Fiks av skadelige bugs
Advarsel
These docs were written for SpongeAPI 7 and are likely out of date. If you feel like you can help update them, please submit a PR!
In recent Sponge builds (SpongeForge 974+), SpongeForge and SpongeVanilla patch a few client-server exploits. Whenever the implementations detect a user performing an exploit, they are kicked from the server with a message explaining why they were kicked. If enabled, a log message is also sent to the console. More exploit patches may be added in the future.
Obs
If you know about an exploit we currently don’t cover, please let us know! You can contact us via exploits@spongepowered.org or PM a staff member on the forums. Please DO NOT post exploits publicly on IRC, our GitHub repos or the forums, if they’re still unknown. This prevents abuse until we get the issues fixed.
Exploits Patched implemented in Sponge
Sign command exploit where a client could run a command such as ’op’
Client could force the server to make the user respawn invisible
Client could set an itemstack’s display name and cause it to exceed the character limit
Note that these patches can’t be disabled, only the logging is configurable as of now.
Advarsel
The invisibility exploit patch has been disabled in recent Sponge builds due to the detection method falsely accusing users of performing the exploit.
Log Message Control
Log messages for the exploit patches can be individually controlled in the Sponge config file. Please read the global.conf page for more information. Here’s a short overview of available options:
# Log when server receives exploited packet with itemstack name exceeding string limit.
exploit-itemstack-name-overflow=false
# Log when player attempts to respawn invisible to surrounding players.
exploit-respawn-invisibility=false
# Log when server receives exploited packet to update a sign containing commands from player with no permission.
exploit-sign-command-updates=false
Tips
Log messages can also be controlled via a command, instead of directly editing the config file. For example, to
enable the sign command exploit logging, type sponge config -g logging.exploit-sign-command-updates true
in
the console (You can also type the commands in-game if you are an op).