Players in database are stored too early
Maxetto opened this issue ยท 9 comments
Issue report
Tell us about your environment
5 Servers
BoNeMEAL Web Application
MySQL 5.6
-
Server Software:
Spigot -
Server Version:
1.8.8 -
BanManager Version:
5.13.1 -
Online/Offline mode:
Offline Mode -
Bungeecoord online/offline mode (if applicable):
Offline Mode
BanManager config.yml:
#
# Aliases will be found and blocked automatically, e.g. msg will block tell
debug: false
databases:
local:
enabled: true
host: 127.0.0.1
port: 3306
name: bans
user: username
password: password
maxConnections: 10
leakDetection: 3000
tables:
players: hub__bm_players
playerBans: hub__bm_player_bans
playerBanRecords: hub__bm_player_ban_records
playerMutes: hub__bm_player_mutes
playerMuteRecords: hub__bm_player_mute_records
playerKicks: hub__bm_player_kicks
playerNotes: hub__bm_player_notes
playerHistory: hub__bm_player_history
playerReports: hub__bm_player_reports
playerReportLocations: hub__bm_player_report_locations
playerReportStates: hub__bm_player_report_states
playerReportCommands: hub__bm_player_report_commands
playerReportComments: hub__bm_player_report_comments
playerWarnings: hub__bm_player_warnings
ipBans: hub__bm_ip_bans
ipBanRecords: hub__bm_ip_ban_records
ipMutes: hub__bm_ip_mutes
ipMuteRecords: hub__bm_ip_mute_records
ipRangeBans: hub__bm_ip_range_bans
ipRangeBanRecords: hub__bm_ip_range_ban_records
rollbacks: hub__bm_rollbacks
nameBans: hub__bm_name_bans
nameBanRecords: hub__bm_name_ban_records
global:
enabled: true
host: 127.0.0.1
port: 3306
name: bans
user: username
password: password
maxConnections: 10
leakDetection: 3000
tables:
playerBans: bm_player_ban_all
playerUnbans: bm_player_unban_all
playerMutes: bm_player_mute_all
playerUnmutes: bm_player_unmute_all
playerNotes: bm_player_note_all
ipBans: bm_ip_ban_all
ipUnbans: bm_ip_unban_all
mutedCommandBlacklist:
- msg
softMutedCommandBlacklist:
- msg
duplicateIpCheck: true
bypassDuplicateChecks:
- 0.0.0.0
- 127.0.0.1
logKicks: true
logIps: false
displayNotifications: true
broadcastOnSync: true
timeLimits: {}
reportCooldown: 300
warningCooldown: 60
warningActions:
enabled: true
actions:
'1':
- cmd: tempbanall [player] 7d [reason]
'2':
- cmd: tempbanall [player] 14d [reason]
'3':
- cmd: banall [player] [reason]
warningMute: false
hooks:
enabled: true
events:
ban:
post:
- cmd: banip [player] [reason]
tempban:
post:
- cmd: tempbanip [player] [expires] [reason]
unban:
pre:
- cmd: unbanip [player]
checkForUpdates: false
offlineAutoComplete: false
punishAlts: false
denyAlts: true
cleanUp:
kicks: 30
banRecords: 730
ipBanRecords: 730
ipMuteRecords: 90
muteRecords: 90
readWarnings: 180
unreadWarnings: 180
maxOnlinePerIp: 0
checkOnJoin: true
createNoteReasons: false
onlineMode: false
chatPriority: normal
Describe your issue:
Database player records are stored too early (during AsyncPlayerPreLoginEvent) and this means, in Offline Mode servers, that there are impossible player names in the database (not alphanumeric + underscore). Expecially spaces in player names makes the plugin show "duplicate record found" when the real name joins the server.
How to replicate:
Join the server with an impossible nickname in Offline Mode with AuthMe Reloaded.
You should get kicked for invalid characters.
Check the BanManager player table, your name should appear even if it's useless since you couldn't join the server.
Further information:
I'd suggest to use PlayerJoinEvent for creating the player record or make an option for it.
Debug mode doesn't seem to work for me. I tried activating it and doing "/bmreload" and also reloading the plugin via PlugMan. I didn't try a full reboot but I don't think it would change much.
The error it prints it's the same I posted before.
HIGHEST PRIORITY:
This could lead to Blind SQL Injection whether you use ' inside Player Names!
@confuser
@Maxetto The inserts are parameterised. It shouldn't be possible to perform an SQL injection.
[11:13:22] [Thread-719021/WARN]: com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'creed'' at line 1
[11:13:22] [Thread-719021/WARN]: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[11:13:22] [Thread-719021/WARN]: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
[11:13:22] [Thread-719021/WARN]: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
[11:13:22] [Thread-719021/WARN]: at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
[11:13:22] [Thread-719021/WARN]: at com.mysql.jdbc.Util.handleNewInstance(Util.java:407)
[11:13:22] [Thread-719021/WARN]: at com.mysql.jdbc.Util.getInstance(Util.java:382)
[11:13:22] [Thread-719021/WARN]: at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:1052)
[11:13:22] [Thread-719021/WARN]: at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3593)
[11:13:22] [Thread-719021/WARN]: at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3525)
[11:13:22] [Thread-719021/WARN]: at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:1986)
[11:13:22] [Thread-719021/WARN]: at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2140)
[11:13:22] [Thread-719021/WARN]: at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2626)
[11:13:22] [Thread-719021/WARN]: at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:2111)
[11:13:22] [Thread-719021/WARN]: at com.mysql.jdbc.PreparedStatement.executeQuery(PreparedStatement.java:2273)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.internal.hikari.pool.ProxyPreparedStatement.executeQuery(ProxyPreparedStatement.java:52)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.internal.hikari.pool.HikariProxyPreparedStatement.executeQuery(HikariProxyPreparedStatement.java)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.internal.ormlite.jdbc.JdbcCompiledStatement.runQuery(JdbcCompiledStatement.java:55)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.internal.ormlite.stmt.SelectIterator.<init>(SelectIterator.java:55)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.internal.ormlite.stmt.StatementExecutor.buildIterator(StatementExecutor.java:247)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.internal.ormlite.stmt.StatementExecutor.query(StatementExecutor.java:196)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.internal.ormlite.dao.BaseDaoImpl.query(BaseDaoImpl.java:265)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.internal.ormlite.stmt.QueryBuilder.query(QueryBuilder.java:361)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.internal.ormlite.stmt.Where.query(Where.java:503)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.internal.ormlite.dao.BaseDaoImpl.queryForEq(BaseDaoImpl.java:245)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.storage.PlayerStorage.createOrUpdate(PlayerStorage.java:101)
[11:13:22] [Thread-719021/WARN]: at me.confuser.banmanager.listeners.JoinListener.onJoin(JoinListener.java:227)
[11:13:22] [Thread-719021/WARN]: at sun.reflect.GeneratedMethodAccessor103.invoke(Unknown Source)
[11:13:22] [Thread-719021/WARN]: at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[11:13:22] [Thread-719021/WARN]: at java.lang.reflect.Method.invoke(Method.java:498)
[11:13:22] [Thread-719021/WARN]: at org.bukkit.plugin.java.JavaPluginLoader$1.execute(JavaPluginLoader.java:300)
[11:13:22] [Thread-719021/WARN]: at co.aikar.timings.TimedEventExecutor.execute(TimedEventExecutor.java:74)
[11:13:22] [Thread-719021/WARN]: at org.bukkit.plugin.RegisteredListener.callEvent(RegisteredListener.java:62)
[11:13:22] [Thread-719021/WARN]: at org.bukkit.plugin.SimplePluginManager.fireEvent(SimplePluginManager.java:517)
[11:13:22] [Thread-719021/WARN]: at org.bukkit.plugin.SimplePluginManager.callEvent(SimplePluginManager.java:499)
[11:13:22] [Thread-719021/WARN]: at net.minecraft.server.v1_8_R3.LoginListener$LoginHandler.fireEvents(LoginListener.java:248)
[11:13:22] [Thread-719021/WARN]: at net.minecraft.server.v1_8_R3.LoginListener$2.run(LoginListener.java:172)
[11:13:22] [Thread-719021/WARN]: at java.lang.Thread.run(Thread.java:745)
[11:13:22] [Thread-719021/INFO]: UUID of player Assasins'creed is 36356985-a2c1-33cd-b053-e411d5b43b56
I don't know much about SQLi, but this seems a valid case (in a web page it would have printed error 500)
Can you enable debug mode? Setting in config.yml
There will be a lot of noise, but it should output the query. Could be an issue with ORMLite, or the offline UUID generator might be generating an invalid value.
Thanks. Looks like ORMLite requires wrapping these kind of queries in a SelectArg
class for some reason. I'll try and prioritise this. Happy to accept a PR if anyone feels up to it.