GMS-2021-54: Inability to de-op players if listed in ops.txt with non-lowercase letters
Impact
Originally reported in iTXTech/Genisys#1188
PotterHarry98
potterharry98
deop PotterHarry98
will remove potterharry98 from the ops.txt but not PotterHarry98.
Operator permissions are checked using Config->exists() with lowercase=true, which will result in a match:
https://github.com/pmmp/PocketMine-MP/blob/22bb1ce8e03dba57173debf0415390511d68e045/src/utils/Config.php#L449
This means that it’s possible to make yourself impossible to de-op (using commands) by adding your name to ops.txt with uppercase letters.
Patches
4d37b79ff7f9d9452e988387f97919a9a1c4954e
Workarounds
This can be easily addressed by removing the offending lines from ops.txt manually.
For more information
If you have any questions or comments about this advisory:
- Open an issue in pmmp/PocketMine-MP
- Email us at team@pmmp.io
References
Code Behaviors & Features
Detect and mitigate GMS-2021-54 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →