13
0
geforkt von Mirrors/Paper
Paper/patches/server/0411-Fix-regex-mistake-in-CB-NBT-int-deserialization.patch
Owen 89d51d5f29
Allow enabling sand duping (#10191)
Because this exploit has been widely known for years and has not been fixed by Mojang, we decided that it was worth allowing people to toggle it on/off due to how easy it is to make it configurable.

It should be noted that this decision does not promise all future exploits will be configurable.
2024-03-03 17:05:34 -05:00

28 Zeilen
1.7 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: mbax <matt@phozop.net>
Date: Mon, 17 Aug 2020 12:17:37 -0400
Subject: [PATCH] Fix regex mistake in CB NBT int deserialization
The existing regex is too open and allows for the absence of any actual
number data, detecting an NBT entry of just the letter "i" in upper or
lower case. This causes a single-character NBT entry to be processed as
an integer ending in "i", passing an empty String to to Integer.parseInt,
triggering an exception in loading the item.
This commit forces numbers to be present prior to the ending "i"
letter.
diff --git a/src/main/java/org/bukkit/craftbukkit/util/CraftNBTTagConfigSerializer.java b/src/main/java/org/bukkit/craftbukkit/util/CraftNBTTagConfigSerializer.java
index be9686a4240acf24a9ee022cff6ba848524b4498..1d282b1f3cf968364474ce5700bc95ebc46b9f1c 100644
--- a/src/main/java/org/bukkit/craftbukkit/util/CraftNBTTagConfigSerializer.java
+++ b/src/main/java/org/bukkit/craftbukkit/util/CraftNBTTagConfigSerializer.java
@@ -18,7 +18,7 @@ import org.jetbrains.annotations.NotNull;
public class CraftNBTTagConfigSerializer {
private static final Pattern ARRAY = Pattern.compile("^\\[.*]");
- private static final Pattern INTEGER = Pattern.compile("[-+]?(?:0|[1-9][0-9]*)?i", Pattern.CASE_INSENSITIVE);
+ private static final Pattern INTEGER = Pattern.compile("[-+]?(?:0|[1-9][0-9]*)i", Pattern.CASE_INSENSITIVE); // Paper - fix regex
private static final Pattern DOUBLE = Pattern.compile("[-+]?(?:[0-9]+[.]?|[0-9]*[.][0-9]+)(?:e[-+]?[0-9]+)?d", Pattern.CASE_INSENSITIVE);
private static final TagParser MOJANGSON_PARSER = new TagParser(new StringReader(""));