Merge pull request #170 from AlexProgrammerDE/master

Fix forcelogin auth exploit
Adrian 2024-08-24 23:43:50 -05:00 committed by GitHub
commit ccd2903de8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -58,15 +58,20 @@ public final class PluginMessageListener implements Listener<PluginMessageEvent>
public EventTask executeAsync(final PluginMessageEvent event) { public EventTask executeAsync(final PluginMessageEvent event) {
return EventTask.async(() -> { return EventTask.async(() -> {
plugin.logDebug(() -> "PluginMessageEvent | Start"); plugin.logDebug(() -> "PluginMessageEvent | Start");
if (notAllowedEvent(event)) { if (notHandledEvent(event)) {
plugin.logDebug(() -> "PluginMessageEvent | Not allowed"); plugin.logDebug(() -> "PluginMessageEvent | Not handled");
return; return;
} }
final ServerConnection connection = (ServerConnection) event.getSource(); // Set the result to handled, the message is dropped at the proxy
event.setResult(PluginMessageEvent.ForwardResult.handled()); event.setResult(PluginMessageEvent.ForwardResult.handled());
// Make sure the message is S -> P, NOT P -> S
if (!(event.getSource() instanceof ServerConnection connection)) {
plugin.logDebug("PluginMessageEvent | Not ServerConnection");
return;
}
final ByteArrayDataInput input = event.dataAsDataStream(); final ByteArrayDataInput input = event.dataAsDataStream();
final String message = input.readUTF(); final String message = input.readUTF();
final MessageType type = TYPES.valueOrThrow(message.toUpperCase(Locale.ROOT)); final MessageType type = TYPES.valueOrThrow(message.toUpperCase(Locale.ROOT));
@ -114,15 +119,11 @@ public final class PluginMessageListener implements Listener<PluginMessageEvent>
}); });
} }
private boolean notAllowedEvent(PluginMessageEvent event) { private boolean notHandledEvent(PluginMessageEvent event) {
if (!event.getResult().isAllowed()) { if (!event.getResult().isAllowed()) {
plugin.logDebug("PluginMessageEvent | Result not allowed"); plugin.logDebug("PluginMessageEvent | Result not allowed");
return true; return true;
} }
if (!(event.getSource() instanceof ServerConnection)) {
plugin.logDebug("PluginMessageEvent | Not ServerConnection");
return true;
}
final var identifier = event.getIdentifier(); final var identifier = event.getIdentifier();
if (!(identifier.equals(AuthMeVelocityPlugin.MODERN_CHANNEL) if (!(identifier.equals(AuthMeVelocityPlugin.MODERN_CHANNEL)
|| identifier.equals(AuthMeVelocityPlugin.LEGACY_CHANNEL))) { || identifier.equals(AuthMeVelocityPlugin.LEGACY_CHANNEL))) {
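Review bot: In the new source check in `executeAsync`, a message on the AuthMeVelocity channel that does not come from a `ServerConnection` is recorded only through `plugin.logDebug("PluginMessageEvent | Not ServerConnection")`, so a player-side attempt to spoof proxy messages leaves no trace unless debug logging is enabled. Consider reporting that branch at warning level and including `event.getSource()` in the message, so operators can see and attribute the sender. The fix also relies on `event.setResult(PluginMessageEvent.ForwardResult.handled())` running before the source check, which the existing comment does not state; I would extend it to `// Must stay above the source check: a player-sent message on this channel is dropped here and never forwarded`. The rest of `executeAsync` lies between the two hunks and is not visible, so any later early return there should be checked for the same ordering assumption.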