/trapped gives ability to grief
Owehttamy opened this issue · 2 comments
Observed Behavior
Untrusted players gain ability to modify claims during the countdown after executing /trapped
.
Admittedly, I have not tried this with only GP installed, but some users have noticed an issue, and there should probably be some incompatibility error put into place if another plugins is causing the issue.
Expected Behavior
Untrusted players shouldn't be able to modify claims no matter if they're trapped or not.
Reproduction steps
- Find a claim you don't have permissions in.
- Look around for some blocks you want to break inside the claim and look at them.
- Execute
/trapped
. - Break the blocks.
- Profit.
Stack trace or error log
No response
Server version
This server is running Paper version git-Paper-376 (MC: 1.19.3) (Implementing API version 1.19.3-R0.1-SNAPSHOT) (Git: 1719345)
You are 4 version(s) behind
GriefPrevention version
GriefPrevention version 16.18
Configuration
# Default values are perfect for most servers. If you want to customize and have a question, look for the answer here first: http://dev.bukkit.org/bukkit-plugins/grief-prevention/pages/setup-and-configuration/
GriefPrevention:
SeaLevelOverrides:
world: -1
world_nether: -1
world_the_end: -1
Claims:
Mode:
world_nether: Disabled
world: Survival
world_the_end: Disabled
PreventGlobalMonsterEggs: true
PreventTheft: true
ProtectCreatures: true
PreventButtonsSwitches: true
LockWoodenDoors: false
LockTrapDoors: false
LockFenceGates: true
EnderPearlsRequireAccessTrust: true
RaidTriggersRequireBuildTrust: true
ProtectHorses: true
ProtectDonkeys: true
ProtectLlamas: true
InitialBlocks: 100
Claim Blocks Accrued Per Hour:
Default: 100
Max Accrued Claim Blocks:
Default: 100000
Accrued Idle Threshold: 0
AccruedIdlePercent: 0
AbandonReturnRatio: 1.0
AutomaticNewPlayerClaimsRadius: 4
AutomaticNewPlayerClaimsRadiusMinimum: 0
ExtendIntoGroundDistance: 5
MinimumWidth: 5
MinimumArea: 100
MaximumDepth: -2147483648
InvestigationTool: STICK
ModificationTool: GOLDEN_SHOVEL
Expiration:
ChestClaimDays: 7
UnusedClaimDays: 14
AllClaims:
DaysInactive: 60
ExceptWhenOwnerHasTotalClaimBlocks: 10000
ExceptWhenOwnerHasBonusClaimBlocks: 5000
AutomaticNatureRestoration:
SurvivalWorlds: false
AllowTrappedInAdminClaims: false
MaximumNumberOfClaimsPerPlayer: 0
CreationRequiresWorldGuardBuildPermission: true
VillagerTradingRequiresPermission: true
CommandsRequiringAccessTrust: /sethome
DeliverManuals: true
ManualDeliveryDelaySeconds: 30
RavagersBreakBlocks: true
FireSpreadsInClaims: false
FireDamagesInClaims: false
LecternReadingRequiresAccessTrust: true
Spam:
Enabled: false
LoginCooldownSeconds: 0
LoginLogoutNotificationsPerMinute: 0
ChatSlashCommands: /me;/global;/local
WhisperSlashCommands: /tell;/pm;/r;/whisper;/msg
WarningMessage: Please reduce your noise level. Spammers will be banned.
BanOffenders: true
BanMessage: Banned for spam.
AllowedIpAddresses: 1.2.3.4; 5.6.7.8
DeathMessageCooldownSeconds: 0
Logout Message Delay In Seconds: 0
PvP:
RulesEnabledInWorld:
world: true
world_nether: true
world_the_end: true
ProtectFreshSpawns: false
PunishLogout: false
CombatTimeoutSeconds: 0
AllowCombatItemDrop: false
BlockedSlashCommands: /home;/vanish;/spawn;/tpa
ProtectPlayersInLandClaims:
PlayerOwnedClaims: true
AdministrativeClaims: true
AdministrativeSubdivisions: true
AllowLavaDumpingNearOtherPlayers:
PvPWorlds: true
NonPvPWorlds: false
AllowFlintAndSteelNearOtherPlayers:
PvPWorlds: true
NonPvPWorlds: false
ProtectPetsOutsideLandClaims: false
Economy:
ClaimBlocksMaxBonus: 0
ClaimBlocksPurchaseCost: 0.0
ClaimBlocksSellValue: 0.0
ProtectItemsDroppedOnDeath:
PvPWorlds: false
NonPvPWorlds: true
BlockLandClaimExplosions: true
BlockSurfaceCreeperExplosions: true
BlockSurfaceOtherExplosions: true
LimitSkyTrees: true
LimitTreeGrowth: false
PistonMovement: CLAIMS_ONLY
PistonExplosionSound: true
FireSpreads: false
FireDestroys: false
AdminsGetWhispers: false
AdminsGetSignNotifications: true
VisualizationAntiCheatCompatMode: false
SmartBan: true
Mute New Players Using Banned Words: true
MaxPlayersPerIpAddress: 3
SilenceBans: true
Siege:
Worlds: []
BreakableBlocks:
- GRASS_BLOCK
- DIRT
- COBBLESTONE
- OAK_PLANKS
- SPRUCE_PLANKS
- BIRCH_PLANKS
- JUNGLE_PLANKS
- ACACIA_PLANKS
- DARK_OAK_PLANKS
- SAND
- GRAVEL
- GLASS
- GRASS
- FERN
- DEAD_BUSH
- WHITE_WOOL
- ORANGE_WOOL
- MAGENTA_WOOL
- LIGHT_BLUE_WOOL
- YELLOW_WOOL
- LIME_WOOL
- PINK_WOOL
- GRAY_WOOL
- LIGHT_GRAY_WOOL
- CYAN_WOOL
- PURPLE_WOOL
- BLUE_WOOL
- BROWN_WOOL
- GREEN_WOOL
- RED_WOOL
- BLACK_WOOL
- SNOW
- GLASS_PANE
DoorsOpenDelayInSeconds: 300
CooldownEndInMinutes: 60
EndermenMoveBlocks: false
SilverfishBreakBlocks: false
CreaturesTrampleCrops: false
RabbitsEatCrops: true
HardModeZombiesBreakDoors: false
Database:
URL: ''
UserName: ''
Password: ''
UseBanCommand: false
BanCommandPattern: ban %name% %reason%
Advanced:
fixNegativeClaimblockAmounts: true
ClaimExpirationCheckRate: 60
OfflinePlayer_cache_days: 90
Abridged Logs:
Days To Keep: 7
Included Entry Types:
Social Activity: true
Suspicious Activity: true
Administrative Activity: false
Debug: false
Muted Chat Messages: false
Plugin list
Plugins (20): Chunky, CoreProtect, DiscordSRV, GPFlags, Graves, GriefPrevention, GSit, InteractiveChat, InteractiveChatDiscordSrvAddon, ItemSwapperPlugin, LetMeDespawn, LuckPerms, OpenInv, Orebfuscator, PlaceholderAPI, ProtocolLib, Vault, voicechat, WorldEdit, WorldGuard
Running without GriefPrevention
- I attempted running the server without GriefPrevention installed.
- The problem does not occur when GriefPrevention is removed from the server.
Running with only GriefPrevention
- I attempted running only GriefPrevention on the server.
- The issue still occurs when GriefPrevention is the only plugin running.
Running on a fresh, clean server installation
- I attempted testing for the issue on a new server.
- The issue still occurs on a new server.
Using unmodified client
- I attempted testing for the issue with the vanilla client.
- The issue still occurs when using the vanilla client.
We appreciate you taking the time to fill out a bug report!
- I searched for similar issues before submitting this bug report.
What was the issue?
I only got a report from one player who said they could consistently reproduce it. I, nor any other players could manage it, and when I asked to see the original reporter attempt the exploit, they would be conveniently unavailable. 🤷
With a basic understanding of how the plugin works, it sounds odd for something like "/trapped" to disregard all claim protections when all it does is just teleport the player.
Also, given the general implications of this potential exploit and its possible repercussions, I'm sure it would've already been found and rampantly abused.