Fix creation and import Exploit#2353
Through this fix you can avoid deleting of important folders.
nicegamer7
left a comment
Thanks for the PR!
Here are my thoughts.
If there are no other corrections, I will modify the code and repeat the pull request if necessary.

I'm not actually authorized to accept PRs, so I'd wait until the main dev gives his thoughts until you redo anything.
dumptruckman
left a comment
If there are no other corrections, I will modify the code and repeat the pull request if necessary.
Sorry for the delay in checking this out. I made some comments so yeah, need a couple changes but otherwise this is great.
Will be integrating this in ACF Command rework. Not sure if we want to merge it before that, like v4.3?

@xSavior-of-God Are you still interested in proceeding on this PR?

Yes, I need this fix!

I think I recently added something similar, see https://github.com/Multiverse/Multiverse-Core/blob/main/src/main/java/com/onarandombox/MultiverseCore/utils/WorldNameChecker.java I suggest you take a look at it and see if it has fixed the exploits you are concerned with. I haven't used WorldNameChecker in the create command class, but it's probably easy to implement. Another thing is I heard of people having sub-folders dir for worlds e.g.
1 year ago I said how to fix/remedy the problem... and to date it has not been fixed... I also mentioned how to replicate it, which to date may have caused problems for some server owners... with the hope that it will be fixed as soon as possible, but this was not... So now I tell you how things are...

Did you know that if you want you can create a world inside folders like

In any case, for example, it would be enough to know the path of the server folder to completely destroy it (or just use "

However the problem still persists!

How to replicate delete plugins folder?

Simple just type these 2 commands:

NB: Do not use contains in reverse! do it like this

    for (String check : BLACKLIST_NAMES)
        if (worldName.contains(check))
            return NameStatus.BLACKLISTED;

I hope you have understood the seriousness of the problem and that I have not offended you (in case sorry), but above all I hope that the problem will be solved as soon as possible!

ideally, we should check based on directory instead of just removing all /, possibly:
so that we control, but not straight up deny worlds in sub directory, to prevent breaking changes while fixing this exploit.
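
A sketch of the directory-based check suggested in the comment above, as an added example that is not part of the thread and not Multiverse's own code: the world name is resolved against the world container and accepted only if the normalized result stays strictly inside it and outside a protected top-level folder. The class name, `isSafeWorldName` and the `PROTECTED` set are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;

public class WorldPathCheck {
    // Assumed for illustration: top-level server folders a world must never resolve into.
    static final Set<String> PROTECTED = Set.of("plugins", "logs", "config");

    /** True only if worldName resolves strictly inside container and its
     *  first path segment below the container is not a protected folder. */
    static boolean isSafeWorldName(Path container, String worldName) {
        if (worldName == null || worldName.isBlank()) {
            return false;
        }
        Path base = container.toAbsolutePath().normalize();
        Path target;
        try {
            // normalize() collapses "." and ".." before any comparison is made.
            target = base.resolve(worldName).normalize();
        } catch (InvalidPathException e) {
            return false; // e.g. NUL or other characters the file system rejects
        }
        // Absolute names and ".." sequences land outside base (or on base itself).
        // Path.startsWith compares whole name elements, not string prefixes.
        if (target.equals(base) || !target.startsWith(base)) {
            return false;
        }
        // Sub-directories stay allowed; only the first segment is screened.
        String first = base.relativize(target).getName(0).toString();
        return !PROTECTED.contains(first.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) throws IOException {
        Path container = Files.createTempDirectory("server"); // constructed sample root
        String[] samples = {"world", "worlds/survival", "../outside", "plugins",
                            "plugins/x", "worlds/../plugins", "/", "."};
        for (String s : samples) {
            System.out.printf("%-20s %s%n", s,
                    isSafeWorldName(container, s) ? "allowed" : "rejected");
        }
    }
}
```

`normalize()` does not follow symbolic links, so a deployment that allows symlinked world folders would also need to compare `toRealPath()` results once the folder exists.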
benwoo1110
left a comment
I will merge it as it is, and look into configurable options, as well as reducing false positives as I mentioned in the near future.
Why do you have to get too complicated?

it's not... too complicated, I'm just providing ideas into how we can improve the world name checking system. Yes - things at mv are slow at times, but we do our best with the limited free time we have.