any that appear later in the command)
            if (character == '/') {
                stringBuilder.append(character);
                continue;
            }

            // Skip the spaces that follow until the first other character is found, then keep everything from there
            if (character == ' ' && !foundCharacter) continue;

            foundCharacter = true;
            stringBuilder.append(character);
        }
        return stringBuilder.toString();
    }

wizjany commented 11 months ago

dupe
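
The mismatch reported in this issue, shown as an added example that is not part of the thread and not WorldGuard's own code: a blocklist comparison on the raw input next to the same comparison run on a canonicalized command. The class, method names, blocklist and sample inputs are constructed for illustration, and treating any whitespace (not only spaces) after the slash as padding is an assumption that goes slightly beyond the reported case.

```java
import java.util.List;
import java.util.Set;

public class BlockedCommandCheck {
    // Constructed blocklist standing in for a region's blocked commands.
    static final Set<String> BLOCKED = Set.of("/spawn");

    // Compares a command line with each blocked entry: exact label, or label plus arguments.
    static boolean matches(String commandLine) {
        for (String blocked : BLOCKED) {
            if (commandLine.equals(blocked) || commandLine.startsWith(blocked + " ")) {
                return true;
            }
        }
        return false;
    }

    // "Before": the raw input is compared, so "/ spawn" does not match "/spawn".
    static boolean isBlockedRaw(String input) {
        return matches(input);
    }

    // Canonical form: leading slashes kept, whitespace between them and the label dropped.
    static String canonicalize(String input) {
        int i = 0;
        while (i < input.length() && input.charAt(i) == '/') i++;
        if (i == 0) return input; // not a command, leave untouched
        int j = i;
        while (j < input.length() && Character.isWhitespace(input.charAt(j))) j++;
        return input.substring(0, i) + input.substring(j);
    }

    // "After": canonicalize first, then run the same comparison.
    static boolean isBlockedCanonical(String input) {
        return matches(canonicalize(input));
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        List<String> inputs = List.of("/spawn", "/ spawn", "/    spawn now", "/spawnpoint", "/home");
        for (String input : inputs) {
            System.out.printf("%-18s raw=%-5b canonical=%-5b%n",
                    "\"" + input + "\"", isBlockedRaw(input), isBlockedCanonical(input));
        }
    }
}
```

The point of the comparison is that the filter and the command dispatcher must agree on what the command is: any input the dispatcher accepts as `/spawn` has to reduce to the same string before the blocklist is consulted.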