EngineHub/WorldGuard

Command blocking exploit

JHarris12345 opened this issue · 2 comments

WorldEdit Version

7.2.15+6463-5ca4dff

WorldGuard Version

7.0.9-beta1+2249-223b80c

Platform Version

PaperSpigot 1.20.1

Confirmations

  • I am using the most recent Minecraft release.
  • I am using a version of WorldEdit compatible with my Minecraft version.
  • I am using a version of WorldGuard compatible with my Minecraft version.
  • I am using the latest or recommended version of my platform software.
  • I am NOT using a hybrid server, e.g. a server that combines Bukkit and Forge. Examples include Arclight, Mohist, and Cardboard.
  • I am NOT using a fork of WorldEdit, such as FastAsyncWorldEdit (FAWE) or AsyncWorldEdit (AWE)

Bug Description

You are able to send commands by adding spaces after the forward slash, for example "/ spawn". You can add as many spaces as you like; the command will still work.

WorldGuard's "BlockedCmds" flag doesn't account for this. So if you block "/spawn" but they type "/ spawn", it will allow it. I propose a change where it first removes the spaces after the forward slash and before the first letter in a command and THEN checks that new string.

Expected Behavior

It should block commands even if you add a space.

Reproduction Steps

  1. Block a command like /spawn
  2. Use / spawn

Optional WorldGuard-Report

No response

Anything Else?

No response

This code can build the new command string and perform the check on the string builder string:

    char[] charArray = command.toCharArray();
    StringBuilder stringBuilder = new StringBuilder();

    boolean foundCharacter = false;
    for (int i=0; i<charArray.length; i++) {
        char character = charArray[i];

        // Add any forward slashes at the start of the command
        if (character == '/') {
            stringBuilder.append(character);
            continue;
        }

        // Now skip over all the following spaces until the first character is found and then add them all from there
        if (character == ' ' && !foundCharacter) continue;

        foundCharacter = true;
        stringBuilder.append(character);
    }

dupe
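
The check proposed in this issue, as an added example that is not WorldGuard's code or part of the original thread: it contrasts a raw prefix comparison with one that first drops the whitespace after the leading slash. The class and method names, the prefix-matching rule and the sample blocklist are assumptions made for illustration; skipping all whitespace rather than only spaces goes slightly beyond the case in the report.

```java
import java.util.List;
import java.util.Set;

// Hypothetical stand-alone demo; none of these names come from WorldGuard.
public class BlockedCommandCheck {

    // Raw comparison (assumed matching rule): the input is blocked when it equals
    // a blocked command or starts with it followed by a space. "/ spawn" does not
    // start with "/spawn", so it is let through.
    static boolean naiveIsBlocked(String input, Set<String> blocked) {
        for (String entry : blocked) {
            if (input.equals(entry) || input.startsWith(entry + " ")) {
                return true;
            }
        }
        return false;
    }

    // Canonical form: keep the leading slashes, drop the whitespace between them
    // and the first command character, leave the rest of the line untouched.
    static String normalize(String input) {
        int slashEnd = 0;
        while (slashEnd < input.length() && input.charAt(slashEnd) == '/') {
            slashEnd++;
        }
        int labelStart = slashEnd;
        while (labelStart < input.length()
                && Character.isWhitespace(input.charAt(labelStart))) {
            labelStart++;
        }
        return input.substring(0, slashEnd) + input.substring(labelStart);
    }

    // Hardened check: normalize first, then apply the same comparison.
    static boolean isBlocked(String input, Set<String> blocked) {
        return naiveIsBlocked(normalize(input), blocked);
    }

    public static void main(String[] args) {
        Set<String> blocked = Set.of("/spawn"); // constructed sample blocklist
        // Constructed sample inputs: exact, padded, padded with argument, other command.
        for (String in : List.of("/spawn", "/ spawn", "/    spawn now", "/spawnpoint")) {
            System.out.printf("%-18s naive=%-5b normalized=%b%n",
                    "\"" + in + "\"", naiveIsBlocked(in, blocked), isBlocked(in, blocked));
        }
    }
}
```

Running `main` prints one row per sample input, showing where the two checks disagree on the space-padded forms.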