xmamo / VanillaVotifier

Votifier plugin, but for Minecraft vanilla!
https://mamo.dev/vanillavotifier

Chat spam exploit #21

Closed zedwick closed 7 years ago

zedwick commented 7 years ago

We've only tested with some fairly simple chat insertions, but it is possible to spam the chat by adding \n or other symbols to names given to server lists.

hello\nhello \n hello

In theory, but again untested, it may be possible to break out of a tellraw and insert a clickable action to run other commands.

Could you add a filter to prevent these, or maybe allow for regex filtering so we can add our own filters for certain words, symbols or code?

xmamo commented 7 years ago

Currently, I'm not at home and I won't be able to work on this. I think I'll add regex filtering, as it is a great idea. In the meantime you can avoid the problem by executing a shell script instead of sending RCon commands (for example by using sed), but then you would have to be very careful about script injection...

xmamo commented 7 years ago

Hello, I just wanted to tell you I finally got some time to complete your request. The feature is ready now, but I want to fix some old stuff before releasing a new version. Sorry for making you wait so long!

xmamo commented 7 years ago

Ok, I released a new version. Here's a really simple example of some regex-filtering you might want to use, which replaces all \ with \\:

```yaml
# [...]

# A list of actions to perform as soon as somebody votes for your server.
on-vote:
  # Sends one or more commands to a Minecraft RCon server.
  - action: 'rcon'
    # The IP address, port, and password of the RCon server.
    # Using a local IP address should be preferred, since the RCon protocol requires passwords to be sent as plaintext.
    server:
      ip: '0.0.0.0'
      port: 25575
      password: 'password'

    # The commands to send to the RCon server.
    # "${service-name}" will be replaced with the service the player has voted on (for example MCSL).
    # "${user-name}" will be replaced with the IGN of the player.
    # "${address}" will be replaced with the player's IP address.
    # "${timestamp}" will be replaced with the time stamp in which the player has voted. Format may vary depending on voting service.
    #
    # It is not recommended to use commands such as "give", "effect", etc., since they wouldn't work if the player is offline.
    # Instead, set a certain score (using the "scoreboard players set <player> <objective> <score> [dataTag]" command) and handle rewarding through an ingame Command Block clock which is always loaded.
    commands:
      - 'tellraw @a {"text":"${user-name} has just voted for this server on ${service-name}. Thanks!","color":"yellow"}'
      - 'scoreboard players add ${user-name} voted 1'

    regex-replace:
      '\\': '\\\\'
```

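What the regex-replace filter above does to a vote's placeholder values, as an added Python example (this is not the plugin's own Java code). It applies the page's backslash rule and, as assumptions about what a fuller filter needs for a tellraw JSON component, a quote rule and a newline rule, then checks whether the substituted command still parses as a single text component; the names `sanitize`, `build_command` and `parse_tellraw` are hypothetical.

```python
import json
import re

# Ordered (pattern, replacement) pairs in the spirit of the config's
# "regex-replace" mapping. The backslash rule is the one from the config;
# the quote and newline rules are assumptions added here. Order matters:
# backslashes must be escaped before the quote rule introduces new ones.
REGEX_REPLACE = [
    (r'\\', r'\\\\'),     # \        -> \\
    (r'"', r'\\"'),       # "        -> \"
    (r'\r?\n', ' '),      # newline  -> space (no multi-line chat spam)
]

# The tellraw command from the config, with its two placeholders.
COMMAND_TEMPLATE = ('tellraw @a {"text":"${user-name} has just voted for this '
                    'server on ${service-name}. Thanks!","color":"yellow"}')


def sanitize(value, filters=REGEX_REPLACE):
    """Apply every regex replacement in turn to one placeholder value."""
    for pattern, repl in filters:
        value = re.sub(pattern, repl, value)
    return value


def build_command(template, placeholders, filters=REGEX_REPLACE):
    """Substitute sanitized values for "${name}" placeholders in a command."""
    cmd = template
    for name, raw in placeholders.items():
        cmd = cmd.replace('${' + name + '}', sanitize(raw, filters))
    return cmd


def parse_tellraw(cmd):
    """Return the JSON text component a tellraw command carries, or None if
    the substituted value broke the JSON (json.loads rejects raw control
    characters such as a bare newline inside a string)."""
    prefix = 'tellraw @a '
    if not cmd.startswith(prefix):
        return None
    try:
        component = json.loads(cmd[len(prefix):])
    except ValueError:
        return None
    if isinstance(component, dict) and set(component) == {'text', 'color'}:
        return component
    return None


if __name__ == '__main__':
    # Constructed sample name of the kind reported in this issue.
    votes = {'user-name': 'hello\nhello \n hello', 'service-name': 'MCSL'}
    print(parse_tellraw(build_command(COMMAND_TEMPLATE, votes)))
    print(parse_tellraw(build_command(COMMAND_TEMPLATE, votes, filters=[])))
```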
zedwick commented 7 years ago

Thanks, I'll be testing this soon!