search

PaperMC / Paper

The most widely used, high performance Minecraft server that aims to fix gameplay and mechanics inconsistencies
https://papermc.io/
Other
9.67k stars 2.25k forks source link

hoverEvent action show_entity with invalid UUID will crash server #7013

Closed ghost closed 2 years ago

ghost commented 2 years ago

Stack trace

https://paste.gg/p/anonymous/6f4c32bd43f74b7e9eb2ef3d2038fc84

Plugin and Datapack List

[01:32:24 INFO]: Plugins (0):

[01:32:26 INFO]: There are 2 data packs enabled: [vanilla (built-in)], [file/bukkit (world)] [01:32:26 INFO]: There are no more data packs available

Actions to reproduce (if known)

/minecraft:item replace entity @s armor.head with minecraft:written_book{pages: ['{"text":"test","hoverEvent":{"action":"show_entity","contents":{"id":"[][","type":"minecraft:player"}}}']}

Paper version

[01:35:52 INFO]: Checking version, please wait... [01:35:52 INFO]: This server is running Paper version git-Paper-391 (MC: 1.17.1) (Implementing API version 1.17.1-R0.1-SNAPSHOT) (Git: 3e73355 on ver/1.17.1) You are running the latest version

Other

No response

Machine-Maker commented 2 years ago

This almost certainly happens on vanilla right?

Is there is any way to get this without the /give command?

electronicboy commented 2 years ago

vanilla touches this stuff less so it's possible stuff like this gets by, but, am not sure we can really prevent invalid data causing issues, especially when explicitly created; Ideally this is stuff caught early into creation given that my solution for cases like this would be to just delete such broken items, and I'm not sure I want the perf cost or maintantence debt of that dangling over us

ghost commented 2 years ago

This almost certainly happens on vanilla right?

Is there is any way to get this without the /give command?

You can use a saved hotbar on creative mode, but the server will kick you with "Packet processing error" if you try to place it on your actual inventory.

Machine-Maker commented 2 years ago

See the problem with that is, there are about 1000 ways to abuse creative mode on servers. Creative mode is pretty broken, and going around trying to hack a fix to all the issues from the server's side isn't really tenable.

VideoGameSmash12 commented 2 years ago

Just out of curiosity, where'd you find this? I recall I saw something of this nature a while ago.

ghost commented 2 years ago

Just out of curiosity, where'd you find this? I recall I saw something of this nature a while ago.

It was being abused on a free op anarchy server I was playing on.

ping5001 commented 2 years ago

It was being abused on a free op anarchy server I was playing on.

its FREE OP anarchy, people come solely to break Minecraft in some ways

VideoGameSmash12 commented 2 years ago

Just out of curiosity, where'd you find this? I recall I saw something of this nature a while ago.

It was being abused on a free op anarchy server I was playing on.

I was afraid of that. I created the exploit originally in July, though I never used it for anything malicious (I primarily used it for administrative purposes) but I know others have used it maliciously before. It's worth noting that the actual client is vulnerable to this exploit as well in a much more severe fashion. Versions of Minecraft (client and server) 1.16.x to 1.18 are affected by this.

ghost commented 2 years ago

It was being abused on a free op anarchy server I was playing on.

its FREE OP anarchy, people come solely to break Minecraft in some ways

Not really, no. People who break Minecraft on these servers are a loud minority solely due to the nature of their actions. Most people just find enjoyment in the freedom of alike servers.

ghost commented 2 years ago

Just out of curiosity, where'd you find this? I recall I saw something of this nature a while ago.

It was being abused on a free op anarchy server I was playing on.

I was afraid of that. I created the exploit originally in July, though I never used it for anything malicious (I primarily used it for administrative purposes) but I know others have used it maliciously before. It's worth noting that the actual client is vulnerable to this exploit as well in a much more severe fashion. Versions of Minecraft (client and server) 1.16.x to 1.18 are affected by this.

I believe a variation of this exploit exists on bedrock edition, however it's hard to say if that originated from you or not.

ghost commented 2 years ago

See the problem with that is, there are about 1000 ways to abuse creative mode on servers. Creative mode is pretty broken, and going around trying to hack a fix to all the issues from the server's side isn't really tenable.

Shouldn't we at least make a reasonable attempt to patch these exploits, if possible?

0x4D2D commented 2 years ago

Shouldn't we at least make a reasonable attempt to patch these exploits, if possible?

no

fartdev commented 2 years ago

Just out of curiosity, where'd you find this? I recall I saw something of this nature a while ago.

It was being abused on a free op anarchy server I was playing on.

You mean that you develop for? You have some repositories related to one such server

VideoGameSmash12 commented 2 years ago

Just out of curiosity, where'd you find this? I recall I saw something of this nature a while ago.

It was being abused on a free op anarchy server I was playing on.

I was afraid of that. I created the exploit originally in July, though I never used it for anything malicious (I primarily used it for administrative purposes) but I know others have used it maliciously before. It's worth noting that the actual client is vulnerable to this exploit as well in a much more severe fashion. Versions of Minecraft (client and server) 1.16.x to 1.18 are affected by this.

I believe a variation of this exploit exists on bedrock edition, however it's hard to say if that originated from you or not.

I didn't create the Bedrock variant, only the Java variant. The very first variant of the exploit was a Java-specific one, and this is the component I had it as: {"text":"fuck","hoverEvent":{"action":"show_entity","contents":{"id":"f97c0d7b-6413-4558-a409-88f09a8f9adb[][][][][][][]][][][","type":"minecraft:player"}}}

ghost commented 2 years ago

Shouldn't we at least make a reasonable attempt to patch these exploits, if possible?

no

Aren't you one of the people abusing this exploit? You have some repositories on your profile related to minecraft cheats, and crash exploits.

Just out of curiosity, where'd you find this? I recall I saw something of this nature a while ago.

It was being abused on a free op anarchy server I was playing on.

You mean that you develop for? You have some repositories related to one such server

I occasionally make pull requests for the server, but I wouldn't consider myself a developer for the server.

e-im commented 2 years ago

reference #7011