Schematic Cannon can place Clipboard with malicious names
CKenJa opened this issue · 0 comments
Description
Schematic cannon can place clipboards with any Raw Text JSON set in display name.
Additionally, some targets and sources may allow copying any Raw Text JSON using display links.
This means that you can obtain maliciously named clipboards with ClickEvent using schematic cannon without OP.
ClickEvent does not work on item names, only on chat, signs, and Lectern. (maybe)
However, when the name is copied to a lectern via a depot using a display link, the ClickEvent works.
This issue allows executing commands illegally on survival multiplayer servers.
Also, you can use open URL, display string when hover, chat insertion, change page on written book, etc. for survival tricks.
However, I could not confirm whether ClickEvent works this way on signs.
Since this is possible via any mod feature that can copy Raw Text JSON directly, such as item names, I suggest removing ClickEvents when setting up a clipboard by schematic cannon or writing text to a Lectern by display link.
Reproduction Steps
In Creative World:
- Use commands to obtain a clipboard with a ClickEvent set in its name.
Example: /give @p create:clipboard{display:{Name:'{"text":"test","clickEvent":{"action":"open_url","value":"https://github.com/Creators-of-Create/Create"}}'}} 1
- Place the clipboard
- Use a schematic and quill to convert it into a schematic.
In Survival World:
- Use schematic cannon to place the created schematic.
- Break the clipboard to obtain it as an item.
- Copy the name into a written book using a display link, depot, and lectern.
- Click on the string in the lectern GUI.
Game Log
Debug Information
Client Info
Create:
Mod Version: 0.5.1h
Forge Version: 47.2.21
Minecraft Version: 1.20.1
Graphics:
Flywheel Version: 0.6.11-13
Flywheel Backend: INSTANCING
OpenGL Renderer: NVIDIA GeForce RTX 3060/PCIe/SSE2
OpenGL Version: 4.6.0 NVIDIA 551.61
Graphics Mode: options.graphics.fancy
System Information:
Operating System: Windows 11 (amd64) version 10.0
Java Version: 17.0.4.1, Eclipse Adoptium
JVM Flags: 3 total; -Xmx4096m -Xms1024m -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump
Memory: 845591120 bytes (806 MiB) / 2237661184 bytes (2134 MiB) up to 4294967296 bytes (4096 MiB)
Total Memory: 13476265984 bytes (12846 MiB) / 17114124288 bytes (16314 MiB)
CPU: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz @ 3.40 GHz; 4 cores / 8 threads on 1 socket(s)
Graphics card #0: NVIDIA GeForce RTX 3060 (NVIDIA (0x10de)); 4095.00 MB of VRAM
Other Mods:
Server Info
Create:
Mod Version: 0.5.1h
Forge Version: 47.2.21
Minecraft Version: 1.20.1
System Information:
Operating System: Windows 11 (amd64) version 10.0
Java Version: 17.0.4.1, Eclipse Adoptium
JVM Flags: 3 total; -Xmx4096m -Xms1024m -XX:HeapDumpPath=MojangTricksIntelDriversForPerformance_javaw.exe_minecraft.exe.heapdump
Memory: 845591120 bytes (806 MiB) / 2237661184 bytes (2134 MiB) up to 4294967296 bytes (4096 MiB)
Total Memory: 13476265984 bytes (12846 MiB) / 17114124288 bytes (16314 MiB)
CPU: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz @ 3.40 GHz; 4 cores / 8 threads on 1 socket(s)
Graphics card #0: NVIDIA GeForce RTX 3060 (NVIDIA (0x10de)); 4095.00 MB of VRAM
Other Mods:
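The mitigation suggested in the description (dropping ClickEvents before a name is placed by the schematic cannon or written to a lectern) can be sketched on the Raw Text JSON itself. This is an added example, not code from Create or from the issue author; the function names, the choice to also strip `insertion`, and the fallback for unparsable names are assumptions, and the key names are the 1.20.1 camelCase ones.

```python
import json

# Keys that make a 1.20.1 text component react to a click or shift-click.
# Assumption: hoverEvent is kept; add "hoverEvent" to strip tooltips too.
STRIP_KEYS = frozenset({"clickEvent", "insertion"})


def _dump(obj):
    return json.dumps(obj, separators=(",", ":"), ensure_ascii=False)


def strip_interactive(node, strip_keys=STRIP_KEYS):
    """Return a copy of a parsed component with interactive keys removed at every depth."""
    if isinstance(node, dict):
        # Covers the component itself plus nested ones under "extra", "with",
        # "separator" and hoverEvent contents.
        return {k: strip_interactive(v, strip_keys)
                for k, v in node.items() if k not in strip_keys}
    if isinstance(node, list):
        return [strip_interactive(v, strip_keys) for v in node]
    return node  # str, number, bool, None


def sanitize_name(raw_json, strip_keys=STRIP_KEYS):
    """Sanitize the string stored in display.Name; returns (clean_json, changed)."""
    try:
        parsed = json.loads(raw_json)
    except (TypeError, ValueError):
        # Not valid JSON: fall back to a literal text component (assumed policy).
        return _dump({"text": str(raw_json)}), True
    cleaned = strip_interactive(parsed, strip_keys)
    return _dump(cleaned), cleaned != parsed


# Name from the reproduction steps above.
ISSUE_NAME = ('{"text":"test","clickEvent":{"action":"open_url",'
              '"value":"https://github.com/Creators-of-Create/Create"}}')
# Constructed sample: events hidden in a nested "extra" child of a list component.
NESTED_NAME = ('[{"text":"a"},{"text":"b","extra":[{"text":"c","insertion":"x",'
               '"clickEvent":{"action":"run_command","value":"/example"}}]}]')

if __name__ == "__main__":
    for name in (ISSUE_NAME, NESTED_NAME, '{"text":"plain"}'):
        print(sanitize_name(name))
```

The `changed` flag lets a server log or reject the placement instead of silently rewriting the name.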