From 289a18a0036789f2e408bd4ea578e555d9fbfe2c Mon Sep 17 00:00:00 2001 From: moo <48740106+moom0o@users.noreply.github.com> Date: Sun, 12 Dec 2021 22:43:27 -0500 Subject: [PATCH] 1.21.1 - Remove client side rce exploit fix --- README.md | 11 +++++++---- pom.xml | 2 +- .../patches/ProtocolLib.java | 17 ----------------- src/main/resources/config.yml | 1 - 4 files changed, 8 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 42c07763d..101bfbe92 100644 --- a/README.md +++ b/README.md @@ -65,9 +65,13 @@ alongside AEF to patch the majority of exploits. **All features listed here can be disabled or enabled in the config.** * Prevent NoCom exploit. - Prevent the 'NoCom' coordinate exploit -* Prevent log4j RCE (remote code execution) exploit for client side users. All messages sent to players are checked like - death messages, not just player made messages. **MAKE SURE TO USE [Papaya](https://github.com/moom0o/Papaya) FOR - SERVER SIDE OR YOU COULD POSSIBLY BE BACKDOORED!** + [//]: # (* Prevent log4j RCE (remote code execution) exploit for client side users. All messages sent to + players are checked like) + +[//]: # ( death messages, not just player made messages. **MAKE SURE TO USE [Papaya](https://github.com/moom0o/Papaya) FOR) + +[//]: # ( SERVER SIDE OR YOU COULD POSSIBLY BE BACKDOORED!**) + * Prevent BowBomb exploit. - Prevent an exploit where bows can instantly kill a player. * Prevent burrow hack - Where you step inside a block so crystals can't do any damage. * Prevent boatfly exploit - Prevent the futureclient/rusherhack boatfly exploit. 
@@ -157,7 +161,6 @@ LookForIllegalsInShulkers: false # WARNING: DO NOT ENABLE IF YOU DON'T WANT A DU # Bugfixes PreventNoComCoordinateExploit: true NoComMaxDistance: 64 # Recommended not to increase -PreventRCEClientSideExploit: true # CLIENTSIDE ONLY - SERVER IS STILL VULNERABLE Blocks all messages containing "${" make sure you are using mojang's patch (https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition) or updated Papaya to patch this exploit on the server side, OTHERWISE YOU CAN BE BACKDOORED. PreventEndGatewayCrashExploit: true PreventDispenserCrashExploit: true PreventSnowBallExploit: true diff --git a/pom.xml b/pom.xml index e22224c01..ca1d91ba6 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ me.moomoo anarchyexploitfixes - 1.21.0 + 1.21.1 jar AnarchyExploitFixes diff --git a/src/main/java/me/moomoo/anarchyexploitfixes/patches/ProtocolLib.java b/src/main/java/me/moomoo/anarchyexploitfixes/patches/ProtocolLib.java index 7c0dbb167..ffcf4f81f 100644 --- a/src/main/java/me/moomoo/anarchyexploitfixes/patches/ProtocolLib.java +++ b/src/main/java/me/moomoo/anarchyexploitfixes/patches/ProtocolLib.java 
@@ -47,23 +47,6 @@ public void onPacketReceiving(PacketEvent event) {
 });
 }
 
- if (plugin.getConfig().getBoolean("PreventRCEClientSideExploit")) {
- protocolManager.addPacketListener(
- new PacketAdapter(plugin, ListenerPriority.NORMAL, PacketType.Play.Server.CHAT) {
- @Override
- public void onPacketSending(PacketEvent event) {
- if (event.getPacketType() == PacketType.Play.Server.CHAT) {
- String message = event.getPacket().getChatComponents().read(0).getJson();
- if (message.toLowerCase().contains("${")) {
- plugin.getLogger().info(message);
- plugin.getLogger().warning("Blocked RCE vulnerability attempt!");
- event.setCancelled(true);
- }
- }
- }
- });
- }
-
 if (plugin.getConfig().getBoolean("PreventPacketFly")) {
 protocolManager.addPacketListener(
 new PacketAdapter(plugin, ListenerPriority.HIGHEST, PacketType.Play.Client.TELEPORT_ACCEPT) {
diff --git a/src/main/resources/config.yml b/src/main/resources/config.yml
index 5efefcb63..5a2a46fd5 100644
--- a/src/main/resources/config.yml
+++ b/src/main/resources/config.yml
@@ -28,7 +28,6 @@ LookForIllegalsInShulkers: false # WARNING: DO NOT ENABLE IF YOU DON'T WANT A DU
 # Bugfixes
 PreventNoComCoordinateExploit: true
 NoComMaxDistance: 64 # Recommended not to increase
-PreventRCEClientSideExploit: true # CLIENTSIDE ONLY - SERVER IS STILL VULNERABLE Blocks all messages containing "${" make sure you are using mojang's patch (https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition) or updated Papaya to patch this exploit on the server side, OTHERWISE YOU CAN BE BACKDOORED.
 PreventEndGatewayCrashExploit: true
 PreventDispenserCrashExploit: true
 PreventSnowBallExploit: true