WorldEdit for Bukkit

/cs allows execution of files outside of craftscripts dir

lorenzop opened this issue · 2 comments

commented

WorldEdit Version

7.2.7

Platform Version

spigot

Confirmations

  • I am using the most recent Minecraft release.
  • I am using a version of WorldEdit compatible with my Minecraft version.
  • I am using the latest or recommended version of my platform software.
  • I am NOT using a hybrid server, e.g. a server that combines Bukkit and Forge. Examples include Arclight, Mohist, and Cardboard.
  • I am NOT using a fork of WorldEdit, such as FastAsyncWorldEdit (FAWE) or AsyncWorldEdit (AWE)

Bug Description

The /cs command allows execution of files outside of the plugins/WorldEdit/craftscripts/ directory, any place on the server.

I assume this is a bug, as I don't see mention of this in any other issue tickets. Is this a desired behavior?

Expected Behavior

Deny access to files outside of plugins/WorldEdit/craftscripts/ dir

Reproduction Steps

  1. Place a test.js file (with contents or blank) into the plugins/WorldEdit/ directory
  2. Can run it with /cs ../test.js

Anything Else?

No response

commented

Oops, I am wrong. This is my mistake, I wasn't seeing an error in game, but now I am. Thank you for your great work on this plugin, I couldn't live without it.

commented

In the future, a public issue tracker is not the correct place to report supposed security issues.
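
The behaviour the issue expects (a script name such as ../test.js is refused because it resolves outside plugins/WorldEdit/craftscripts/) comes down to a path containment check. The following is an added example, not WorldEdit's code and not part of the thread; the class name ScriptPathCheck, the method resolveInside and the demo directory layout are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ScriptPathCheck {
    /**
     * Resolve a user-supplied script name against baseDir and return it only
     * if the result stays inside baseDir. Hypothetical helper for illustration.
     */
    static Path resolveInside(Path baseDir, String requested) throws IOException {
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() returns an absolute argument unchanged, so the containment
        // test below also rejects absolute paths; normalize() folds ".." away.
        Path candidate = base.resolve(requested).normalize();
        // Path.startsWith compares whole name elements, so a sibling such as
        // "craftscripts-old" does not count as being inside "craftscripts".
        if (!candidate.startsWith(base)) {
            throw new SecurityException("Path escapes script directory: " + requested);
        }
        // A symlink inside the directory can still point elsewhere: when the
        // file exists, compare the real (link-resolved) locations as well.
        if (Files.exists(candidate)
                && !candidate.toRealPath().startsWith(base.toRealPath())) {
            throw new SecurityException("Symlink escapes script directory: " + requested);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo layout in a temp directory, mirroring the issue:
        // ok.js inside craftscripts/, test.js one level up in WorldEdit/.
        Path base = Files.createTempDirectory("cs-demo")
                .resolve("plugins").resolve("WorldEdit").resolve("craftscripts");
        Files.createDirectories(base);
        Files.createFile(base.resolve("ok.js"));
        Files.createFile(base.getParent().resolve("test.js"));

        String[] names = {"ok.js", "sub/../ok.js", "../test.js", "/etc/passwd"};
        for (String name : names) {
            try {
                System.out.println(name + " -> allowed: " + resolveInside(base, name));
            } catch (SecurityException e) {
                System.out.println(name + " -> denied: " + e.getMessage());
            }
        }
    }
}
```

A plain string prefix comparison on the unnormalized path is not equivalent to this check, which is why the example normalizes first and compares Path objects.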