Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential security issue #11

Open
ghost opened this issue Jan 26, 2024 · 1 comment
Open

Potential security issue #11

ghost opened this issue Jan 26, 2024 · 1 comment

Comments

@ghost
Copy link

ghost commented Jan 26, 2024

RPGHorses/RPGHorsesPlugin/src/main/java/org/plugins/rpghorses/listeners/InventoryClickListener.java

Line 402 in 45d5674

} else if (horseOwner.getCurrentHorse() != null && e.getView().getTitle().equals(horseOwner.getCurrentHorse().getHorse().getName()) && e.getView().getTopInventory() == e.getClickedInventory() && e.getSlot() == 0) {

Checking event.getView().getTitle() to see whether your custom inventory is being used is unsafe, as renaming a chest in an anvil allows users to set their own inventory titles. The correct way to check if your custom inventory is involved with an event is by using custom holders, see here: https://docs.papermc.io/paper/dev/custom-inventory-holder
@7rory768
Copy link
Owner

7rory768 commented Feb 6, 2024

I wouldn't really call this a security issue, more like a rare bug. This just prevents the user from modifying the saddle in slot 0 of the horses inventory, I could just change it to check inventory type though sure. All it does is cancel the click.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@7rory768