Upstream
/
Multiverse-Core
mirror of https://github.com/Multiverse/Multiverse-Core.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix creation and import Exploit (#2353) 

Through this fix you can avoid deleting of important folders.
This commit is contained in:
xSavior_of_God 2021-05-16 06:56:14 +02:00 committed by GitHub
parent 28cee291c6
commit f72cc6764b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/main/java/com/onarandombox/MultiverseCore/commands/CreateCommand.java
View File

@ -47,9 +47,14 @@ public class CreateCommand extends MultiverseCommand {
this.worldManager = this.plugin.getMVWorldManager();
}
private String trimWorldName(String userInput) {
// Removes relative paths.
return userInput.replaceAll("^[./\\\\]+", "");
}
@Override
public void runCommand(CommandSender sender, List<String> args) {
String worldName = args.get(0);
String worldName = trimWorldName(args.get(0));
File worldFile = new File(this.plugin.getServer().getWorldContainer(), worldName);
String env = args.get(1);
String seed = CommandHandler.getFlag("-s", args);
@ -67,6 +72,12 @@ public class CreateCommand extends MultiverseCommand {
}
}
// Make sure the world name doesn't contain the words 'plugins' and '.dat'
if(worldName.contains("plugins")||worldName.contains(".dat")){
sender.sendMessage(ChatColor.RED + "Multiverse cannot create a world that contains 'plugins' or '.dat'");
return;
}
if (this.worldManager.isMVWorld(worldName)) {
sender.sendMessage(ChatColor.RED + "Multiverse cannot create " + ChatColor.GOLD + ChatColor.UNDERLINE
+ "another" + ChatColor.RESET + ChatColor.RED + " world named " + worldName);

6
src/main/java/com/onarandombox/MultiverseCore/commands/ImportCommand.java
View File

@ -82,6 +82,12 @@ public class ImportCommand extends MultiverseCommand {
return;
}
// Make sure the world name doesn't contain the words 'plugins' and '.dat'
if(worldName.contains("plugins")||worldName.contains(".dat")){
sender.sendMessage(ChatColor.RED + "Multiverse cannot create a world that contains 'plugins' or '.dat'");
return;
}
// Make sure we don't already know about this world.
if (this.worldManager.isMVWorld(worldName)) {
sender.sendMessage(ChatColor.GREEN + "Multiverse" + ChatColor.WHITE