NoCheatPlus / Issues

Issues management for the NoCheatPlus project.

Creative mode item exploits (enchant/meta) [DBO 560] #12

Open MyPictures opened 8 years ago

MyPictures commented 8 years ago

What is the problem? What do you expect to see instead?

I have recently been having issues with players applying custom enchantments using "All-U-Want Inventory Editor". This has become a huge issue since there are weapons with level 30 000 enchantments floating around on the server. Would it be possible to block spawning of these items and enchantments using NoCheatPlus?

Can it be reproduced systematically and if so: How?

Install "All-U-Want Inventory Editor". Join a server, open your inventory, hover over a slot and click R. Select an item, amount, enchantments, etc. Hit save and the item will land in your inventory. The player can do this without being OP or having permissions to /give or /i.

Which version of NC+ are you running? (Check with /version NoCheatPlus or /ncp version on your server)

3.9.2-RC-b520

What's your NoCheatPlus configuration file version? (config.yml: copy the first line in here)

Configuration generated by NoCheatPlus 3.9.2-RC-b520.

Did you change anything in your NC+ configuration file? If yes: What did you change?

Nope.

On which Craftbukkit/Spigot build do you run your server? (Simply execute /version)

CraftBukkit version git-Bukkit-1.5.2-R0.1-4-gbf74d15-b2783jnks (MC: 1.5.2) (Implementing API version 1.5.2-R0.2-SNAPSHOT)

How easy is it to reproduce? Does it always happen? Does it happen to all players? Does it happen with vanilla clients?

Works each and every time as described above. Does not work for vanilla clients as they need Modloader and "All-U-Want Inventory Editor" to spawn items.

Do you run any other special plugin next to NC+ (Spout, mcmmo, heroes and others)?

WorldEdit.

Please provide any additional information below (logs, screenshots, plugin list, player amount, .....):

MyPictures commented 8 years ago

ha11oga11o: "What to say guys, this is a serious issue, 'cause my players can transfer these items on survival somehow... don't know how, but they have those items in survival now. Is there any chance to just delete that item from inventory if it's simply overpowered?

Thank you:)"

MyPictures commented 8 years ago

travja: "To all with this bug. With it being a creative only issue... Disable Enderchests in your creative worlds, this will prevent users from placing/using the enderchests. You can do this with WorldGuard or ModifyWorld. I had this for a bit, disabled EnderChests and haven't had a problem since.

All I can say :/"

MyPictures commented 8 years ago

marcosds13: "Negative enchants can crash the server. If an EnderPearl/Snowball/Arrow has a negative enchant, there is a probability that the server crashes when the item is launched :S"

MyPictures commented 8 years ago

jet315: "I would also like a fix for this.

Changing the meta/lore for an item has resulted in an item being created that crashes any client when they mouse over it.

I am unsure as to what exactly the change is. Additionally changing an item to a negative enchant causes death and inability to re-spawn.

So far the worst case for my server has been an item which crashes the client then prevents re-log. I have deleted the users player data file and essentials file but they still are unable to log in.

This could potentially become a serious issue to creative servers as more and more players seem to be using the mod. The player who created the items confirmed he was using All-U-Want."

MyPictures commented 8 years ago

GoldenCar100: "asofold: I actually would not mind if players could use this mod for non-crashing purposes. Instead of trying to block the mod altogether right NOW, try to focus on blocking the items that can crash the server as a result of using the mod. Like, I know for sure that "item name length limitation" by MyPictures is an incredible idea; a lot of players are crashing because the item name length is way too big. Additionally, preventing players from having negative enchantments could be a plus. NoCheatPlus can probably start scanning inventories for any items that exceed a name length or have a "negative enchant [which] causes death and inability to re-spawn". If the requirements are met, then NoCheatPlus should cancel the event. The main reason why people wanted this mod blocked is not because of the mod itself, but rather how it can be used. That's why focusing on smaller patches that crash players or cause annoying things is more important than trying to block the mod itself."

MyPictures commented 8 years ago

asofold: "Any idea for a simple heuristic on which levels are ok (not crashing)?

We need some default settings, or we have to deactivate such checks by default, 0 <= level <= 50 ?

The other choices are to alter the enchantment level (or remove enchantments), to log, to have different levels of action (alter enchantments, just cancel the event if not crashing) etc.

The other question is if we need to scan the players' inventories constantly or if it is enough to monitor pickup, drop, death-drops, sorts of interactions/item-in-hand..."
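A sketch of the event-based variant of the checks discussed in the comments above (enchantment level range, item name length), added here as an example; it is not NoCheatPlus code. The class name, the name and lore limits, and the choice to cancel rather than alter the item are assumptions; the 0..50 level range is the one floated in the thread.

```java
import java.util.Map;
import org.bukkit.Bukkit;
import org.bukkit.enchantments.Enchantment;
import org.bukkit.event.EventHandler;
import org.bukkit.event.EventPriority;
import org.bukkit.event.Listener;
import org.bukkit.event.inventory.InventoryCreativeEvent;
import org.bukkit.inventory.ItemStack;
import org.bukkit.inventory.meta.ItemMeta;

/** Hypothetical listener: rejects creative-mode items whose data is out of range. */
public class CreativeItemSanityListener implements Listener {

    // Level range as proposed in the thread; the text limits are assumed placeholders.
    private static final int MIN_LEVEL = 0;
    private static final int MAX_LEVEL = 50;
    private static final int MAX_NAME_LENGTH = 64;
    private static final int MAX_LORE_LINES = 16;

    @EventHandler(priority = EventPriority.LOWEST, ignoreCancelled = true)
    public void onCreativeItem(InventoryCreativeEvent event) {
        // For this event the cursor is the item the client asks the server to create.
        String reason = findViolation(event.getCursor());
        if (reason != null) {
            event.setCancelled(true);
            Bukkit.getLogger().warning("Blocked creative item from "
                    + event.getWhoClicked().getName() + ": " + reason);
        }
    }

    /** Returns a description of the first violation, or null if the item passes. */
    static String findViolation(ItemStack item) {
        if (item == null) return null;
        for (Map.Entry<Enchantment, Integer> e : item.getEnchantments().entrySet()) {
            int level = e.getValue();
            if (level < MIN_LEVEL || level > MAX_LEVEL) { // covers negative levels too
                return "enchantment " + e.getKey().getName() + " at level " + level;
            }
        }
        if (item.hasItemMeta()) {
            ItemMeta meta = item.getItemMeta();
            if (meta.hasDisplayName() && meta.getDisplayName().length() > MAX_NAME_LENGTH) {
                return "display name longer than " + MAX_NAME_LENGTH + " characters";
            }
            if (meta.hasLore() && meta.getLore().size() > MAX_LORE_LINES) {
                return "more than " + MAX_LORE_LINES + " lore lines";
            }
        }
        return null;
    }
}
```

The same `findViolation` check could be reused from pickup, drop or death-drop handlers, which is the alternative to constant inventory scanning raised above.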

MyPictures commented 8 years ago

asofold: "Highest voted ticket for a long time - unfortunately we are struggling with the basic cheats still (move/fly/fight)."

RoboMWM commented 8 years ago

FWIW this plugin can stop such, and nicely logs it too: https://www.spigotmc.org/resources/creativeitemcontrol.9471/

asofold commented 8 years ago

Looks good.