Patch the hole
Thanks to @SOF3 for finding this vulnerability!

Co-Authored-By: Jonathan Chan Kwan Yin <sofe2038@gmail.com>
NhanAZ and SOF3 committed May 11, 2022
1 parent a1be839 commit 0060d42
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/kaidoMC/RegionProtect/RegionProtect.php
Expand Up @@ -122,6 +122,10 @@ private function getBasicForm(Player $sender): void {
if ($result === null) {
return;
}
if (!preg_match('/^[\w]+$/', $result[2])) {

@SOF3

SOF3 May 11, 2022

Author Contributor

I think the best solution is to not use user-provided strings in filenames at all. Why not just store all data in a SQLite3 database?

@NhanAZ

NhanAZ May 11, 2022

Author Contributor

You see. This is just a temporary solution on a temporary branch. Looks like @kaidoMC is very busy fixing this, so this is only a temporary solution to the best of my ability.

$sender->sendMessage(TextFormat::RED . "Invalid region name! Only alphanumeric characters allowed.");
return;
}
if ($result[2] != null and $result[3] != null) {
$this->getVectorAdjust()->setLocation($sender, $result[2], $result[3], [$X1, $Y1, $Z1], [$X2, $Y2, $Z2]);
} else {
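
Review bot: The `$` anchor in the added `preg_match('/^[\w]+$/', $result[2])` check also matches just before a trailing newline, so a region name ending in "\n" passes the filter; anchor with `\z` or add the `D` modifier, for example `'/^\w+\z/'`. The check also runs before the existing `$result[2] != null` test, so an empty or null name now gets the "Invalid region name!" message and never reaches the `else` branch, and passing null to `preg_match` is deprecated as of PHP 8.1; move the null test first or confirm the new behaviour is intended. The message says "Only alphanumeric characters allowed" while `\w` also accepts underscore, so either tighten the character class or reword the message. `$result[3]` goes into the same `setLocation` call with no validation; if it can reach a filename it needs the same check.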