nijikokun / iConomy3

Please, if you fork iConomy only do so if you are really fixing or adding something useful!

[BUG][4.1] NPE on inverted parameters #12

Open ShadowDrakken opened 13 years ago

ShadowDrakken commented 13 years ago

Need to validate user input... this bug also leads to a potential SQL security issue

Quoted from Napier (via Bukkit forums)

Just as a minor note, the following invalid command produces the below error. In an event where a user inadvertently switches the variables (which I just did).

/money grant 100 [player]

Code:

2011-02-28 03:08:13 [SEVERE] java.lang.NullPointerException
2011-02-28 03:08:13 [SEVERE]     at com.nijiko.coelho.iConomy.util.Messaging.argument(Messaging.java:51)
2011-02-28 03:08:13 [SEVERE]     at com.nijiko.coelho.iConomy.util.Template.parse(Template.java:49)
2011-02-28 03:08:13 [SEVERE]     at com.nijiko.coelho.iConomy.entity.iPlayerListener.onPlayerCommand(iPlayerListener.java:512)
2011-02-28 03:08:13 [SEVERE]     at com.nijiko.coelho.iConomy.iConomy.onCommand(iConomy.java:133)
2011-02-28 03:08:13 [SEVERE]     at org.bukkit.command.PluginCommand.execute(PluginCommand.java:19)
2011-02-28 03:08:13 [SEVERE]     at org.bukkit.command.SimpleCommandMap.dispatch(SimpleCommandMap.java:77)
2011-02-28 03:08:13 [SEVERE]     at org.bukkit.craftbukkit.CraftServer.dispatchCommand(CraftServer.java:176)
2011-02-28 03:08:13 [SEVERE]     at net.minecraft.server.NetServerHandler.c(NetServerHandler.java:638)
2011-02-28 03:08:13 [SEVERE]     at net.minecraft.server.NetServerHandler.chat(NetServerHandler.java:601)
2011-02-28 03:08:13 [SEVERE]     at net.minecraft.server.NetServerHandler.a(NetServerHandler.java:595)
2011-02-28 03:08:13 [SEVERE]     at net.minecraft.server.Packet3Chat.a(SourceFile:24)
2011-02-28 03:08:13 [SEVERE]     at net.minecraft.server.NetworkManager.a(SourceFile:230)
2011-02-28 03:08:13 [SEVERE]     at net.minecraft.server.NetServerHandler.a(NetServerHandler.java:70)
2011-02-28 03:08:13 [SEVERE]     at net.minecraft.server.NetworkListenThread.a(SourceFile:100)
2011-02-28 03:08:13 [SEVERE]     at net.minecraft.server.MinecraftServer.h(MinecraftServer.java:338)
2011-02-28 03:08:13 [SEVERE]     at net.minecraft.server.MinecraftServer.run(MinecraftServer.java:253)
2011-02-28 03:08:13 [SEVERE]     at net.minecraft.server.ThreadServerApplication.run(SourceFile:36

nijikokun commented 13 years ago

It's not an SQL injection issue, everything is stripped out correctly and parsed as required, but I will look into that.
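
Added example, not part of the thread and not iConomy's own code: one way to validate the arguments of `/money grant` before they reach message templating or the database, so that inverted parameters produce a usage message instead of a NullPointerException. The class `GrantArgsDemo`, the `parse` method, the name and amount patterns, the `<player> <amount>` argument order and the message strings are all assumptions made for illustration.

```java
import java.math.BigDecimal;
import java.util.regex.Pattern;

class GrantArgsDemo {
    // Assumption: account names are 3-16 characters of letters, digits or underscore.
    private static final Pattern NAME = Pattern.compile("[A-Za-z0-9_]{3,16}");
    // Assumption: amounts are plain decimals with at most two fraction digits.
    private static final Pattern AMOUNT = Pattern.compile("\\d{1,9}(\\.\\d{1,2})?");
    private static final String USAGE = "Usage: /money grant <player> <amount>";

    /** Validated arguments; only parse() creates instances. */
    static final class GrantArgs {
        final String player;
        final BigDecimal amount;
        GrantArgs(String player, BigDecimal amount) { this.player = player; this.amount = amount; }
    }

    /** Returns validated arguments or throws IllegalArgumentException with a user-facing message. */
    static GrantArgs parse(String[] args) {
        if (args == null || args.length != 2 || args[0] == null || args[1] == null)
            throw new IllegalArgumentException(USAGE);
        String first = args[0], second = args[1];
        // Inverted order: the first token is a number and the second is not.
        if (AMOUNT.matcher(first).matches() && !AMOUNT.matcher(second).matches())
            throw new IllegalArgumentException("Arguments look swapped. " + USAGE);
        if (!NAME.matcher(first).matches())
            throw new IllegalArgumentException("Invalid player name. " + USAGE);
        if (!AMOUNT.matcher(second).matches())
            throw new IllegalArgumentException("Invalid amount. " + USAGE);
        BigDecimal amount = new BigDecimal(second);
        if (amount.signum() <= 0)
            throw new IllegalArgumentException("Amount must be greater than zero.");
        // Even after validation, hand both values to the database as bound
        // parameters (java.sql.PreparedStatement), never by string concatenation.
        return new GrantArgs(first, amount);
    }

    public static void main(String[] ignored) {
        // Constructed sample inputs; the first is the inverted command from the report.
        String[][] samples = { {"100", "[player]"}, {"Napier", "100"}, {"Napier", "ten"}, {"Napier"} };
        for (String[] s : samples) {
            try {
                GrantArgs g = parse(s);
                System.out.println("OK     " + g.player + " <- " + g.amount);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + String.join(" ", s) + " : " + e.getMessage());
            }
        }
    }
}
```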