Commit 5b5e08f

committed
update how permissions are checked to fix possible bypass
change package name, update authors, bump version
1 parent 72634c3 commit 5b5e08f

2 files changed

+88
-53
lines changed

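--- a/pom.xml
+++ b/pom.xml
@@ -2,16 +2,16 @@
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
 <modelVersion>4.0.0</modelVersion>
-<groupId>me.wikmor</groupId>
-<artifactId>lpc-vanillaplus</artifactId>
+<groupId>dev.noah</groupId>
+<artifactId>lpc-color</artifactId>
 <name>LPC-color</name>
-<description>A chat formatting plugin for LuckPerms.</description>
-<version>3.6.0</version>
+<description>A chat formatting plugin for LuckPerms with support for color and formatting permissions.</description>
+<version>4.0.0</version>
 <packaging>jar</packaging>
 
 <properties>
-<author>wikmor</author>
-<main.class>me.wikmor.lpc.LPC</main.class>
+<author>wikmor, noah</author>
+<main.class>dev.noah.lpc.LPC</main.class>
 <java.version>1.8</java.version>
 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 </properties>
@@ -38,7 +38,7 @@
 <dependency>
 <groupId>org.spigotmc</groupId>
 <artifactId>spigot-api</artifactId>
-<version>1.19-R0.1-SNAPSHOT</version>
+<version>1.20.4-R0.1-SNAPSHOT</version>
 <scope>provided</scope>
 </dependency>
 <dependency>
@@ -75,8 +75,8 @@
 https://mvnrepository.com/artifact/org.apache.maven.plugins/maven-compiler-plugin -->
 <version>3.10.1</version>
 <configuration>
-<source>${java.version}</source>
-<target>${java.version}</target>
+<target>8</target>
+<source>8</source>
 </configuration>
 </plugin>
 <plugin>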
Lines changed: 79 additions & 44 deletions
@@ -1,4 +1,4 @@
1-
package me.wikmor.lpc;
1+
package dev.noah.lpc;
22

33
import me.clip.placeholderapi.PlaceholderAPI;
44
import net.luckperms.api.LuckPerms;
@@ -40,7 +40,7 @@ public boolean onCommand(final CommandSender sender, final Command command, fina
4040
if (args.length == 1 && "reload".equals(args[0])) {
4141
reloadConfig();
4242

43-
sender.sendMessage(colorize("&aLPC has been reloaded."));
43+
sender.sendMessage(unsafeColorize("&aLPC has been reloaded."));
4444
return true;
4545
}
4646

@@ -55,31 +55,6 @@ public List<String> onTabComplete(final CommandSender sender, final Command comm
5555
return new ArrayList<>();
5656
}
5757

58-
@EventHandler(priority = EventPriority.LOW)
59-
public void onLowChat(AsyncPlayerChatEvent event){
60-
Player player = event.getPlayer();
61-
if (!player.hasPermission("lpc.magic")) {
62-
event.setMessage(event.getMessage().replace("&k", ""));
63-
event.setMessage(event.getMessage().replace("&K", ""));
64-
}
65-
if (!player.hasPermission("lpc.bold")) {
66-
event.setMessage(event.getMessage().replace("&l", ""));
67-
event.setMessage(event.getMessage().replace("&L", ""));
68-
}
69-
if (!player.hasPermission("lpc.underline")) {
70-
event.setMessage(event.getMessage().replace("&n", ""));
71-
event.setMessage(event.getMessage().replace("&N", ""));
72-
}
73-
if (!player.hasPermission("lpc.strikethrough")) {
74-
event.setMessage(event.getMessage().replace("&m", ""));
75-
event.setMessage(event.getMessage().replace("&M", ""));
76-
}
77-
if (!player.hasPermission("lpc.italics")) {
78-
event.setMessage(event.getMessage().replace("&o", ""));
79-
event.setMessage(event.getMessage().replace("&O", ""));
80-
}
81-
82-
}
8358

8459
@EventHandler(priority = EventPriority.HIGHEST)
8560
public void onChat(final AsyncPlayerChatEvent event) {
@@ -90,9 +65,6 @@ public void onChat(final AsyncPlayerChatEvent event) {
9065
final CachedMetaData metaData = this.luckPerms.getPlayerAdapter(Player.class).getMetaData(player);
9166
final String group = metaData.getPrimaryGroup();
9267

93-
94-
95-
9668
String format = getConfig().getString(getConfig().getString("group-formats." + group) != null ? "group-formats." + group : "chat-format")
9769
.replace("{prefix}", metaData.getPrefix() != null ? metaData.getPrefix() : "")
9870
.replace("{suffix}", metaData.getSuffix() != null ? metaData.getSuffix() : "")
@@ -104,25 +76,88 @@ public void onChat(final AsyncPlayerChatEvent event) {
10476
.replace("{username-color}", metaData.getMetaValue("username-color") != null ? metaData.getMetaValue("username-color") : "")
10577
.replace("{message-color}", metaData.getMetaValue("message-color") != null ? metaData.getMetaValue("message-color") : "");
10678

107-
format = colorize(translateHexColorCodes(getServer().getPluginManager().isPluginEnabled("PlaceholderAPI") ? PlaceholderAPI.setPlaceholders(player, format) : format));
79+
format = unsafeColorize(translateHexColorCodes(getServer().getPluginManager().isPluginEnabled("PlaceholderAPI") ? PlaceholderAPI.setPlaceholders(player, format) : format));
10880

109-
String formattedMessage;
81+
event.setFormat(format.replace("{message}", colorize(message,player)).replace("%", "%%"));
82+
}
11083

111-
if (player.hasPermission("lpc.colorcodes") && player.hasPermission("lpc.rgbcodes")) {
112-
formattedMessage = colorize(translateHexColorCodes(message));
113-
} else if (player.hasPermission("lpc.colorcodes")) {
114-
formattedMessage = colorize(message);
115-
} else if (player.hasPermission("lpc.rgbcodes")) {
116-
formattedMessage = translateHexColorCodes(message);
117-
} else {
118-
formattedMessage = message;
84+
// Old colorize method without any checks
85+
private String unsafeColorize(final String message) {
86+
return ChatColor.translateAlternateColorCodes('&', message);
87+
}
88+
89+
private String colorize(final String message, Player player) {
90+
String output = message;
91+
//do each step / color on its own and check for permissions for each step
92+
if (player.hasPermission("lpc.colorcodes")) {
93+
//translate each color individually
94+
output = output.replace("&0", ChatColor.BLACK.toString());
95+
output = output.replace("&1", ChatColor.DARK_BLUE.toString());
96+
output = output.replace("&2", ChatColor.DARK_GREEN.toString());
97+
output = output.replace("&3", ChatColor.DARK_AQUA.toString());
98+
output = output.replace("&4", ChatColor.DARK_RED.toString());
99+
output = output.replace("&5", ChatColor.DARK_PURPLE.toString());
100+
output = output.replace("&6", ChatColor.GOLD.toString());
101+
output = output.replace("&7", ChatColor.GRAY.toString());
102+
output = output.replace("&8", ChatColor.DARK_GRAY.toString());
103+
output = output.replace("&9", ChatColor.BLUE.toString());
104+
105+
output = output.replace("&a", ChatColor.GREEN.toString());
106+
output = output.replace("&A", ChatColor.GREEN.toString());
107+
108+
output = output.replace("&b", ChatColor.AQUA.toString());
109+
output = output.replace("&B", ChatColor.AQUA.toString());
110+
111+
output = output.replace("&c", ChatColor.RED.toString());
112+
output = output.replace("&C", ChatColor.RED.toString());
113+
114+
output = output.replace("&d", ChatColor.LIGHT_PURPLE.toString());
115+
output = output.replace("&D", ChatColor.LIGHT_PURPLE.toString());
116+
117+
output = output.replace("&e", ChatColor.YELLOW.toString());
118+
output = output.replace("&E", ChatColor.YELLOW.toString());
119+
120+
output = output.replace("&f", ChatColor.WHITE.toString());
121+
output = output.replace("&F", ChatColor.WHITE.toString());
119122
}
120123

121-
event.setFormat(format.replace("{message}", formattedMessage).replace("%", "%%"));
122-
}
124+
if (player.hasPermission("lpc.magic")) {
125+
//translate magic
126+
output = output.replace("&k", ChatColor.MAGIC.toString());
127+
output = output.replace("&K", ChatColor.MAGIC.toString());
128+
}
129+
if(player.hasPermission("lpc.bold")) {
130+
//translate bold
131+
output = output.replace("&l", ChatColor.BOLD.toString());
132+
output = output.replace("&L", ChatColor.BOLD.toString());
133+
}
134+
if(player.hasPermission("lpc.underline")) {
135+
//translate underline
136+
output = output.replace("&n", ChatColor.UNDERLINE.toString());
137+
output = output.replace("&N", ChatColor.UNDERLINE.toString());
138+
}
139+
if(player.hasPermission("lpc.italics")) {
140+
//translate italics
141+
output = output.replace("&o", ChatColor.ITALIC.toString());
142+
output = output.replace("&O", ChatColor.ITALIC.toString());
143+
}
144+
if(player.hasPermission("lpc.strikethrough")) {
145+
//translate strikethrough
146+
output = output.replace("&m", ChatColor.STRIKETHROUGH.toString());
147+
output = output.replace("&M", ChatColor.STRIKETHROUGH.toString());
123148

124-
private String colorize(final String message) {
125-
return ChatColor.translateAlternateColorCodes('&', message);
149+
}
150+
if(player.hasPermission("lpc.reset")){
151+
//translate reset
152+
output = output.replace("&r", ChatColor.RESET.toString());
153+
output = output.replace("&R", ChatColor.RESET.toString());
154+
}
155+
156+
if(player.hasPermission("lpc.rgbcodes")){
157+
output = translateHexColorCodes(output);
158+
}
159+
160+
return output;
126161
}
127162

128163
private String translateHexColorCodes(final String message) {
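Review bot: `unsafeColorize` is applied in `onChat` to the format string after `PlaceholderAPI.setPlaceholders(player, format)` has expanded it, so any placeholder (or one of the `{...}` replacements that fall outside the visible hunks) that yields player-controlled text would have every colour and format code translated with no permission check. The one-line comment above the helper does not state that constraint; I would replace it with `// Translates every & code with no permission check: call only on config- or plugin-supplied text, never on text a player can influence.` and confirm that the placeholders used in the shipped formats cannot carry player input. Separately, the new `colorize(message, player)` spells out roughly forty `replace` calls with upper- and lower-case duplicates; a single pass over the message that looks up the required permission for each code character would be shorter and would make it evident that already-translated output is never re-scanned. `lpc.reset` is a new permission node in this method and, since only two files changed, it may still need to be declared and documented for server admins. `onChat` begins outside the hunks shown, so where `message` and `player` come from could not be checked here.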
