Paper/patches/server/0360-Validate-PickItem-Packet-and-kick-for-invalid.patch
Nassim Jahnke 2641c02193
Updated Upstream (Bukkit/CraftBukkit)
Upstream has released updates that appear to apply and compile correctly.
This update has not been tested by PaperMC and as with ANY update, please do your own testing

Bukkit Changes:
69fa4695 Add some missing deprecation annotations
f850da2e Update Maven plugins/versions
8d8400db Use regular compiler seeing as ECJ doesn't support Java 21 JRE
c29e1688 Revert "BUILDTOOLS-676: Downgrade Maven compiler version"
07bce714 SPIGOT-7355: More field renames and fixes
6a8ea764 Fix bad merge in penultimate commit
50a7920c Fix imports in previous commit
83640dd1 PR-995: Add required feature to MinecraftExperimental for easy lookups
fc1f96cf BUILDTOOLS-676: Downgrade Maven compiler version

CraftBukkit Changes:
90f1059ba Fix item placement
661afb43c SPIGOT-7633: Clearer error message for missing particle data
807b465b3 SPIGOT-7634: Armadillo updates infrequently
590cf09a8 Fix unit tests always seeing Mojang server as unavailable
7c7ac5eb2 SPIGOT-7636: Fix clearing ItemMeta
4a72905cf SPIGOT-7635: Fix Player#transfer and cookie methods
ebb50e136 Fix incorrect Vault implementation
b33fed8b7 Update Maven plugins/versions
6f00f0608 SPIGOT-7632: Control middle clicking chest does not copy contents
db821f405 Use regular compiler seeing as ECJ doesn't support Java 21 JRE
8a2976737 Revert "BUILDTOOLS-676: Downgrade Maven compiler version"
0297f87bb SPIGOT-7355: More field renames and fixes
2d03bdf6a SPIGOT-7629: Fix loading banner patterns
e77951fac Fix equality of deserialized display names
c66f3e4fd SPIGOT-7631: Fix deserialisation of BlockStateMeta
9c2c7be8d SPIGOT-7630: Fix crash saving unticked leashed entities
8c1e7c841 PR-1384: Disable certain PlayerProfile tests, if Mojang's services or internet are not available
ced93d572 SPIGOT-7626: sendSignChange() has no effect
c77362cae SPIGOT-7625: ItemStack with lore cannot be serialized in 1.20.5
ff2004387 SPIGOT-7620: Fix server crash when hoppers transfer items to double chests
8b4abeb03 BUILDTOOLS-676: Downgrade Maven compiler version
2024-04-25 23:23:57 +02:00

27 Zeilen
1.9 KiB
Diff

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Aikar <aikar@aikar.co>
Date: Sat, 2 May 2020 03:09:46 -0400
Subject: [PATCH] Validate PickItem Packet and kick for invalid
diff --git a/src/main/java/net/minecraft/server/network/ServerGamePacketListenerImpl.java b/src/main/java/net/minecraft/server/network/ServerGamePacketListenerImpl.java
index 4e649fe68c6d0cf42e35f821457064656410d823..997bf1c7bed5f78b017827acb6339f5e07791f7f 100644
--- a/src/main/java/net/minecraft/server/network/ServerGamePacketListenerImpl.java
+++ b/src/main/java/net/minecraft/server/network/ServerGamePacketListenerImpl.java
@@ -892,7 +892,14 @@ public class ServerGamePacketListenerImpl extends ServerCommonPacketListenerImpl
@Override
public void handlePickItem(ServerboundPickItemPacket packet) {
PacketUtils.ensureRunningOnSameThread(packet, this, this.player.serverLevel());
- this.player.getInventory().pickSlot(packet.getSlot());
+ // Paper start - validate pick item position
+ if (!(packet.getSlot() >= 0 && packet.getSlot() < this.player.getInventory().items.size())) {
+ ServerGamePacketListenerImpl.LOGGER.warn("{} tried to set an invalid carried item", this.player.getName().getString());
+ this.disconnect("Invalid hotbar selection (Hacking?)");
+ return;
+ }
+ this.player.getInventory().pickSlot(packet.getSlot()); // Paper - Diff above if changed
+ // Paper end - validate pick item position
this.player.connection.send(new ClientboundContainerSetSlotPacket(-2, 0, this.player.getInventory().selected, this.player.getInventory().getItem(this.player.getInventory().selected)));
this.player.connection.send(new ClientboundContainerSetSlotPacket(-2, 0, packet.getSlot(), this.player.getInventory().getItem(packet.getSlot())));
this.player.connection.send(new ClientboundSetCarriedItemPacket(this.player.getInventory().selected));