[1.9-1.16] Custom Recipes and Crafting (CraftEnhance)

[1.9-1.16] Custom Recipes and Crafting (CraftEnhance)

44.3k Downloads

Recipe Viewer dupe (PaperSpigot 1.12.2)

spannercodes opened this issue ยท 6 comments

commented

A member of our server has found a way to take items from the recipe viewer without the event being cancelled: https://www.youtube.com/watch?v=W_thTK5UDoc
They are double clicking on a copy of the item in their inventory, which collects the item without triggering an InventoryClickEvent. It's also likely that hacked clients are able to do this without the need for a copy of the item.

This might be fixed by listening for InventoryInteractEvent instead of InventoryClickEvent, and then parsing the event information so that it follows the same process. This time, when the event is cancelled, it should also cancel the event when a player tries to do this dupe.

I'll work on a pull request for this, but I'm posting an issue in case any others have a better solution, or if mine doesn't work.

commented

I want to make sure that this is fixed as soon as possible. Thanks for reporting it, and sorry for the vulnerability.

Are you sure that no exceptions are raised? It's registering my duping attempts as clicks, meaning that they're cancelled. So maybe an exception is crashing the event handling making it not cancel. This could be solved with a try-catch-finally block.

Also, the InventoryInteractEvent is merely an abstract class, meaning that there are only implementations of child classes that use that event. Unfortunately I can't even get the glitch to work on my testing server, so I can't really test what event has to be handled to fix it.

commented

Alright, I've tested this again on a local server, and it works the same. No exceptions are raised. The way I'm doing it if the video was unclear, is having one of the item in the inventory, and then double clicking on it.

As for the event, yeah, I'm not particularly sure what it is that needs to be used, I've never worked with inventories before. I was just wondering if it's possible to cancel all interact events, then figure was also a click event, then decide what to do from that. But I don't know if that's possible / how it even works.

commented

Oh so you are able to reproduce it on a testserver? If so, what is the minecraft version of your server, and what api are you using (spigot, paperspigot, bukkit)? I would really like to also be able to reproduce this so I can work on a fix.

Maybe you could also try to look what events are fireing when you doubleclick; that would really help me in fixing this. Or you could just make your own pull request to help, if you can fix it yourself.

commented

The test server is Spigot 1.12.2
This server is running CraftBukkit version git-Spigot-79a30d7-acbc348 (MC: 1.12.2)
The actual server is Paper Spigot 1.12.2 (I can't currently get any more info on what specific build)

How would I check which events are firing? And yeah I'll recompile and see if I can make any changes

commented

You simply add all events in one Listener class and log some message when it's fired. So for example:

//You can simply add or modify these events in ``EventClass``

@EventHandler
void onClick(PlayerCLickEvent e){
   System.out.println("click event triggered");
} 

@EventHandler
void onMove(PlayerMoveItemEvent e){ //I don't know if this one exists for sure, it's just an example
   System.out.println("moveitem even triggered");
}

I still haven't been able to reproduce this glitch, so let me know if you find the cause of this. Thanks again for wanting to help :). You are one of the few people that actually understands that I made this plugin open source for this exact reason.

commented

Ah-ha! I've recompiled from source and it's cancelling all inventory events; it's impossible to dupe. I checked again and the public download doesn't do this, allowing for the dupe, despite them having the same version number. I'll close the issue since it's technically fixed, but you need to update your downloads (or at least for 1.12.2?)
In the meantime, I'll just upload the version I compiled to my server. Sorry if this was a waste of your time, hopefully it will save some servers' economies though :(