QuickShop-Community / QuickShop-Hikari

QuickShop is a shop plugin that allows players to easily sell/buy any items from a chest without any commands. In fact, none of the commands that QuickShop provides are ever needed by a player.
https://modrinth.com/plugin/quickshop-hikari
GNU General Public License v3.0

[BUG] 1.21 Console Error #1632

Closed Dinos3396 closed 1 month ago

Dinos3396 commented 2 months ago

Description

https://mclo.gs/DjHPAaG

Steps to reproduce

Use 1.21 paper server and latest QuickShop maybe.

Expected Behaviour

No error.

Screenshots

Hhhhmmmm

/quickshop paste URL

https://mclo.gs/FHN0fLE

Additional Context

No response

YuanYuanOwO commented 2 months ago

Please disable the quickshop.history permission node until the dev patches it.
If you are using LuckPerms, just set the permission node to false.
/lp group default permission set quickshop.history false

PonderFox0643 commented 2 months ago

> Please disable the quickshop.history permission node until the dev patches it. If you are using LuckPerms, just set the permission node to false. /lp group default permission set quickshop.history false

@YuanYuanOwO I had disabled the quickshop.history permission node in LuckPerms, but it does not work. (Paper version 1.21-40-master@b45d9b6)

YuanYuanOwO commented 2 months ago

> > Please disable the quickshop.history permission node until the dev patches it. If you are using LuckPerms, just set the permission node to false. /lp group default permission set quickshop.history false
>
> @YuanYuanOwO I had disabled the quickshop.history permission node in LuckPerms, but it does not work. (Paper version 1.21-40-master@b45d9b6)

Known issue; waiting for the dev to fix this.

quiquelhappy commented 2 months ago

@Ghost-chu this can be used to exploit items out of the history tab, which is bad because it features diamonds on it by default on its GUI. Some owners are unaware of this exploit. Although you can easily disable its permission node to get rid of the feature, we would love to see a more permanent fix.

YuanYuanOwO commented 2 months ago

> @Ghost-chu this can be used to exploit items out of the history tab, which is bad because it features diamonds on it by default on its GUI. Some owners are unaware of this exploit. Although you can easily disable its permission node to get rid of the feature, we would love to see a more permanent fix.

Sorry, but Ghost-chu is no longer in charge of QuickShop-Hikari development, which is now handled by creatorfromhell

quiquelhappy commented 2 months ago

gotcha. pinging because this is what I would consider to be an important exploit that should be resolved asap. @creatorfromhell

Ghost-chu commented 2 months ago

I'm no longer actively developing QuickShop-Hikari, please contact @creatorfromhell

------------------ Original ------------------
Date: Tuesday, July 9, 2024, 2:57 PM
Subject: Re: [QuickShop-Community/QuickShop-Hikari] [BUG] 1.21 Console Error (Issue #1632)

> @Ghost-chu this can be used to exploit items out of the history tab, which is bad because it features diamonds on it by default on its GUI. Some owners are unaware of this exploit. Although you can easily disable its permission node to get rid of the feature, we would love to see a more permanent fix.


creatorfromhell commented 2 months ago

> gotcha. pinging because this is what I would consider to be an important exploit that should be resolved asap. @creatorfromhell

Will fix when I have time. For now, change permissions to disable their ability to access.

MoNoLidThZ commented 2 months ago

This is the working PoC for the exploit https://youtu.be/RMAiCLi51_w

Will make the video public once the dev team has patched it.

YuanYuanOwO commented 2 months ago

> This is the working PoC for the exploit https://youtu.be/RMAiCLi51_w
>
> Will make the video public once the dev team has patched it.

Already aware of this issue.
Please upgrade QuickShop-Hikari to the dev build.

VermiumSifell commented 2 months ago

The new dev build seems to disable history completely. Or am I installing the wrong version? https://ci.codemc.io/job/Ghost-chu/job/QuickShop-Hikari-SNAPSHOT/lastSuccessfulBuild/artifact/quickshop-bukkit/target/

YuanYuanOwO commented 2 months ago

> The new dev build seems to disable history completely. Or am I installing the wrong version? https://ci.codemc.io/job/Ghost-chu/job/QuickShop-Hikari-SNAPSHOT/lastSuccessfulBuild/artifact/quickshop-bukkit/target/

Temporarily disabled the history feature until the dev patches it. Waiting for the dev fix.

VermiumSifell commented 2 months ago

Ah I see