From bd4a34e2ae07c0447ba5b17a4f6773714ebd506a Mon Sep 17 00:00:00 2001 From: Mike Primm Date: Fri, 24 Dec 2021 00:08:52 -0600 Subject: [PATCH] Shift string safely into Log class, finish hack substitution string --- .../java/org/dynmap/JsonFileClientUpdateComponent.java | 8 +++----- DynmapCore/src/main/java/org/dynmap/Log.java | 9 +++++++++ .../src/main/java/org/dynmap/SimpleWebChatComponent.java | 1 + .../main/java/org/dynmap/servlet/SendMessageServlet.java | 9 ++++----- fabric-1.14.4/src/main/resources/configuration.txt | 3 +++ fabric-1.15.2/src/main/resources/configuration.txt | 3 +++ fabric-1.16.4/src/main/resources/configuration.txt | 3 +++ fabric-1.17.1/src/main/resources/configuration.txt | 3 +++ fabric-1.18/src/main/resources/configuration.txt | 3 +++ forge-1.11.2/src/main/resources/configuration.txt | 3 +++ forge-1.12.2/src/main/resources/configuration.txt | 3 +++ forge-1.13.2/src/main/resources/configuration.txt | 3 +++ forge-1.14.4/src/main/resources/configuration.txt | 3 +++ forge-1.15.2/src/main/resources/configuration.txt | 3 +++ forge-1.16.5/src/main/resources/configuration.txt | 3 +++ forge-1.17.1/src/main/resources/configuration.txt | 3 +++ forge-1.18/src/main/resources/configuration.txt | 3 +++ spigot/src/main/resources/configuration.txt | 3 +++ 18 files changed, 59 insertions(+), 10 deletions(-) diff --git a/DynmapCore/src/main/java/org/dynmap/JsonFileClientUpdateComponent.java b/DynmapCore/src/main/java/org/dynmap/JsonFileClientUpdateComponent.java index 79f9d37d..0ca7f1f9 100644 --- a/DynmapCore/src/main/java/org/dynmap/JsonFileClientUpdateComponent.java +++ b/DynmapCore/src/main/java/org/dynmap/JsonFileClientUpdateComponent.java @@ -49,8 +49,6 @@ public class JsonFileClientUpdateComponent extends ClientUpdateComponent { private MapStorage storage; private File baseStandaloneDir; - private String safeString(String s) { return s.replaceAll("\\$", "_"); } - private static class FileToWrite { String filename; byte[] content; 
@@ -422,17 +420,17 @@ public class JsonFileClientUpdateComponent extends ClientUpdateComponent { isip = false; if(checkuserban) { if(core.getServer().isPlayerBanned(name)) { - Log.info("Ignore message from '" + ip + "' - banned player (" + safeString(name) + ")"); + Log.info("Ignore message from '" + ip + "' - banned player (" + name + ")"); ok = false; } } if(chat_perms && !core.getServer().checkPlayerPermission(name, "webchat")) { - Log.info("Rejected web chat from " + ip + ": not permitted (" + safeString(name) + ")"); + Log.info("Rejected web chat from " + ip + ": not permitted (" + name + ")"); ok = false; } } else if(requireplayerloginip) { - Log.info("Ignore message from '" + safeString(name) + "' - no matching player login recorded"); + Log.info("Ignore message from '" + name + "' - no matching player login recorded"); ok = false; } } diff --git a/DynmapCore/src/main/java/org/dynmap/Log.java b/DynmapCore/src/main/java/org/dynmap/Log.java index 1e75564d..9b8a7423 100644 --- a/DynmapCore/src/main/java/org/dynmap/Log.java +++ b/DynmapCore/src/main/java/org/dynmap/Log.java @@ -10,6 +10,9 @@ public class Log { private static String prefix = ""; private static DynmapLogger dlog = null; public static boolean verbose = false; + + public static String safeString(String s) { return s.replaceAll("[\\${}]", "_"); } + public static void setLogger(Logger logger, String pre) { log = logger; if((pre != null) && (pre.length() > 0)) @@ -24,6 +27,7 @@ public class Log { log.setParent(parent); } public static void info(String msg) { + msg = safeString(msg); if (dlog != null) { dlog.info(msg); } @@ -33,6 +37,7 @@ public class Log { } public static void verboseinfo(String msg) { if(verbose) { + msg = safeString(msg); if (dlog != null) { dlog.info(msg); } @@ -50,6 +55,7 @@ public class Log { } } public static void severe(String msg) { + msg = safeString(msg); if (dlog != null) { dlog.severe(msg); } 
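Review bot: In the three `Log.info` calls of the `@@ -422,17 +420,17` hunk, `name` now reaches the message with no per-call filtering and is covered only by the central `Log.safeString`, whose character class `[\\${}]` leaves carriage returns and line feeds intact. If `name` (parsed outside this hunk, presumably from the web chat request) can contain line breaks, one entry can still be split into lines that read as separate log events. Widening the class in `Log.safeString` to `"[\\${}\\r\\n]"` would cover these calls and the equivalent `userID` / `message.name` calls in `SendMessageServlet`. The enclosing method starts and ends outside the hunk.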
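Review bot: `safeString` in the `@@ -10,6 +10,9` hunk of `Log.java` dereferences `s` unconditionally, and every `Log` method patched in the following hunks now calls it first, so a call such as `Log.info(null)` would throw a NullPointerException inside `Log` itself; whether such a call failed before depends on the logger behind it, which is not visible here. It also recompiles the regex on every log call. Suggest `private static final Pattern UNSAFE = Pattern.compile("[\\${}]");` and `public static String safeString(String s) { return (s == null) ? null : UNSAFE.matcher(s).replaceAll("_"); }` (needs `java.util.regex.Pattern` imported). A short Javadoc stating that this strips the characters Log4j lookup syntax depends on, that it rewrites braces in every logged message, and that it complements rather than replaces a patched logging library would help the next maintainer.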
@@ -58,6 +64,7 @@ public class Log { } } public static void severe(String msg, Throwable e) { + msg = safeString(msg); if (dlog != null) { dlog.severe(msg, e); } @@ -66,6 +73,7 @@ public class Log { } } public static void warning(String msg) { + msg = safeString(msg); if (dlog != null) { dlog.warning(msg); } @@ -74,6 +82,7 @@ public class Log { } } public static void warning(String msg, Throwable e) { + msg = safeString(msg); if (dlog != null) { dlog.warning(msg, e); } diff --git a/DynmapCore/src/main/java/org/dynmap/SimpleWebChatComponent.java b/DynmapCore/src/main/java/org/dynmap/SimpleWebChatComponent.java index cdbb9e64..0ca6511e 100644 --- a/DynmapCore/src/main/java/org/dynmap/SimpleWebChatComponent.java +++ b/DynmapCore/src/main/java/org/dynmap/SimpleWebChatComponent.java @@ -45,6 +45,7 @@ public class SimpleWebChatComponent extends Component { @Override public void chatEvent(DynmapPlayer p, String msg) { if(core.disable_chat_to_web) return; + msg = core.scanAndReplaceLog4JMacro(msg); if(core.mapManager != null) core.mapManager.pushUpdate(new Client.ChatMessage("player", "", p.getDisplayName(), msg, p.getName())); } diff --git a/DynmapCore/src/main/java/org/dynmap/servlet/SendMessageServlet.java b/DynmapCore/src/main/java/org/dynmap/servlet/SendMessageServlet.java index ae74de97..cd20acdc 100644 --- a/DynmapCore/src/main/java/org/dynmap/servlet/SendMessageServlet.java +++ b/DynmapCore/src/main/java/org/dynmap/servlet/SendMessageServlet.java @@ -52,7 +52,6 @@ public class SendMessageServlet extends HttpServlet { public DynmapCore core; public HashSet proxyaddress = new HashSet(); - private String safeString(String s) { return s.replaceAll("\\$", "_"); } @Override protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { byte[] bytes; 
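Review bot: In `severe(String msg, Throwable e)` (`@@ -58,6 +64,7`) and `warning(String msg, Throwable e)` (`@@ -74,6 +82,7`) only `msg` is filtered; `e` is handed to the logger as-is, so request-derived text inside an exception message or its causes bypasses `safeString`. Whether the backend expands lookup syntax in throwable text depends on the logger and its version, which this patch does not show, so it is worth confirming rather than assuming. A comment on both overloads such as `// NOTE: e is not sanitized; do not build exception messages from untrusted input` would record the limit. Both method bodies continue past their hunks.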
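Review bot: `chatEvent` in `SimpleWebChatComponent` filters only `msg`; `p.getDisplayName()` and `p.getName()` are passed to `Client.ChatMessage` unfiltered in the same statement. If display names can be changed by players or by nickname plugins (not visible here), they should presumably get the same treatment, e.g. `String dname = core.scanAndReplaceLog4JMacro(p.getDisplayName());`. `scanAndReplaceLog4JMacro` is defined outside this patch, so its behaviour for a null `msg` cannot be checked from these lines; a guard at the call or a note on its contract is worth adding.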
@@ -66,7 +65,7 @@ public class SendMessageServlet extends HttpServlet { } else if(chat_requires_login && (!userID.equals(LoginServlet.USERID_GUEST)) && chat_perms && (!core.checkPermission(userID, "webchat"))) { - Log.info("Rejected web chat by " + safeString(userID) + ": not permitted"); + Log.info("Rejected web chat by " + userID + ": not permitted"); error = "not-permitted"; } else { @@ -119,20 +118,20 @@ public class SendMessageServlet extends HttpServlet { String id = ids.get(0); if (check_user_ban) { if (core.getServer().isPlayerBanned(id)) { - Log.info("Ignore message from '" + safeString(message.name) + "' - banned player (" + id + ")"); + Log.info("Ignore message from '" + message.name + "' - banned player (" + id + ")"); error = "not-allowed"; ok = false; } } if (chat_perms && !core.getServer().checkPlayerPermission(id, "webchat")) { - Log.info("Rejected web chat from '" + safeString(message.name) + "': not permitted (" + id + ")"); + Log.info("Rejected web chat from '" + message.name + "': not permitted (" + id + ")"); error = "not-allowed"; ok = false; } message.name = id; isip = false; } else if (require_player_login_ip) { - Log.info("Ignore message from '" + safeString(message.name) + "' - no matching player login recorded"); + Log.info("Ignore message from '" + message.name + "' - no matching player login recorded"); error = "not-allowed"; ok = false; } diff --git a/fabric-1.14.4/src/main/resources/configuration.txt b/fabric-1.14.4/src/main/resources/configuration.txt index 8b8072ac..60061af7 100644 --- a/fabric-1.14.4/src/main/resources/configuration.txt +++ b/fabric-1.14.4/src/main/resources/configuration.txt @@ -459,3 +459,6 @@ verbose: false # - class: org.dynmap.debug.LogDebugger # Debug: dump blocks missing render data dump-missing-blocks: false + +# Log4J defense: string substituted for attempts to use macros in web chat +hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)" 
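Review bot: The new key `hackAttemptBlurb` is camelCase, while the keys visible next to it (`dump-missing-blocks`, and `migrate-chunks` in the spigot file) are lower-case and hyphenated; `hack-attempt-blurb` would match, provided the Java code that reads the key (outside this patch) is changed with it. The comment says the string applies to web chat, but the `SimpleWebChatComponent` hunk in this commit runs the replacement in `chatEvent`, which takes a `DynmapPlayer`, so it looks as if player chat shown on the web map is rewritten too; the comment could say so. The same three lines are added to the other thirteen `configuration.txt` files in this commit.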
diff --git a/fabric-1.15.2/src/main/resources/configuration.txt b/fabric-1.15.2/src/main/resources/configuration.txt
index 8b8072ac..60061af7 100644
--- a/fabric-1.15.2/src/main/resources/configuration.txt
+++ b/fabric-1.15.2/src/main/resources/configuration.txt
@@ -459,3 +459,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/fabric-1.16.4/src/main/resources/configuration.txt b/fabric-1.16.4/src/main/resources/configuration.txt
index ea7f54a4..b53b60b7 100644
--- a/fabric-1.16.4/src/main/resources/configuration.txt
+++ b/fabric-1.16.4/src/main/resources/configuration.txt
@@ -467,3 +467,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/fabric-1.17.1/src/main/resources/configuration.txt b/fabric-1.17.1/src/main/resources/configuration.txt
index ea7f54a4..b53b60b7 100644
--- a/fabric-1.17.1/src/main/resources/configuration.txt
+++ b/fabric-1.17.1/src/main/resources/configuration.txt
@@ -467,3 +467,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/fabric-1.18/src/main/resources/configuration.txt b/fabric-1.18/src/main/resources/configuration.txt
index 5d5b44a9..1c144124 100644
--- a/fabric-1.18/src/main/resources/configuration.txt
+++ b/fabric-1.18/src/main/resources/configuration.txt
@@ -465,3 +465,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/forge-1.11.2/src/main/resources/configuration.txt b/forge-1.11.2/src/main/resources/configuration.txt
index ea7f54a4..b53b60b7 100644
--- a/forge-1.11.2/src/main/resources/configuration.txt
+++ b/forge-1.11.2/src/main/resources/configuration.txt
@@ -467,3 +467,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/forge-1.12.2/src/main/resources/configuration.txt b/forge-1.12.2/src/main/resources/configuration.txt
index ea7f54a4..b53b60b7 100644
--- a/forge-1.12.2/src/main/resources/configuration.txt
+++ b/forge-1.12.2/src/main/resources/configuration.txt
@@ -467,3 +467,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/forge-1.13.2/src/main/resources/configuration.txt b/forge-1.13.2/src/main/resources/configuration.txt
index ea7f54a4..b53b60b7 100644
--- a/forge-1.13.2/src/main/resources/configuration.txt
+++ b/forge-1.13.2/src/main/resources/configuration.txt
@@ -467,3 +467,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/forge-1.14.4/src/main/resources/configuration.txt b/forge-1.14.4/src/main/resources/configuration.txt
index ea7f54a4..b53b60b7 100644
--- a/forge-1.14.4/src/main/resources/configuration.txt
+++ b/forge-1.14.4/src/main/resources/configuration.txt
@@ -467,3 +467,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/forge-1.15.2/src/main/resources/configuration.txt b/forge-1.15.2/src/main/resources/configuration.txt
index ea7f54a4..b53b60b7 100644
--- a/forge-1.15.2/src/main/resources/configuration.txt
+++ b/forge-1.15.2/src/main/resources/configuration.txt
@@ -467,3 +467,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/forge-1.16.5/src/main/resources/configuration.txt b/forge-1.16.5/src/main/resources/configuration.txt
index 8969bcb8..612dbbc5 100644
--- a/forge-1.16.5/src/main/resources/configuration.txt
+++ b/forge-1.16.5/src/main/resources/configuration.txt
@@ -467,3 +467,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/forge-1.17.1/src/main/resources/configuration.txt b/forge-1.17.1/src/main/resources/configuration.txt
index 8969bcb8..612dbbc5 100644
--- a/forge-1.17.1/src/main/resources/configuration.txt
+++ b/forge-1.17.1/src/main/resources/configuration.txt
@@ -467,3 +467,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/forge-1.18/src/main/resources/configuration.txt b/forge-1.18/src/main/resources/configuration.txt
index 8969bcb8..612dbbc5 100644
--- a/forge-1.18/src/main/resources/configuration.txt
+++ b/forge-1.18/src/main/resources/configuration.txt
@@ -467,3 +467,6 @@ verbose: false
 # - class: org.dynmap.debug.LogDebugger
 # Debug: dump blocks missing render data
 dump-missing-blocks: false
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"
diff --git a/spigot/src/main/resources/configuration.txt b/spigot/src/main/resources/configuration.txt
index 98af954b..3e4fb82a 100644
--- a/spigot/src/main/resources/configuration.txt
+++ b/spigot/src/main/resources/configuration.txt
@@ -501,3 +501,6 @@ dump-missing-blocks: false
 # your worlds before running with this setting enabled (set to true)
 #
 #migrate-chunks: true
+
+# Log4J defense: string substituted for attempts to use macros in web chat
+hackAttemptBlurb: "(IaM5uchA1337Haxr-Ban Me!)"