Archiviert
13
0

Arbitrary code execution is very dangerous. Limit to debug mode.

The filter command allows users with sufficient permission (or OPs) to
execute arbitrary JavaScript (no sandboxing). This is fine for a
debug and testing, but could potentially be exploited in a
production environment. 

Instead, we disable this command by default and force users to enable it
specifically in the configuration file (not through commands). If
someone has access to the config.yml file, they probably also have
access to the plugins/ folder and thus the ability to install plugins
with arbitrary code execution as well.
Dieser Commit ist enthalten in:
Kristian 2013-04-07 15:57:01 +02:00
Ursprung 15980d70fb
Commit 3ee38d7b6d
4 geänderte Dateien mit 41 neuen und 4 gelöschten Zeilen

Datei anzeigen

@ -221,12 +221,16 @@ public class CommandFilter extends CommandBase {
// Owner plugin // Owner plugin
private final Plugin plugin; private final Plugin plugin;
// Whether or not the command is enabled
private ProtocolConfig config;
// Script engine // Script engine
private ScriptEngine engine; private ScriptEngine engine;
public CommandFilter(ErrorReporter reporter, Plugin plugin) { public CommandFilter(ErrorReporter reporter, Plugin plugin, ProtocolConfig config) {
super(reporter, CommandBase.PERMISSION_ADMIN, NAME, 2); super(reporter, CommandBase.PERMISSION_ADMIN, NAME, 2);
this.plugin = plugin; this.plugin = plugin;
this.config = config;
// Start the engine // Start the engine
initalizeScript(); initalizeScript();
@ -264,13 +268,18 @@ public class CommandFilter extends CommandBase {
// Pass! // Pass!
return true; return true;
} }
/* /*
* Description: Adds or removes a simple packet listener. * Description: Adds or removes a simple packet listener.
Usage: /<command> add|remove name [packet IDs] Usage: /<command> add|remove name [packet IDs]
*/ */
@Override @Override
protected boolean handleCommand(CommandSender sender, String[] args) { protected boolean handleCommand(CommandSender sender, String[] args) {
if (!config.isDebug()) {
sender.sendMessage(ChatColor.RED + "Debug mode must be enabled in the configuration first!");
return true;
}
final SubCommand command = parseCommand(args, 0); final SubCommand command = parseCommand(args, 0);
final String name = args[1]; final String name = args[1];

Datei anzeigen

@ -40,6 +40,8 @@ class ProtocolConfig {
private static final String IGNORE_VERSION_CHECK = "ignore version check"; private static final String IGNORE_VERSION_CHECK = "ignore version check";
private static final String BACKGROUND_COMPILER_ENABLED = "background compiler"; private static final String BACKGROUND_COMPILER_ENABLED = "background compiler";
private static final String DEBUG_MODE_ENABLED = "debug";
private static final String INJECTION_METHOD = "injection method"; private static final String INJECTION_METHOD = "injection method";
private static final String UPDATER_NOTIFY = "notify"; private static final String UPDATER_NOTIFY = "notify";
@ -140,6 +142,24 @@ class ProtocolConfig {
public void setAutoDownload(boolean value) { public void setAutoDownload(boolean value) {
updater.set(UPDATER_DOWNLAD, value); updater.set(UPDATER_DOWNLAD, value);
} }
/**
* Determine whether or not debug mode is enabled.
* <p>
* This grants access to the filter command.
* @return TRUE if it is, FALSE otherwise.
*/
public boolean isDebug() {
return global.getBoolean(DEBUG_MODE_ENABLED, false);
}
/**
* Set whether or not debug mode is enabled.
* @param value - TRUE if it is enabled, FALSE otherwise.
*/
public void setDebug(boolean value) {
global.set(DEBUG_MODE_ENABLED, value);
}
/** /**
* Retrieve the amount of time to wait until checking for a new update. * Retrieve the amount of time to wait until checking for a new update.

Datei anzeigen

@ -130,6 +130,11 @@ public class ProtocolLibrary extends JavaPlugin {
} }
} }
// Print the state of the debug mode
if (config.isDebug()) {
logger.warning("Debug mode is enabled!");
}
try { try {
// Check for other versions // Check for other versions
checkConflictingVersions(); checkConflictingVersions();
@ -162,7 +167,7 @@ public class ProtocolLibrary extends JavaPlugin {
// Initialize command handlers // Initialize command handlers
commandProtocol = new CommandProtocol(detailedReporter, this, updater, config); commandProtocol = new CommandProtocol(detailedReporter, this, updater, config);
commandFilter = new CommandFilter(detailedReporter, this); commandFilter = new CommandFilter(detailedReporter, this, config);
commandPacket = new CommandPacket(detailedReporter, this, logger, commandFilter, protocolManager); commandPacket = new CommandPacket(detailedReporter, this, logger, commandFilter, protocolManager);
// Send logging information to player listeners too // Send logging information to player listeners too

Datei anzeigen

@ -18,4 +18,7 @@ global:
ignore version check: ignore version check:
# Override the starting injecting method # Override the starting injecting method
injection method: injection method:
# Whether or not to enable the filter command
debug: false