/cs allows execution of files outside of craftscripts dir

Question

/cs allows execution of files outside of craftscripts dir

lorenzop opened this issue 3 years ago · 2 comments

lorenzop commented 3 years ago

WorldEdit Version

7.2.7

Platform Version

spigot

Confirmations

I am using the most recent Minecraft release.
I am using a version of WorldEdit compatible with my Minecraft version.
I am using the latest or recommended version of my platform software.
I am NOT using a hybrid server, e.g. a server that combines Bukkit and Forge. Examples include Arclight, Mohist, and Cardboard.
I am NOT using a fork of WorldEdit, such as FastAsyncWorldEdit (FAWE) or AsyncWorldEdit (AWE)

Bug Description

The /cs command allows execution of files outside of the plugins/WorldEdit/craftscripts/ directory, any place on the server.

I assume this is a bug, as I don't see mention of this in any other issue tickets. Is this a desired behavior?

Expected Behavior

deny access to files outside of plugins/WorldEdit/craftscripts/ dir

Reproduction Steps

place a test.js file (with contents or blank) into the plugins/WorldEdit/ directory
can run it with /cs ../test.js

Anything Else?

No response

lorenzop · Answer 1 · 2021-12-08T19:45:02.000Z

oops, I am wrong. This is my mistake, I wasn't seeing an error in game, but now I am. Thank you for your great work on this plugin, I couldn't live without it.

wizjany · Answer 2 · 2021-12-08T19:45:39.000Z

in the future, a public issue tracker is not the correct place to report supposed security issues.

Share to