From 59be901efe6b7833e69e638e0e1497051ce96fa7 Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Wed, 28 Dec 2022 20:42:33 +0000 Subject: [PATCH 01/20] Fixed unauthenticated sessions taking up player slots --- src/network/Network.php | 4 ++++ src/network/NetworkSessionManager.php | 24 ++++++++++++++++++- src/network/mcpe/NetworkSession.php | 1 + .../mcpe/handler/LoginPacketHandler.php | 2 +- 4 files changed, 29 insertions(+), 2 deletions(-) diff --git a/src/network/Network.php b/src/network/Network.php index 04a84e91f..8e60d416c 100644 --- a/src/network/Network.php +++ b/src/network/Network.php @@ -80,6 +80,10 @@ class Network{ return $this->sessionManager->getSessionCount(); } + public function getValidConnectionCount() : int{ + return $this->sessionManager->getValidSessionCount(); + } + public function tick() : void{ foreach($this->interfaces as $interface){ $interface->tick(); diff --git a/src/network/NetworkSessionManager.php b/src/network/NetworkSessionManager.php index de1b7bfe3..1336b53cc 100644 --- a/src/network/NetworkSessionManager.php +++ b/src/network/NetworkSessionManager.php @@ -32,12 +32,25 @@ class NetworkSessionManager{ /** @var NetworkSession[] */ private array $sessions = []; + /** @var NetworkSession[] */ + private array $pendingLoginSessions = []; + /** * Adds a network session to the manager. This should only be called on session creation. */ public function add(NetworkSession $session) : void{ $idx = spl_object_id($session); $this->sessions[$idx] = $session; + $this->pendingLoginSessions[$idx] = $session; + } + + /** + * Marks the session as having sent a login request. After this point, they are counted towards the total player + * count. + */ + public function markLoginReceived(NetworkSession $session) : void{ + $idx = spl_object_id($session); + unset($this->pendingLoginSessions[$idx]); } /** 
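Review bot: In `NetworkSessionManager`, the new `$pendingLoginSessions` property carries only a type annotation, while `getValidSessionCount()` (added later in this patch) depends on it always being a subset of `$sessions`. That holds in the visible code because `add()` writes both arrays and `remove()` clears both, but nothing states it. I would document it on the property, for example `/** Sessions that have connected but not yet sent a login request; always a subset of $sessions, keyed by spl_object_id(). */`. `markLoginReceived()` also accepts a session that was never added or was already removed; the `unset()` is harmless there, and a sentence in its docblock saying so would save the next reader from checking.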
@@ -47,15 +60,24 @@ class NetworkSessionManager{ public function remove(NetworkSession $session) : void{ $idx = spl_object_id($session); unset($this->sessions[$idx]); + unset($this->pendingLoginSessions[$idx]); } /** - * Returns the number of known connected sessions. + * Returns the number of known connected sessions, including sessions which have not yet sent a login request. */ public function getSessionCount() : int{ return count($this->sessions); } + /** + * Returns the number of connected sessions which have either sent a login request, or have already completed the + * login sequence. + */ + public function getValidSessionCount() : int{ + return count($this->sessions) - count($this->pendingLoginSessions); + } + /** @return NetworkSession[] */ public function getSessions() : array{ return $this->sessions; } diff --git a/src/network/mcpe/NetworkSession.php b/src/network/mcpe/NetworkSession.php index 8e76bced5..8bef42c36 100644 --- a/src/network/mcpe/NetworkSession.php +++ b/src/network/mcpe/NetworkSession.php @@ -229,6 +229,7 @@ class NetworkSession{ $this->info = $info; $this->logger->info("Player: " . TextFormat::AQUA . $info->getUsername() . TextFormat::RESET); $this->logger->setPrefix($this->getLogPrefix()); + $this->manager->markLoginReceived($this); }, function(bool $isAuthenticated, bool $authRequired, ?string $error, ?string $clientPubKey) : void{ $this->setAuthenticationStatus($isAuthenticated, $authRequired, $error, $clientPubKey); diff --git a/src/network/mcpe/handler/LoginPacketHandler.php b/src/network/mcpe/handler/LoginPacketHandler.php index 11e5b4af4..80f162697 100644 --- a/src/network/mcpe/handler/LoginPacketHandler.php +++ b/src/network/mcpe/handler/LoginPacketHandler.php 
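Review bot: In `NetworkSession`, `markLoginReceived()` is called from the player-info callback, which in this hunk sits ahead of the callback that invokes `setAuthenticationStatus()`, so a session appears to start counting as a valid connection once its login packet has been parsed rather than once authentication has succeeded. If that reading is right, a client that sends a login request it cannot authenticate still holds a slot until the session is closed, which is narrower than the commit title suggests. The docblock on `getValidSessionCount()` does say the count covers sessions that have only sent a login request, so this may be intended; a comment at the call such as `//counted from login receipt, not from successful authentication` would make the limit explicit. The enclosing method starts and ends outside the hunk, so the order in which the two callbacks actually run should be confirmed.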
@@ -123,7 +123,7 @@ class LoginPacketHandler extends PacketHandler{ $this->session->getPort(), $this->server->requiresAuthentication() ); - if($this->server->getNetwork()->getConnectionCount() > $this->server->getMaxPlayers()){ + if($this->server->getNetwork()->getValidConnectionCount() > $this->server->getMaxPlayers()){ $ev->setKickReason(PlayerPreLoginEvent::KICK_REASON_SERVER_FULL, KnownTranslationKeys::DISCONNECTIONSCREEN_SERVERFULL); } if(!$this->server->isWhitelisted($playerInfo->getUsername())){ From 466f7e98ed339681b46eea5a323bebbf07077721 Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Wed, 28 Dec 2022 21:01:47 +0000 Subject: [PATCH 02/20] Release 4.12.3 --- changelogs/4.12.md | 8 ++++++++ src/VersionInfo.php | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/changelogs/4.12.md b/changelogs/4.12.md index eaf4c8d25..99ac50e54 100644 --- a/changelogs/4.12.md +++ b/changelogs/4.12.md @@ -30,3 +30,11 @@ Released 15th December 2022. ## Dependencies - Updated BedrockProtocol to [17.1.0](https://github.com/pmmp/BedrockProtocol/releases/tag/17.1.0+bedrock-1.19.50). This adds some missing `LevelSoundEvent` constants and fixes the values for `ContainerUIIds`. + +# 4.12.3 +Released 28th December 2022. + +## Fixes +- Fixed unauthenticated connections taking up player count slots, preventing players from joining. +- Fixed a possible crash in `World->tickChunk()` when plugins unload chunks during some events. +- `/gamemode` will now report a failure to change game mode if the player is already in the requested game mode. \ No newline at end of file diff --git a/src/VersionInfo.php b/src/VersionInfo.php index 54fde8a37..62116b664 100644 --- a/src/VersionInfo.php +++ b/src/VersionInfo.php 
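Review bot: In `LoginPacketHandler`, the `>` in the server-full check is only right if the session handling this login is already included in `getValidConnectionCount()`. With `getConnectionCount()` that was guaranteed, because every session is counted from `add()`; with the new count it depends on `markLoginReceived()` having run for this session before this line, which the hunk does not show. If the call happens later, the comparison admits one player more than `getMaxPlayers()`. Worth confirming the order and recording it next to the check, e.g. `//this session has already been marked as login-received, so it is included in the count`. The enclosing method starts and ends outside the hunk.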
@@ -32,7 +32,7 @@ use function str_repeat; final class VersionInfo{ public const NAME = "PocketMine-MP"; public const BASE_VERSION = "4.12.3"; - public const IS_DEVELOPMENT_BUILD = true; + public const IS_DEVELOPMENT_BUILD = false; public const BUILD_CHANNEL = "stable"; private function __construct(){ From 90beaeaeb4afd90b9ad44d41d48bd534a1fd6d1d Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Wed, 28 Dec 2022 21:01:50 +0000 Subject: [PATCH 03/20] 4.12.4 is next --- src/VersionInfo.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/VersionInfo.php b/src/VersionInfo.php index 62116b664..4b59607a6 100644 --- a/src/VersionInfo.php +++ b/src/VersionInfo.php @@ -31,8 +31,8 @@ use function str_repeat; final class VersionInfo{ public const NAME = "PocketMine-MP"; - public const BASE_VERSION = "4.12.3"; - public const IS_DEVELOPMENT_BUILD = false; + public const BASE_VERSION = "4.12.4"; + public const IS_DEVELOPMENT_BUILD = true; public const BUILD_CHANNEL = "stable"; private function __construct(){ From 61933624d23a2f18019c957e71576073c5e15756 Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Fri, 30 Dec 2022 22:06:23 +0000 Subject: [PATCH 04/20] NetworkSession: Lift batch limit to 1300 to allow shift-click crafting to work correctly the theoretical limit for transactions in this case is 64x9 (inputs) + 64x9 (output on crafting grid) + 64 (outputs to main slot) + 64 CraftingEventPackets = 1280. This is an extreme case which assumes that a recipe could generate up to 64x10 (640) output items per iteration, filling every slot of the output grid, which should never occur in any reasonable circumstances. --- src/network/mcpe/NetworkSession.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network/mcpe/NetworkSession.php b/src/network/mcpe/NetworkSession.php index 8bef42c36..188b2fcae 100644 --- a/src/network/mcpe/NetworkSession.php +++ b/src/network/mcpe/NetworkSession.php 
@@ -366,7 +366,7 @@ class NetworkSession{ } try{ - foreach((new PacketBatch($decompressed))->getPackets($this->packetPool, $this->packetSerializerContext, 500) as [$packet, $buffer]){ + foreach((new PacketBatch($decompressed))->getPackets($this->packetPool, $this->packetSerializerContext, 1300) as [$packet, $buffer]){ if($packet === null){ $this->logger->debug("Unknown packet: " . base64_encode($buffer)); throw new PacketHandlingException("Unknown packet received"); From b312e93176d3ee2c4a0091ac9a8f438de60f455c Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Mon, 2 Jan 2023 22:59:48 +0000 Subject: [PATCH 05/20] Limit list max size in transactions this duct tape is to limit the impact of a security vulnerability being actively exploited. --- src/network/mcpe/handler/InGamePacketHandler.php | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/network/mcpe/handler/InGamePacketHandler.php b/src/network/mcpe/handler/InGamePacketHandler.php index 2c8451839..30e7a9573 100644 --- a/src/network/mcpe/handler/InGamePacketHandler.php +++ b/src/network/mcpe/handler/InGamePacketHandler.php @@ -254,6 +254,9 @@ class InGamePacketHandler extends PacketHandler{ $useItemTransaction = $packet->getItemInteractionData(); if($useItemTransaction !== null){ + if(count($useItemTransaction->getTransactionData()->getActions()) > 100){ + throw new PacketHandlingException("Too many actions in item use transaction"); + } if(!$this->handleUseItemTransaction($useItemTransaction->getTransactionData())){ $packetHandled = false; $this->session->getLogger()->debug("Unhandled transaction in PlayerAuthInputPacket (type " . $useItemTransaction->getTransactionData()->getActionType() . ")"); 
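Review bot: In `NetworkSession`, the limit passed to `getPackets()` is a bare `1300` whose derivation (64x9 + 64x9 + 64 + 64 = 1280) exists only in the commit message. A named constant with that arithmetic in its docblock, e.g. `private const MAX_PACKETS_PER_BATCH = 1300;` (the name is a suggestion), would keep the reasoning beside the value. As far as this hunk shows, the cap applies to every batch a session sends and not only to crafting, so raising it from 500 also raises the amount of packet handling a single inbound batch can trigger; the docblock could note what else bounds per-session work. The enclosing method starts and ends outside the hunk.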
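Review bot: In `InGamePacketHandler`, the literal `100` is used for the action-count guard here and again in the two later hunks of this patch (`count($blockActions) > 100` and `count($packet->trData->getActions()) > 100`), with no constant and no comment on how the bound was chosen. A single class constant, e.g. `private const MAX_TRANSACTION_ACTIONS = 100;` (the name is a suggestion), would keep the three checks in step. Each guard also runs on a list that has already been decoded into objects, so it limits the handling cost but presumably not the cost of decoding an oversized list; the decoder is outside this diff, so whether a bound exists there should be confirmed. The enclosing method starts and ends outside the hunk.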
@@ -264,6 +267,9 @@ class InGamePacketHandler extends PacketHandler{ $blockActions = $packet->getBlockActions(); if($blockActions !== null){ + if(count($blockActions) > 100){ + throw new PacketHandlingException("Too many block actions in PlayerAuthInputPacket"); + } foreach($blockActions as $k => $blockAction){ $actionHandled = false; if($blockAction instanceof PlayerBlockActionStopBreak){ @@ -310,6 +316,10 @@ class InGamePacketHandler extends PacketHandler{ public function handleInventoryTransaction(InventoryTransactionPacket $packet) : bool{ $result = true; + if(count($packet->trData->getActions()) > 100){ + throw new PacketHandlingException("Too many actions in inventory transaction"); + } + $this->inventoryManager->addPredictedSlotChanges($packet->trData->getActions()); if($packet->trData instanceof NormalTransactionData){ From b095f606c144ca375a69a8a0f0f289a9b3602629 Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Tue, 3 Jan 2023 19:29:47 +0000 Subject: [PATCH 06/20] Release 4.12.4 --- changelogs/4.12.md | 8 +++++++- src/VersionInfo.php | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/changelogs/4.12.md b/changelogs/4.12.md index 99ac50e54..066a5ec0b 100644 --- a/changelogs/4.12.md +++ b/changelogs/4.12.md @@ -37,4 +37,10 @@ Released 28th December 2022. ## Fixes - Fixed unauthenticated connections taking up player count slots, preventing players from joining. - Fixed a possible crash in `World->tickChunk()` when plugins unload chunks during some events. -- `/gamemode` will now report a failure to change game mode if the player is already in the requested game mode. \ No newline at end of file +- `/gamemode` will now report a failure to change game mode if the player is already in the requested game mode. + +# 4.12.4 +Released 3rd January 2023. + +## Fixes +- Added workarounds for an active exploit being used to deny service to servers. \ No newline at end of file 
diff --git a/src/VersionInfo.php b/src/VersionInfo.php index 4b59607a6..a361232b3 100644 --- a/src/VersionInfo.php +++ b/src/VersionInfo.php @@ -32,7 +32,7 @@ use function str_repeat; final class VersionInfo{ public const NAME = "PocketMine-MP"; public const BASE_VERSION = "4.12.4"; - public const IS_DEVELOPMENT_BUILD = true; + public const IS_DEVELOPMENT_BUILD = false; public const BUILD_CHANNEL = "stable"; private function __construct(){ From 588c9b114b052b56ffa694d8e6acdd906f33858e Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Tue, 3 Jan 2023 19:30:02 +0000 Subject: [PATCH 07/20] 4.12.5 is next --- src/VersionInfo.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/VersionInfo.php b/src/VersionInfo.php index a361232b3..95668c9d2 100644 --- a/src/VersionInfo.php +++ b/src/VersionInfo.php @@ -31,8 +31,8 @@ use function str_repeat; final class VersionInfo{ public const NAME = "PocketMine-MP"; - public const BASE_VERSION = "4.12.4"; - public const IS_DEVELOPMENT_BUILD = false; + public const BASE_VERSION = "4.12.5"; + public const IS_DEVELOPMENT_BUILD = true; public const BUILD_CHANNEL = "stable"; private function __construct(){ From 0e4b79ea77a9723a503ef0daf9b95001267c6437 Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Tue, 3 Jan 2023 19:43:21 +0000 Subject: [PATCH 08/20] =?UTF-8?q?InGamePacketHandler:=20fixed=20client-sid?= =?UTF-8?q?e=20predictions=20not=20getting=20rolled=20back=20for=20block?= =?UTF-8?q?=20placement=C3=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/network/mcpe/handler/InGamePacketHandler.php | 1 + 1 file changed, 1 insertion(+) diff --git a/src/network/mcpe/handler/InGamePacketHandler.php b/src/network/mcpe/handler/InGamePacketHandler.php index 30e7a9573..7b0fbb885 100644 --- a/src/network/mcpe/handler/InGamePacketHandler.php +++ b/src/network/mcpe/handler/InGamePacketHandler.php 
@@ -257,6 +257,7 @@ class InGamePacketHandler extends PacketHandler{ if(count($useItemTransaction->getTransactionData()->getActions()) > 100){ throw new PacketHandlingException("Too many actions in item use transaction"); } + $this->inventoryManager->addPredictedSlotChanges($useItemTransaction->getTransactionData()->getActions()); if(!$this->handleUseItemTransaction($useItemTransaction->getTransactionData())){ $packetHandled = false; $this->session->getLogger()->debug("Unhandled transaction in PlayerAuthInputPacket (type " . $useItemTransaction->getTransactionData()->getActionType() . ")"); From db07976aabcd90e2ca068087c14237e5b3a7aa6d Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Tue, 3 Jan 2023 23:50:31 +0000 Subject: [PATCH 09/20] TypeConverter: do not send useless meta to the client --- src/network/mcpe/convert/TypeConverter.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/network/mcpe/convert/TypeConverter.php b/src/network/mcpe/convert/TypeConverter.php index b1f5f1f38..2c7a3415e 100644 --- a/src/network/mcpe/convert/TypeConverter.php +++ b/src/network/mcpe/convert/TypeConverter.php @@ -175,6 +175,7 @@ class TypeConverter{ $nbt = new CompoundTag(); } $nbt->setInt(self::DAMAGE_TAG, $itemStack->getDamage()); + $meta = 0; }elseif($isBlockItem && $itemStack->getMeta() !== 0){ //TODO HACK: This foul-smelling code ensures that we can correctly deserialize an item when the //client sends it back to us, because as of 1.16.220, blockitems quietly discard their metadata @@ -183,6 +184,7 @@ class TypeConverter{ $nbt = new CompoundTag(); } $nbt->setInt(self::PM_META_TAG, $itemStack->getMeta()); + $meta = 0; } } From fc63c5411684ef0e0b52b60d3de37ee25ba775de Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Wed, 4 Jan 2023 00:32:26 +0000 Subject: [PATCH 10/20] CraftingManager: more detailed type information for shapelessRecipes and shapedRecipes --- src/crafting/CraftingManager.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) 
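Review bot: In `InGamePacketHandler`, the added `addPredictedSlotChanges()` call receives a bounded list only because it comes after the `count(...) > 100` guard directly above it, and nothing in the code says the order matters. A short comment on the guard, e.g. `//must stay ahead of any use of getActions() below`, would protect against a later reordering that hands an unchecked action list to the inventory manager. `$useItemTransaction->getTransactionData()` is now evaluated four times in this block; a local variable would make it easier to read. The enclosing method starts and ends outside the hunk.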
diff --git a/src/crafting/CraftingManager.php b/src/crafting/CraftingManager.php index 0b37080fa..8edfaf3aa 100644 --- a/src/crafting/CraftingManager.php +++ b/src/crafting/CraftingManager.php @@ -34,9 +34,15 @@ use function usort; class CraftingManager{ use DestructorCallbackTrait; - /** @var ShapedRecipe[][] */ + /** + * @var ShapedRecipe[][] + * @phpstan-var array> + */ protected $shapedRecipes = []; - /** @var ShapelessRecipe[][] */ + /** + * @var ShapelessRecipe[][] + * @phpstan-var array> + */ protected $shapelessRecipes = []; /** @@ -133,6 +139,7 @@ class CraftingManager{ /** * @return ShapelessRecipe[][] + * @phpstan-return array> */ public function getShapelessRecipes() : array{ return $this->shapelessRecipes; @@ -140,6 +147,7 @@ class CraftingManager{ /** * @return ShapedRecipe[][] + * @phpstan-return array> */ public function getShapedRecipes() : array{ return $this->shapedRecipes; From 33d1755eae25ae818036baf9d3aa9d159be5d8e1 Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Wed, 4 Jan 2023 01:28:25 +0000 Subject: [PATCH 11/20] Player: fixed not receiving slot updates for small crafting grid I'm not really sure why this tracking logic is here and not in InventoryManager, but for now it is what it is. --- src/player/Player.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/player/Player.php b/src/player/Player.php index 4ba1c81ae..3ef6a5e86 100644 --- a/src/player/Player.php +++ b/src/player/Player.php @@ -2448,7 +2448,7 @@ class Player extends Human implements CommandSender, ChunkListener, IPlayer{ $this->cursorInventory = new PlayerCursorInventory($this); $this->craftingGrid = new PlayerCraftingInventory($this); - $this->addPermanentInventories($this->inventory, $this->armorInventory, $this->cursorInventory, $this->offHandInventory); + $this->addPermanentInventories($this->inventory, $this->armorInventory, $this->cursorInventory, $this->offHandInventory, $this->craftingGrid); //TODO: more windows } 
From 64e505defbd13da1ae42296a4a906e87b78bc28c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Jan 2023 20:05:34 +0000 Subject: [PATCH 12/20] Bump phpstan/phpstan from 1.9.4 to 1.9.6 (#5492) Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 1.9.4 to 1.9.6. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Changelog](https://github.com/phpstan/phpstan/blob/1.9.x/CHANGELOG.md) - [Commits](https://github.com/phpstan/phpstan/compare/1.9.4...1.9.6) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- composer.json | 2 +- composer.lock | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/composer.json b/composer.json index 90c838f18..b226bb434 100644 --- a/composer.json +++ b/composer.json @@ -54,7 +54,7 @@ "webmozart/path-util": "^2.3" }, "require-dev": { - "phpstan/phpstan": "1.9.4", + "phpstan/phpstan": "1.9.6", "phpstan/phpstan-phpunit": "^1.1.0", "phpstan/phpstan-strict-rules": "^1.2.0", "phpunit/phpunit": "^9.2" diff --git a/composer.lock b/composer.lock index fd1325531..b6983e6e5 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "393c7921d03d080d3ef3b836f90b4415", + "content-hash": "feabd6ecb468f20308e27ef98a8cb0fd", "packages": [ { "name": "adhocore/json-comment", 
@@ -1821,16 +1821,16 @@ }, { "name": "phpstan/phpstan", - "version": "1.9.4", + "version": "1.9.6", "source": { "type": "git", "url": "https://github.com/phpstan/phpstan.git", - "reference": "d03bccee595e2146b7c9d174486b84f4dc61b0f2" + "reference": "ef38a25950e5d0e6c95eedf49d8a784272f8dc5e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpstan/zipball/d03bccee595e2146b7c9d174486b84f4dc61b0f2", - "reference": "d03bccee595e2146b7c9d174486b84f4dc61b0f2", + "url": "https://api.github.com/repos/phpstan/phpstan/zipball/ef38a25950e5d0e6c95eedf49d8a784272f8dc5e", + "reference": "ef38a25950e5d0e6c95eedf49d8a784272f8dc5e", "shasum": "" }, "require": { @@ -1860,7 +1860,7 @@ ], "support": { "issues": "https://github.com/phpstan/phpstan/issues", - "source": "https://github.com/phpstan/phpstan/tree/1.9.4" + "source": "https://github.com/phpstan/phpstan/tree/1.9.6" }, "funding": [ { @@ -1876,7 +1876,7 @@ "type": "tidelift" } ], - "time": "2022-12-17T13:33:52+00:00" + "time": "2023-01-03T13:40:32+00:00" }, { "name": "phpstan/phpstan-phpunit", From 433f5451d782478413f84e7d42e8c19715ba91dd Mon Sep 17 00:00:00 2001 From: IvanCraft623 <57236932+IvanCraft623@users.noreply.github.com> Date: Wed, 4 Jan 2023 15:11:55 -0500 Subject: [PATCH 13/20] Improve World::notifyNeighbourBlockUpdate() doc (#5491) --- src/world/World.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/world/World.php b/src/world/World.php index 54fd7863b..09795fd2f 100644 --- a/src/world/World.php +++ b/src/world/World.php 
@@ -1321,7 +1321,9 @@ class World implements ChunkManager{ /** * Notify the blocks at and around the position that the block at the position may have changed. - * This will cause onNeighbourBlockUpdate() to be called for these blocks. + * This will cause onNearbyBlockChange() to be called for these blocks. + * + * @see Block::onNearbyBlockChange() */ public function notifyNeighbourBlockUpdate(Vector3 $pos) : void{ $this->tryAddToNeighbourUpdateQueue($pos); From 9a47c1d401811c8ff9d5865636b61cb94d3cc570 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 4 Jan 2023 20:15:11 +0000 Subject: [PATCH 14/20] Bump shivammathur/setup-php from 2.22.0 to 2.23.0 (#5474) Bumps [shivammathur/setup-php](https://github.com/shivammathur/setup-php) from 2.22.0 to 2.23.0. - [Release notes](https://github.com/shivammathur/setup-php/releases) - [Commits](https://github.com/shivammathur/setup-php/compare/2.22.0...2.23.0) --- updated-dependencies: - dependency-name: shivammathur/setup-php dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/discord-release-notify.yml | 2 +- .github/workflows/draft-release.yml | 2 +- .github/workflows/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/discord-release-notify.yml b/.github/workflows/discord-release-notify.yml index a1ef20982..595b7374a 100644 --- a/.github/workflows/discord-release-notify.yml +++ b/.github/workflows/discord-release-notify.yml @@ -13,7 +13,7 @@ jobs: - uses: actions/checkout@v3 - name: Setup PHP and tools - uses: shivammathur/setup-php@2.22.0 + uses: shivammathur/setup-php@2.23.0 with: php-version: 8.0 diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index c8cc68bf7..f73bc5f28 100644 
--- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -18,7 +18,7 @@ jobs: submodules: true - name: Setup PHP - uses: shivammathur/setup-php@2.22.0 + uses: shivammathur/setup-php@2.23.0 with: php-version: 8.0 diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 653a56496..a24e3db20 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -195,7 +195,7 @@ jobs: - uses: actions/checkout@v3 - name: Setup PHP and tools - uses: shivammathur/setup-php@2.22.0 + uses: shivammathur/setup-php@2.23.0 with: php-version: 8.0 tools: php-cs-fixer:3.11 From a513cca5824dfbb21ffd29f4a4072d6d4b5625a0 Mon Sep 17 00:00:00 2001 From: Dylan T Date: Thu, 5 Jan 2023 16:45:22 +0000 Subject: [PATCH 15/20] Stop Dependabot from creating PRs for locale-data minor and major versions --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9bc4bc073..e2015e066 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,6 +6,12 @@ updates: interval: daily time: "10:00" open-pull-requests-limit: 10 + ignore: + #only allow patch updates for locale-data - this has to be updated manually due to codegen + - dependency-name: pocketmine/locale-data + update-type: + - "version-update:semver-major" + - "version-update:semver-minor" - package-ecosystem: gitsubmodule directory: "/" From e9ca25c1cbea963de6c433c88bc3d201f1acc293 Mon Sep 17 00:00:00 2001 From: Dylan T Date: Thu, 5 Jan 2023 16:45:56 +0000 Subject: [PATCH 16/20] typo --- .github/dependabot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e2015e066..518a26c70 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -9,7 +9,7 @@ updates: ignore: #only allow patch updates for locale-data - this has to be updated manually due to codegen - dependency-name: pocketmine/locale-data - update-type: + update-types: - "version-update:semver-major" - "version-update:semver-minor" From c02bead12bf831fc2da83359a9604fed326c0134 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 5 Jan 2023 16:46:45 +0000 Subject: [PATCH 17/20] Bump phpstan/phpstan from 1.9.6 to 1.9.7 (#5495) Bumps [phpstan/phpstan](https://github.com/phpstan/phpstan) from 1.9.6 to 1.9.7. - [Release notes](https://github.com/phpstan/phpstan/releases) - [Changelog](https://github.com/phpstan/phpstan/blob/1.9.x/CHANGELOG.md) - [Commits](https://github.com/phpstan/phpstan/compare/1.9.6...1.9.7) --- updated-dependencies: - dependency-name: phpstan/phpstan dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- composer.json | 2 +- composer.lock | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/composer.json b/composer.json index b226bb434..68a22e7f1 100644 --- a/composer.json +++ b/composer.json @@ -54,7 +54,7 @@ "webmozart/path-util": "^2.3" }, "require-dev": { - "phpstan/phpstan": "1.9.6", + "phpstan/phpstan": "1.9.7", "phpstan/phpstan-phpunit": "^1.1.0", "phpstan/phpstan-strict-rules": "^1.2.0", "phpunit/phpunit": "^9.2" diff --git a/composer.lock b/composer.lock index b6983e6e5..a2f6c207e 100644 --- a/composer.lock +++ b/composer.lock @@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "feabd6ecb468f20308e27ef98a8cb0fd", + "content-hash": "76c6b5521d8f88d9070e8dec1c0ae144", "packages": [ { "name": "adhocore/json-comment", 
@@ -1821,16 +1821,16 @@ }, { "name": "phpstan/phpstan", - "version": "1.9.6", + "version": "1.9.7", "source": { "type": "git", "url": "https://github.com/phpstan/phpstan.git", - "reference": "ef38a25950e5d0e6c95eedf49d8a784272f8dc5e" + "reference": "0501435cd342eac7664bd62155b1ef907fc60b6f" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/phpstan/phpstan/zipball/ef38a25950e5d0e6c95eedf49d8a784272f8dc5e", - "reference": "ef38a25950e5d0e6c95eedf49d8a784272f8dc5e", + "url": "https://api.github.com/repos/phpstan/phpstan/zipball/0501435cd342eac7664bd62155b1ef907fc60b6f", + "reference": "0501435cd342eac7664bd62155b1ef907fc60b6f", "shasum": "" }, "require": { @@ -1860,7 +1860,7 @@ ], "support": { "issues": "https://github.com/phpstan/phpstan/issues", - "source": "https://github.com/phpstan/phpstan/tree/1.9.6" + "source": "https://github.com/phpstan/phpstan/tree/1.9.7" }, "funding": [ { @@ -1876,7 +1876,7 @@ "type": "tidelift" } ], - "time": "2023-01-03T13:40:32+00:00" + "time": "2023-01-04T21:59:57+00:00" }, { "name": "phpstan/phpstan-phpunit", From 3baa5ab71214f96e6e7ab12cb9beef08118473b5 Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Fri, 6 Jan 2023 00:41:57 +0000 Subject: [PATCH 18/20] InGamePacketHandler: removed obsolete workaround --- .../mcpe/handler/InGamePacketHandler.php | 59 ++-------------- .../mcpe/handler/StupidJsonDecodeTest.php | 68 ------------------- 2 files changed, 6 insertions(+), 121 deletions(-) delete mode 100644 tests/phpunit/network/mcpe/handler/StupidJsonDecodeTest.php diff --git a/src/network/mcpe/handler/InGamePacketHandler.php b/src/network/mcpe/handler/InGamePacketHandler.php index 7b0fbb885..2c566fd51 100644 --- a/src/network/mcpe/handler/InGamePacketHandler.php +++ b/src/network/mcpe/handler/InGamePacketHandler.php 
@@ -112,7 +112,6 @@ use function array_push; use function base64_encode; use function count; use function fmod; -use function implode; use function in_array; use function is_bool; use function is_infinite; @@ -122,12 +121,9 @@ use function json_encode; use function max; use function mb_strlen; use function microtime; -use function preg_match; use function sprintf; use function strlen; use function strpos; -use function substr; -use function trim; use const JSON_THROW_ON_ERROR; /** 
@@ -875,60 +871,17 @@ class InGamePacketHandler extends PacketHandler{ //TODO: make APIs for this to allow plugins to use this information return $this->player->onFormSubmit($packet->formId, null); }elseif($packet->formData !== null){ - return $this->player->onFormSubmit($packet->formId, self::stupid_json_decode($packet->formData, true)); + try{ + $responseData = json_decode($packet->formData, true, self::MAX_FORM_RESPONSE_DEPTH, JSON_THROW_ON_ERROR); + }catch(\JsonException $e){ + throw PacketHandlingException::wrap($e, "Failed to decode form response data"); + } + return $this->player->onFormSubmit($packet->formId, $responseData); }else{ throw new PacketHandlingException("Expected either formData or cancelReason to be set in ModalFormResponsePacket"); } } - /** - * Hack to work around a stupid bug in Minecraft W10 which causes empty strings to be sent unquoted in form responses. - * - * @return mixed - * @throws PacketHandlingException - */ - private static function stupid_json_decode(string $json, bool $assoc = false){ - if(preg_match('/^\[(.+)\]$/s', $json, $matches) > 0){ - $raw = $matches[1]; - $lastComma = -1; - $newParts = []; - $inQuotes = false; - for($i = 0, $len = strlen($raw); $i <= $len; ++$i){ - if($i === $len || ($raw[$i] === "," && !$inQuotes)){ - $part = substr($raw, $lastComma + 1, $i - ($lastComma + 1)); - if(trim($part) === ""){ //regular parts will have quotes or something else that makes them non-empty - $part = '""'; - } - $newParts[] = $part; - $lastComma = $i; - }elseif($raw[$i] === '"'){ - if(!$inQuotes){ - $inQuotes = true; - }else{ - $backslashes = 0; - for(; $backslashes < $i && $raw[$i - $backslashes - 1] === "\\"; ++$backslashes){} - if(($backslashes % 2) === 0){ //unescaped quote - $inQuotes = false; - } - } - } - } - - $fixed = "[" . implode(",", $newParts) . 
"]"; - try{ - return json_decode($fixed, $assoc, self::MAX_FORM_RESPONSE_DEPTH, JSON_THROW_ON_ERROR); - }catch(\JsonException $e){ - throw PacketHandlingException::wrap($e, "Failed to fix JSON (original: $json, modified: $fixed)"); - } - } - - try{ - return json_decode($json, $assoc, self::MAX_FORM_RESPONSE_DEPTH, JSON_THROW_ON_ERROR); - }catch(\JsonException $e){ - throw PacketHandlingException::wrap($e); - } - } - public function handleServerSettingsRequest(ServerSettingsRequestPacket $packet) : bool{ return false; //TODO: GUI stuff } diff --git a/tests/phpunit/network/mcpe/handler/StupidJsonDecodeTest.php b/tests/phpunit/network/mcpe/handler/StupidJsonDecodeTest.php deleted file mode 100644 index 6a48bd1ba..000000000 --- a/tests/phpunit/network/mcpe/handler/StupidJsonDecodeTest.php +++ /dev/null @@ -1,68 +0,0 @@ -stupidJsonDecodeFunc = (new \ReflectionMethod(InGamePacketHandler::class, 'stupid_json_decode'))->getClosure(); - } - - /** - * @return mixed[][] - * @phpstan-return list - */ - public function stupidJsonDecodeProvider() : array{ - return [ - ["[\n \"a\",\"b,c,d,e\\\" \",,0,1,2, false, 0.001]", ['a', 'b,c,d,e" ', '', 0, 1, 2, false, 0.001]], - ["0", 0], - ["false", false], - ["null", null], - ['["\",,\"word","a\",,\"word2",]', ['",,"word', 'a",,"word2', '']], - ['["\",,\"word","a\",,\"word2",""]', ['",,"word', 'a",,"word2', '']], - ['["Hello,, PocketMine"]', ['Hello,, PocketMine']], - ['[,]', ['', '']], - ['[]', []] - ]; - } - - /** - * @dataProvider stupidJsonDecodeProvider - * - * @param mixed $expect - * - * @throws \ReflectionException - */ - public function testStupidJsonDecode(string $brokenJson, $expect) : void{ - $decoded = ($this->stupidJsonDecodeFunc)($brokenJson, true); - self::assertEquals($expect, $decoded); - } -} From d146175d278f2790bfcf319cda9c2961addf4637 Mon Sep 17 00:00:00 2001 
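Review bot: In `InGamePacketHandler`'s form-response branch, the new `json_decode()` call bounds nesting with `self::MAX_FORM_RESPONSE_DEPTH`, but nothing in this hunk bounds the length of `$packet->formData` before it is decoded. If no size limit is applied to that field earlier in packet decoding (not visible here), a length check ahead of the `try` would be cheap, e.g. `if(strlen($packet->formData) > self::MAX_FORM_RESPONSE_SIZE){ throw new PacketHandlingException("Form response data too large"); }`, where `MAX_FORM_RESPONSE_SIZE` is a constant that would need to be added. `$responseData` can also be any JSON type (scalar, list, map or null) and is passed to `onFormSubmit()` unchanged, as it was before; a comment saying that validation is left to the form handler would make that explicit. The method's opening lines are outside the hunk.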
From: "Dylan K. Taylor" Date: Fri, 6 Jan 2023 00:44:58 +0000 Subject: [PATCH 19/20] Release 4.12.5 --- changelogs/4.12.md | 8 +++++++- src/VersionInfo.php | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/changelogs/4.12.md b/changelogs/4.12.md index 066a5ec0b..16e23dc6a 100644 --- a/changelogs/4.12.md +++ b/changelogs/4.12.md @@ -43,4 +43,10 @@ Released 28th December 2022. Released 3rd January 2023. ## Fixes -- Added workarounds for an active exploit being used to deny service to servers. \ No newline at end of file +- Added workarounds for an active exploit being used to deny service to servers. + +# 4.12.5 +Released 6th January 2023. + +## Fixes +- Removed a workaround for an old client bug in custom form responses. The code contained a denial-of-service vulnerability. diff --git a/src/VersionInfo.php b/src/VersionInfo.php index 95668c9d2..31791daa0 100644 --- a/src/VersionInfo.php +++ b/src/VersionInfo.php @@ -32,7 +32,7 @@ use function str_repeat; final class VersionInfo{ public const NAME = "PocketMine-MP"; public const BASE_VERSION = "4.12.5"; - public const IS_DEVELOPMENT_BUILD = true; + public const IS_DEVELOPMENT_BUILD = false; public const BUILD_CHANNEL = "stable"; private function __construct(){ From f43ca405d4ad7a68a299bc9c7e231fb3b057ef7a Mon Sep 17 00:00:00 2001 From: "Dylan K. Taylor" Date: Fri, 6 Jan 2023 00:44:58 +0000 Subject: [PATCH 20/20] 4.12.6 is next --- src/VersionInfo.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/VersionInfo.php b/src/VersionInfo.php index 31791daa0..384a63ae7 100644 --- a/src/VersionInfo.php +++ b/src/VersionInfo.php @@ -31,8 +31,8 @@ use function str_repeat; final class VersionInfo{ public const NAME = "PocketMine-MP"; - public const BASE_VERSION = "4.12.5"; - public const IS_DEVELOPMENT_BUILD = false; + public const BASE_VERSION = "4.12.6"; + public const IS_DEVELOPMENT_BUILD = true; public const BUILD_CHANNEL = "stable"; private function __construct(){