CVE-2022-29215: Patch the hole · kaidomc-pm-pl/RegionProtect@0060d42
RegionProtect is a plugin that allows users to manage certain events in certain regions of the world. Versions prior to 1.1.0 contain a YAML injection vulnerability that can cause an instant server crash if the passed arguments are not matched. Version 1.1.0 contains a patch for this issue. As a workaround, do not grant operator permissions to untrusted people and avoid entering arguments likely to cause a crash.
@@ -122,6 +122,10 @@ private function getBasicForm(Player $sender): void {
if ($result === null) {
return;
}
if (!preg_match('/^[\w]+$/’, $result[2])) {
**SOF3** May 11, 2022
Author Contributor
I think the best solution is to not use user-provided strings in filenames at all. Why not just store all data in a SQLite3 database?
**NhanAZ** May 11, 2022
Author Member
You see. This is just a temporary solution on a temporary branch. Looks like @kaidoMC is very busy fixing this, so this is only a temporary solution to the best of my ability.
$sender->sendMessage(TextFormat::RED . “Invalid region name! Only alphanumeric characters allowed.”);
return;
}
if ($result[2] != null and $result[3] != null) {
$this->getVectorAdjust()->setLocation($sender, $result[2], $result[3], [$X1, $Y1, $Z1], [$X2, $Y2, $Z2]);
} else {
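Review bot: The pattern in the added `preg_match` line anchors with `$` and no `D` modifier, so in PCRE a `$result[2]` that ends in a newline still matches; anchor with `\z` (for example `/^\w+\z/`) so the whole string is constrained. Only `$result[2]` is validated, while `$result[3]` is passed to `setLocation()` unchecked; if it also ends up in a file name or YAML key it needs the same check. Because the new check runs before the existing `$result[2] != null` test, a null or empty `$result[2]` now gets the "Invalid region name" reply and never reaches the `else` branch, so either move the check inside the `if` or confirm that change is intended. `\w` also accepts underscores, which the message "Only alphanumeric characters allowed." does not mention.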