Command blocking exploit
JHarris12345 opened this issue · 2 comments
WorldEdit Version
7.2.15+6463-5ca4dff
WorldGuard Version
7.0.9-beta1+2249-223b80c
Platform Version
PaperSpigot 1.20.1
Confirmations
- I am using the most recent Minecraft release.
- I am using a version of WorldEdit compatible with my Minecraft version.
- I am using a version of WorldGuard compatible with my Minecraft version.
- I am using the latest or recommended version of my platform software.
- I am NOT using a hybrid server, e.g. a server that combines Bukkit and Forge. Examples include Arclight, Mohist, and Cardboard.
- I am NOT using a fork of WorldEdit, such as FastAsyncWorldEdit (FAWE) or AsyncWorldEdit (AWE)
Bug Description
You are able to send commands by adding spaces after the forward slash. For example -> "/ spawn". You can add as many spaces as you like and the command will still work.
WorldGuard "BlockedCmds" flag doesn't account for this. So if you block "/spawn" but they type "/ spawn", it will allow it. I propose making a change where it first removes the spaces after the forward slash and before the first letter in a command and THEN checks that new string.
Expected Behavior
It should block commands even if you add a space
Reproduction Steps
- Block a command like /spawn
- Use / spawn
Optional WorldGuard-Report
No response
Anything Else?
No response
This code can build the new command string and perform the check on the string builder string:
```java
char[] charArray = command.toCharArray();
StringBuilder stringBuilder = new StringBuilder();
boolean foundCharacter = false;

for (int i = 0; i < charArray.length; i++) {
    char character = charArray[i];

    // Add any forward slashes at the start of the command
    if (character == '/') {
        stringBuilder.append(character);
        continue;
    }

    // Now skip over all the following spaces until the first character is found and then add them all from there
    if (character == ' ' && !foundCharacter) continue;

    foundCharacter = true;
    stringBuilder.append(character);
}
```
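The check proposed in this issue, carried through to the blocklist lookup, as an added example that is not code from the issue or from WorldGuard: the input is reduced to its slash plus command label before matching, so space-padded forms hit the same entry. The class name, method names, the blocklist and the sample inputs are constructed for illustration, and matching on the label alone is an assumption of this example.

```java
import java.util.List;
import java.util.Set;

// Added illustration; BlockedCommandCheck, canonicalLabel and isBlocked are hypothetical names.
public class BlockedCommandCheck {

    // Reduce raw input to "<leading slashes><command label>": padding between the
    // slash and the label is dropped, and arguments after the label are ignored.
    static String canonicalLabel(String raw) {
        int i = 0;
        while (i < raw.length() && raw.charAt(i) == '/') {
            i++; // keep only the slashes at the very start
        }
        String slashes = raw.substring(0, i);
        String rest = raw.substring(i).stripLeading(); // remove "/   spawn" padding
        int end = 0;
        while (end < rest.length() && !Character.isWhitespace(rest.charAt(end))) {
            end++; // the label runs up to the first whitespace
        }
        return slashes + rest.substring(0, end);
    }

    // Compare the canonical form, never the raw string, against the blocklist.
    static boolean isBlocked(String raw, Set<String> blocked) {
        return blocked.contains(canonicalLabel(raw));
    }

    public static void main(String[] args) {
        Set<String> blocked = Set.of("/spawn"); // constructed sample blocklist
        List<String> inputs = List.of(          // constructed sample inputs
                "/spawn", "/ spawn", "/     spawn now", "/spawnpoint", "/home");
        for (String input : inputs) {
            System.out.printf("%-18s -> %-12s blocked=%b%n",
                    "\"" + input + "\"", canonicalLabel(input), isBlocked(input, blocked));
        }
    }
}
```

Matching on the whole label rather than on a string prefix keeps an unrelated command such as "/spawnpoint" from being caught by a "/spawn" entry.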