Exploit Patches
Warning
These docs were written for SpongeAPI 7 and are likely out of date. If you feel like you can help update them, please submit a PR!
The latest builds of SpongeForge (974+) and SpongeVanilla contain defenses against some bugs that the client can exploit. Whenever the implementations detect a user performing an exploit, they kick the user from the server with a message explaining why they were kicked. If enabled, a log message is also shown in the console. More patches against bug exploitation may be added in the future.
Note
If you know about an exploit we currently don’t cover, please let us know! You can contact us via exploits@spongepowered.org or PM a staff member on the forums. Please DO NOT post exploits publicly on IRC, our GitHub repos or the forums, if they’re still unknown. This prevents abuse until we get the issues fixed.
Exploit Patches Implemented in Sponge
Sign command exploit where a client could run a command such as ‘op’
Client could force the server to make the user respawn invisible
Client could set an itemstack’s display name and cause it to exceed the character limit
Note that these patches cannot be disabled; only the logging is configurable at this time.
Warning
The invisibility exploit patch has been disabled in recent Sponge builds due to the detection method falsely accusing users of performing the exploit.
Controlling Log Messages
Log messages can be controlled individually in the Sponge configuration file. Please read the global.conf page for more information. Here is a short summary of the available options:
# Log when server receives exploited packet with itemstack name exceeding string limit.
exploit-itemstack-name-overflow=false
# Log when player attempts to respawn invisible to surrounding players.
exploit-respawn-invisibility=false
# Log when server receives exploited packet to update a sign containing commands from player with no permission.
exploit-sign-command-updates=false
Tip
Log messages can also be controlled via a command, instead of directly editing the config file. For example, to
enable the sign command exploit logging, type sponge config -g logging.exploit-sign-command-updates true in
the console (you can also type the command in-game if you are an op).
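Because all three options are shown as false above, a kicked exploit attempt leaves no console record unless logging is switched on. The following added example (not part of Sponge or of the original docs) audits the text of a global.conf for the three keys and reports which are enabled, disabled or missing. The sponge { logging { ... } } nesting in the constructed sample and the function name audit_exploit_logging are assumptions, and the printed fix command applies the pattern from the tip above to the other two keys.

```python
import re

# The three logging keys listed on this page.
EXPLOIT_LOG_KEYS = (
    "exploit-itemstack-name-overflow",
    "exploit-respawn-invisibility",
    "exploit-sign-command-updates",
)

# Matches `key=value` lines; also tolerates spaces, quotes and ':' separators.
_SETTING = re.compile(r'^\s*"?([A-Za-z0-9-]+)"?\s*[=:]\s*"?(\w+)"?\s*,?\s*$')


def audit_exploit_logging(conf_text):
    """Return {key: state}; state is 'enabled', 'disabled' or 'missing'."""
    state = {key: "missing" for key in EXPLOIT_LOG_KEYS}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", "//")):
            continue  # skip comment lines
        match = _SETTING.match(line)
        # Keys are matched by name only; the enclosing section is not checked.
        if match and match.group(1) in state:
            enabled = match.group(2).lower() == "true"
            state[match.group(1)] = "enabled" if enabled else "disabled"
    return state


# Constructed sample (assumed layout), not a real server's file.
SAMPLE_CONF = """\
sponge {
    logging {
        # Log when server receives exploited packet with itemstack name exceeding string limit.
        exploit-itemstack-name-overflow=false
        # Log when server receives exploited packet to update a sign containing commands from player with no permission.
        exploit-sign-command-updates=true
    }
}
"""

if __name__ == "__main__":
    for key, value in audit_exploit_logging(SAMPLE_CONF).items():
        print(f"{key}: {value}")
        if value != "enabled":
            # Same command form as the tip above, applied to this key.
            print(f"  to enable: sponge config -g logging.{key} true")
```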