-
-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BungeeResourcePack disconnecting users on login due to resource pack packet exploitation attempt #55
Comments
Imo. Purpur should provide an option for that protection. Fixing this in the plugin wouldn't be trivial and would require something like preventing that the status packets gets sent through the Bungee. (Something some people might even want so it would need an option too) Also generally speaking I'm a bit sceptical why that check is even necessary in the server directly. Plugins that care about that case can easily handle that exact logic themselves and not trigger when they didn't send a pack. |
Sorry about that. That feature was definitely supposed to be behind a config option. This has been rectified in build 1287. As for why we do this check @Phoenix616 its because Purpur has the option to put a player into invulnerable mode while they are accepting/downloading a server resource pack. This check was put into place to prevent modded clients from abusing this feature to gain unlimited vulnerability. You can send the resource pack through @mibby Make sure you disable the |
You can send the resource pack through ServerPlayer#sendTexturePack or
manually set Purpur's ServerPlayer#acceptingResourcePack flag to make this
plugin compatible with this feature.
Well that's not really possible in that case as the plugin sends the pack
from the proxy :)
…On Sun, Jul 18, 2021, 17:10 BillyGalbreath ***@***.***> wrote:
Sorry about that. That feature was definitely supposed to be behind a
config option. This has been rectified in build 1287.
As for why we do this check @Phoenix616 <https://github.com/Phoenix616>
its because Purpur has the option to put a player into invulnerable mode
while they are accepting/downloading a server resource pack. This check was
put into place to prevent modded clients from abusing this feature to gain
unlimited vulnerability. You can send the resource pack through
ServerPlayer#sendTexturePack or manually set Purpur's
ServerPlayer#acceptingResourcePack flag to make this plugin compatible
with this feature.
@mibby <https://github.com/mibby> Make sure you disable the
player.invulnerable-while-accepting-resource-pack option in purpur.yml
until this plugin becomes compatible with the feature.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#55 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABMAMTJZZ6M2H3M5OK4BU3TTYL4HVANCNFSM5ASB2FVA>
.
|
Shouldn't the plugin on the proxy swallow the responses then? |
No, this plugin doesn't handle the responses at all. And even if I don't
believe they should be swallowed, if they would then plugins behind the
proxy wouldn't be able to listen on the status or check the
`Player#hasResourcepack` to see if the player has a pack.
…On Sun, Jul 18, 2021, 20:10 BillyGalbreath ***@***.***> wrote:
Well that's not really possible in that case as the plugin sends the pack
from the proxy :)
Shouldn't the plugin on the proxy swallow the responses then?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#55 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABMAMTLFJTVGMZWAKX4YSZLTYMRJRANCNFSM5ASB2FVA>
.
|
Closing this seeing as there now is a work around (even though it might not be ideal in most situations).
Out of curiosity though: Why are you not freezing the player when the pack request is sent instead of when the |
Used Version
BungeeResourcepacks version 1.8.6-SNAPSHOT (build 433) by Phoenix616
Config
Environment description
Waterfall dev 445 (BungeeCord 1.17.1)
Purpur dev 1285 (Paper 1.17.1)
Full Log
BungeeCord log
Server log
What other programs/plugins are you running?
What is happening?
Disconnect from server due to BungeeResourcepack triggering resource pack packet exploitation attempts. Even if your resource pack is disabled in the multiplayer menu, BRP sends a packet check to the client that disconnects the user.
What did you expect to happen?
Being able to login without being disconnected.
Additional context
Delaying the pack sending delays the disconnect but doesn't fix the problem. Only fully removing BungeeResourcepacks from BungeeCord fixes the problem.
The text was updated successfully, but these errors were encountered: