This PR switches `skinDomains` to a new matching method to avoid a security problem that the previous method could introduce.

Background

The API metadata contains a property named `skinDomains`, the texture whitelist. Minecraft only downloads a texture when the domain of the texture URL matches a rule in the whitelist; the reason this mechanism was introduced is described in MC-78491. Currently authlib-injector uses the matching method inherited from vanilla Minecraft: the texture domain must end with any one of the whitelist entries. For example:

- `.example.com` matches `a.example.com` and `b.a.example.com`, but not `example.com`.
- `example.com` matches `example.com`, `a.example.com` and `eexample.com`.

If you want to match the subdomains of `example.com`, you can use the rule `.example.com`, and that is fine; but if you want to match the top-level domain `example.com` itself, you must use the rule `example.com`, and that rule also matches `eexample.com`, which creates a potential security problem.

Solution

Change the matching method for `skinDomains` as follows:

- If a rule starts with `.` (dot), it matches any domain that ends with the rule. `.example.com` matches `a.example.com` and `b.a.example.com`, but not `example.com`.
- If a rule does not start with `.` (dot), the domain must be exactly identical to the rule. `example.com` matches `example.com`, but not `a.example.com` or `eexample.com`.

Compatibility

Because the new matching method is stricter, it may cause compatibility problems. If you used a single rule (such as `example.com`) to match both a domain (such as `example.com`) and its subdomains (such as `a.example.com`), this no longer works. You now need two rules: `example.com` (matching the top-level domain) and `.example.com` (matching its subdomains).
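The two matching methods side by side, as an added example that is not authlib-injector's own code: the old suffix-only check that lets `example.com` accept `eexample.com`, and the stricter rule this PR describes (leading dot means subdomain suffix match, anything else means exact match). `host_of` and `is_allowed` are constructed helper names; the texture URLs and rule lists are constructed sample input.

```python
from urllib.parse import urlsplit


def old_matches(rule: str, host: str) -> bool:
    # Previous (vanilla-inherited) check: the host only has to end with the
    # rule, so the rule "example.com" also accepts "eexample.com".
    return host.endswith(rule)


def new_matches(rule: str, host: str) -> bool:
    # The PR's rule: a rule starting with "." matches hosts that end with it
    # (subdomains only); any other rule must equal the host exactly.
    if rule.startswith("."):
        return host.endswith(rule)
    return host == rule


def host_of(texture_url: str) -> str:
    # Domain part of a texture URL (constructed helper). urlsplit().hostname
    # drops port and userinfo and lowercases the name.
    return urlsplit(texture_url).hostname or ""


def is_allowed(skin_domains, texture_url: str, matcher=new_matches) -> bool:
    # Texture is downloadable only if some whitelist rule matches its domain.
    host = host_of(texture_url)
    return any(matcher(rule, host) for rule in skin_domains)


if __name__ == "__main__":
    rules = ["example.com"]
    for url in ("http://example.com/skin.png",
                "http://a.example.com/skin.png",
                "http://eexample.com/skin.png"):
        print(url,
              "old:", is_allowed(rules, url, old_matches),
              "new:", is_allowed(rules, url, new_matches))
    # Compatibility: matching the domain and its subdomains now needs two rules.
    both = ["example.com", ".example.com"]
    print("two rules:", is_allowed(both, "http://example.com/skin.png"),
          is_allowed(both, "http://a.example.com/skin.png"))
```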