Skip to content

Commit

Permalink
Security improvements
Browse files Browse the repository at this point in the history
  • Loading branch information
@xism4
xism4 committed Feb 28, 2022
1 parent 22aca14 commit e2bb557
Show file tree
Hide file tree
Showing 2 changed files with 185 additions and 26 deletions.
26 changes: 0 additions & 26 deletions patches/server/0208-Isma-SportPaper.patch
View file

This file was deleted.

185 changes: 185 additions & 0 deletions patches/server/0210-Some-security-checks-flamepaper-backport.patch
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,185 @@
From f9fd8b3eae46d6bf53c70dd352ab28d26e9b2ef5 Mon Sep 17 00:00:00 2001
From: xIsm4 <minelatinsoporte@gmail.com>
Date: Tue, 1 Mar 2022 00:09:22 +0100
Subject: [PATCH] Some security checks & flamepaper backport


diff --git a/src/main/java/net/minecraft/server/LoginListener.java b/src/main/java/net/minecraft/server/LoginListener.java
index 1160f45e..e5c622e5 100644
--- a/src/main/java/net/minecraft/server/LoginListener.java
+++ b/src/main/java/net/minecraft/server/LoginListener.java
@@ -169,7 +169,10 @@ public class LoginListener implements PacketLoginInListener, IUpdatePlayerListBo
}

public String d() {
- return this.i != null ? this.i.toString() + " (" + this.networkManager.getSocketAddress().toString() + ")" : String.valueOf(this.networkManager.getSocketAddress());
+ //FlamePaper start
+ String socketAddress = networkManager == null ? null : (networkManager.getSocketAddress() == null ? null : networkManager.getSocketAddress().toString());
+ return this.i != null ? this.i.toString() + " (" + socketAddress + ")" : socketAddress;
+ //FlamePaper start
}

public void a(PacketLoginInStart packetlogininstart) {
diff --git a/src/main/java/net/minecraft/server/NetworkManager.java b/src/main/java/net/minecraft/server/NetworkManager.java
index 9e35715a..f520a4d5 100644
--- a/src/main/java/net/minecraft/server/NetworkManager.java
+++ b/src/main/java/net/minecraft/server/NetworkManager.java
@@ -323,7 +323,10 @@ public class NetworkManager extends SimpleChannelInboundHandler<Packet> {
}

protected void channelRead0(ChannelHandlerContext channelhandlercontext, Packet object) throws Exception { // CraftBukkit - fix decompile error
- this.a(channelhandlercontext, (Packet) object);
+ // FlamePaper - Check if channel is opened before reading packet
+ if (g()) {
+ this.a(channelhandlercontext, object);
+ }
}

static class QueuedPacket {
diff --git a/src/main/java/net/minecraft/server/PacketDataSerializer.java b/src/main/java/net/minecraft/server/PacketDataSerializer.java
index e2eb3054..5dd50a00 100644
--- a/src/main/java/net/minecraft/server/PacketDataSerializer.java
+++ b/src/main/java/net/minecraft/server/PacketDataSerializer.java
@@ -167,7 +167,7 @@ public class PacketDataSerializer extends ByteBuf {
return null;
} else {
this.readerIndex(i);
- return NBTCompressedStreamTools.a((DataInput) (new ByteBufInputStream(this)), new NBTReadLimiter(2097152L));
+ return NBTCompressedStreamTools.a((DataInput) (new ByteBufInputStream(this)), new NBTReadLimiter(45000)); //No way spigot is using 2mb XD
}
}

diff --git a/src/main/java/org/bukkit/craftbukkit/inventory/CraftMetaBook.java b/src/main/java/org/bukkit/craftbukkit/inventory/CraftMetaBook.java
index 0b5ada01..9fc4727d 100644
--- a/src/main/java/org/bukkit/craftbukkit/inventory/CraftMetaBook.java
+++ b/src/main/java/org/bukkit/craftbukkit/inventory/CraftMetaBook.java
@@ -33,8 +33,10 @@ public class CraftMetaBook extends CraftMetaItem implements BookMeta {
static final ItemMetaKey BOOK_PAGES = new ItemMetaKey("pages");
static final ItemMetaKey RESOLVED = new ItemMetaKey("resolved");
static final ItemMetaKey GENERATION = new ItemMetaKey("generation");
- static final int MAX_PAGE_LENGTH = Short.MAX_VALUE; // TODO: Check me
- static final int MAX_TITLE_LENGTH = 0xffff;
+ static final int MAX_PAGE_LENGTH = 340; // FlamePaper - Limit max page length to 320
+ static final int MAX_TITLE_LENGTH = 32; // FlamePaper - Limit max title length to 32
+ static final int MAX_PAGES = 50; // FlamePaper - Limit pages to 50
+ static final int MAX_AUTHOR_LENGTH = 16; // FlamePaper - Limit author name length to 16

protected String title;
protected String author;
@@ -61,11 +63,11 @@ public class CraftMetaBook extends CraftMetaItem implements BookMeta {
super(tag);

if (tag.hasKey(BOOK_TITLE.NBT)) {
- this.title = limit( tag.getString(BOOK_TITLE.NBT), 1024 ); // Spigot
+ this.title = limit( tag.getString(BOOK_TITLE.NBT), MAX_TITLE_LENGTH ); // flamepaper
}

if (tag.hasKey(BOOK_AUTHOR.NBT)) {
- this.author = limit( tag.getString(BOOK_AUTHOR.NBT), 1024 ); // Spigot
+ this.author = limit( tag.getString(BOOK_AUTHOR.NBT), MAX_AUTHOR_LENGTH ); // flamepaper
}

boolean resolved = false;
@@ -80,7 +82,7 @@ public class CraftMetaBook extends CraftMetaItem implements BookMeta {
if (tag.hasKey(BOOK_PAGES.NBT) && handlePages) {
NBTTagList pages = tag.getList(BOOK_PAGES.NBT, 8);

- for (int i = 0; i < pages.size(); i++) {
+ for (int i = 0; i < Math.min(pages.size(), MAX_PAGES); i++) {
String page = pages.getString(i);
if (resolved) {
try {
@@ -90,7 +92,7 @@ public class CraftMetaBook extends CraftMetaItem implements BookMeta {
// Ignore and treat as an old book
}
}
- addPage( limit( page, 2048 ) ); // Spigot
+ addPage( limit( page, MAX_PAGE_LENGTH ) ); // flamepaper
}
}
}
@@ -104,9 +106,16 @@ public class CraftMetaBook extends CraftMetaItem implements BookMeta {

Iterable<?> pages = SerializableMeta.getObject(Iterable.class, map, BOOK_PAGES.BUKKIT, true);
if(pages != null) {
+ int pageCount = 0;
for (Object page : pages) {
- if (page instanceof String) {
- addPage((String) page);
+ if (pageCount < MAX_PAGES) {
+ if (page instanceof String) {
+ addPage((String) page);
+ }
+
+ pageCount++;
+ } else {
+ break;
}
}
}
@@ -187,11 +196,10 @@ public class CraftMetaBook extends CraftMetaItem implements BookMeta {
if (title == null) {
this.title = null;
return true;
- } else if (title.length() > MAX_TITLE_LENGTH) {
- return false;
+ }else{
+ this.title = title.substring(0, Math.min(title.length(), MAX_PAGE_LENGTH)); //FlamePaper
}

- this.title = title;
return true;
}

@@ -213,7 +221,7 @@ public class CraftMetaBook extends CraftMetaItem implements BookMeta {
throw new IllegalArgumentException("Invalid page number " + page + "/" + pages.size());
}

- String newText = text == null ? "" : text.length() > MAX_PAGE_LENGTH ? text.substring(0, MAX_PAGE_LENGTH) : text;
+ String newText = text == null ? "" : text.substring(0, Math.min(text.length(), MAX_PAGE_LENGTH));
pages.set(page - 1, CraftChatMessage.fromString(newText, true)[0]);
}

@@ -224,14 +232,21 @@ public class CraftMetaBook extends CraftMetaItem implements BookMeta {
}

public void addPage(final String... pages) {
- for (String page : pages) {
- if (page == null) {
- page = "";
- } else if (page.length() > MAX_PAGE_LENGTH) {
- page = page.substring(0, MAX_PAGE_LENGTH);
- }
+ for (int i = 0; i < Math.min(pages.length, MAX_PAGES); i++) {
+ // FlamePaper - Apply page limit
+ if (getPageCount() < MAX_PAGES) {
+ String page = pages[i];
+
+ if (page == null) {
+ page = "";
+ } else if (page.length() > MAX_PAGE_LENGTH) {
+ page = page.substring(0, MAX_PAGE_LENGTH);
+ }

- this.pages.add(CraftChatMessage.fromString(page, true)[0]);
+ this.pages.add(CraftChatMessage.fromString(page, true)[0]);
+ } else {
+ break;
+ }
}
}

@@ -257,9 +272,7 @@ public class CraftMetaBook extends CraftMetaItem implements BookMeta {

public void setPages(List<String> pages) {
this.pages.clear();
- for (String page : pages) {
- addPage(page);
- }
+ addPage(pages.toArray(new String[0]));
}

private boolean isValidPage(int page) {
--
2.34.1.windows.1

0 comments on commit e2bb557

Please sign in to comment.