Ad Astra

Ad Astra

23M Downloads

[Feature Request]: Remove URL length limit and allow images from any URL

EntityinArray opened this issue ยท 5 comments

commented

Is your feature request related to a problem?

Hello, thank you for working on this mod.
Flag URL entry box is limited to 32 characters and only accepts links that begin with https://i.imgur.com/

Solution(s)

Remove pointless limitations

Describe alternatives you've considered

No response

Mod Version

1.12.6

Mod Loader Version

1.19.2 - 0.14.21

Mod Loader

Fabric

Additional context

No response

commented

The 32 limit is just the default Mojang gives to all text boxes and doesn't need to change as of right now we are not letting other image services as allowing other image services can be a potential attack surface for leaking IPs and possibly other information if someone creates a specially crafted link.

commented

sorry, but what's wrong with leaking IPs? you "leak" IP any time you join a minecraft server, or visit any website in general. Anyone can get your IP, it's like your phone number, there is nothing bad in that.

I understand your concern over possible exploits and such, but it's just an image. You load thousands of images in your browser, and open thousands of them in your image viewer. I don't think that such simple thing can host a vulnerability.

commented

There is a difference between having to initiate a leaking of IPs when you visit a website or join a server loading, an image is a 0 click no initiation attack that can be easily targeted towards people. Also when you load images in your browser it goes through 100s of security checks. It can definitely be a security vulnerability and I am not letting such an attack vector be possible and will be keeping the image hosts limited.

commented

ok, thanks

commented

I've been talking to my friends about this. What if the server downloads the image and sends it to clients? Then issue of IP leaking is solved I think. What do you think?

Also, about 'images going through 1000's security checks', i don't think so. you can't hack anyone with an image (the code needs to be REALLY bad to allow something like this and i don't think that's the case here)