From 34e9e93210497d92a388e2ee31be7a5b25b5abe6 Mon Sep 17 00:00:00 2001
From: "Dylan K. Taylor"
Date: Thu, 5 Jul 2018 19:59:08 +0100
Subject: [PATCH 1/3] PluginBase: fixed crashing on getConfig() when data dir doesn't exist

I considered making this instead save the default config instead of creating an empty config file, but that would be (albeit minor) a behavioural change which therefore belongs in 3.1.
---
 src/pocketmine/plugin/PluginBase.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/pocketmine/plugin/PluginBase.php b/src/pocketmine/plugin/PluginBase.php
index 3001b0a42..bba7231e9 100644
--- a/src/pocketmine/plugin/PluginBase.php
+++ b/src/pocketmine/plugin/PluginBase.php
@@ -256,6 +256,7 @@ abstract class PluginBase implements Plugin{
 }
 public function reloadConfig(){
+ @mkdir($this->dataFolder);
 $this->config = new Config($this->configFile);
 if(($configStream = $this->getResource("config.yml")) !== null){
 $this->config->setDefaults(yaml_parse(Config::fixYAMLIndexes(stream_get_contents($configStream))));
From ee7c838040df9817eba7891212818fb6e5d35ebd Mon Sep 17 00:00:00 2001
From: "Dylan K. Taylor"
Date: Fri, 6 Jul 2018 12:54:43 +0100
Subject: [PATCH 2/3] LoginPacket: barf on finding extraData multiple times

this fixes a potential exploit where clients could append JWTs signed with their own keys to the end of the chain containing fake XUID/UUID/username which would then overwrite the legitimate ones in earlier links. This stems from the fact that the final link of the vanilla chain contains the client's own pubkey, so the client is able to append its own data to the end of the chain.
---
 src/pocketmine/network/mcpe/protocol/LoginPacket.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/pocketmine/network/mcpe/protocol/LoginPacket.php b/src/pocketmine/network/mcpe/protocol/LoginPacket.php
index 24f9c520d..67c70fc12 100644
--- a/src/pocketmine/network/mcpe/protocol/LoginPacket.php
+++ b/src/pocketmine/network/mcpe/protocol/LoginPacket.php
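Review bot: In `PluginBase::reloadConfig()`, `@mkdir($this->dataFolder);` discards every failure, so if the directory cannot be created (permissions, a missing parent, a regular file at that path) the `new Config($this->configFile)` on the next line will presumably still fail in the way the commit title describes, now with no trace of the cause. Checking the result keeps the fix and surfaces the real error: `if(!@mkdir($this->dataFolder) && !is_dir($this->dataFolder)){ throw new \RuntimeException("Failed to create plugin data folder"); }`. The body of `reloadConfig()` continues past the end of the hunk.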
@@ -105,9 +105,15 @@ class LoginPacket extends DataPacket{
 $buffer = new BinaryStream($this->getString());
 $this->chainData = json_decode($buffer->get($buffer->getLInt()), true);
+
+ $hasExtraData = false;
 foreach($this->chainData["chain"] as $chain){
 $webtoken = Utils::decodeJWT($chain);
 if(isset($webtoken["extraData"])){
+ if($hasExtraData){
+ throw new \RuntimeException("Found 'extraData' multiple times in key chain");
+ }
+ $hasExtraData = true;
 if(isset($webtoken["extraData"]["displayName"])){
 $this->username = $webtoken["extraData"]["displayName"];
 }
From 70caa002664ba663da3b8227f90ec1432f418321 Mon Sep 17 00:00:00 2001
From: "Dylan K. Taylor"
Date: Fri, 6 Jul 2018 12:59:02 +0100
Subject: [PATCH 3/3] disable dev flag for release
---
 src/pocketmine/PocketMine.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pocketmine/PocketMine.php b/src/pocketmine/PocketMine.php
index 7f0c76be5..4e1ee24c1 100644
--- a/src/pocketmine/PocketMine.php
+++ b/src/pocketmine/PocketMine.php
@@ -38,7 +38,7 @@ namespace pocketmine {
 const NAME = "PocketMine-MP";
 const BASE_VERSION = "3.0.5";
- const IS_DEVELOPMENT_BUILD = true;
+ const IS_DEVELOPMENT_BUILD = false;
 const BUILD_NUMBER = 0;
 const MIN_PHP_VERSION = "7.2.0";
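Review bot: In the `LoginPacket.php` hunk, the new `$hasExtraData` guard makes `extraData` unique within the chain, but nothing visible here ties the accepted `extraData` to a link whose signature has been verified; `Utils::decodeJWT($chain)` appears only to decode. Verification presumably happens elsewhere, so it is worth confirming that `username` and the other identity fields are trusted only after the whole chain validates, and that a chain carrying no `extraData` at all is rejected rather than leaving those fields unset. The values are also client-supplied JSON, so `$this->chainData["chain"]` and `$webtoken["extraData"]["displayName"]` should be type-checked (array and string respectively) before use. The rationale currently lives only in the commit message; a comment above the guard such as `// extraData must appear exactly once: the last vanilla link carries the client's own key, so later links are client-controlled` would keep it with the code. The enclosing decode method starts and ends outside the hunk.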