Malicious players can change paintings/graffities to hidden motives for everyone #96
Description
Description
A player, who modifies the code of the mod on the client, can use any motive regardless of whether the motives are hidden or whether that player is op. This is because setting the motive of an entity is not checked server side (see Method receive(PlayerEntity e) in immersive_paintings.network.c2s.PaintingModifyRequest.java). A PaintingModifyRequest then sets that motive for the server, which in turn updates every player via a PaintingModifyMessage.
The abuse potential is fairly low since all motives uploaded to the server are shared with any client connected to the server anyways & this requires a motive to be uploaded (although set to hidden). So the priority should not be that high either.
Steps to reproduce
- Modify line 683 in
immersive_paintings.client.gui.ImmersivePaintingScreen.javaof MethodupdateSearch()from.filter(v -> page != Page.PLAYERS || !v.getValue().datapack) && (!v.getValue().hidden || isOp()))to for example.filter(v -> page != Page.PLAYERS || !v.getValue().datapack) - Recompile and use the mod (Forge or Fabric does not matter).
- Join a server with an unmodified version of the mod and existing hidden motives.
- Use any item added by Immersive Paintings and enter the GUI.
- Navigate to "Players" tab and discover hidden motives.
- Click hidden motives and discover that the entity changes to the motive for everyone in the server.
Expected behavior
It should not be possible for a client to set an entity to a hidden motive & get it to update for other players/the server. The motive should either be set and/or verified server side and the entity should not change for other player in case the player setting the motive is not allowed (or rather able) to do so.
Screenshots
Hidden motive of any other player
Hidden motive displayed in GUI of malicious player
Malicious player sets painting to hidden motive
Other players can see the hidden motive set by a malicious player
