-
Bug
-
Resolution: Unresolved
-
None
-
Minecraft 14w26c, Minecraft 14w29b, Minecraft 1.8.4, Minecraft 1.9, Minecraft 1.9.4, Minecraft 1.10, Minecraft 1.11, Minecraft 1.13.2, Minecraft 18w48a, Minecraft 18w48b, Minecraft 18w49a, Minecraft 18w50a, 1.15.2, 1.16.2, 20w51a, 21w15a, 23w43b, 23w45a, 23w46a, 1.20.5, 1.20.6, 1.21
-
Confirmed
-
Commands, Dedicated Server
-
Low
-
Platform
The bug
Signs that contain a clickEvent are only checked for operator permissions if clicked inside of spawn-protection area set by server.properties.
Note: Signs being able to execute commands regardless of executor permissions is likely widely used in adventure maps. It does not directly impose a security vulnerability because placing such signs with clickEvent requires operator permissions. It is similar to placing a command block containing a command: Placing the command block requires operator permissions, but anyone can afterwards place redstone next to it to activate it.
How to reproduce
- Start a Minecraft server.
- Set the spawn-protection field in the server.properties file to 10.
- Run:
/give @p oak_sign[custom_name='{"text":"MC-59653"}',block_entity_data={id:"minecraft:oak_sign",front_text:{messages:['{"text":"Click me","clickEvent":{"action":"run_command","value":"fill ~ ~1 ~ ~ ~2 ~ redstone_block"}}','{"text":""}','{"text":""}','{"text":""}']}}] 2 - Place one sign inside the spawn-protection area and one sign outside the spawn-protection area.
- Deop yourself, but make sure theres atleast one other player opped, so spawn protection is active.
- Click the sign inside the spawn protection area.
→
Sign unsuccessfully used, no blocks were placed - Click the sign outside the spawn protection area.
→
Sign succesfully used, two redstone blocks are placed above the sign
- is duplicated by
-
- Resolved
-
- Resolved
-
- Resolved
- relates to
-
- Open
-
- Reopened
-
- Reopened