Uploaded image for project: 'Minecraft (Bedrock codebase)'
  1. Minecraft (Bedrock codebase)
  2. MCPE-92635

Players can evaluate @s selector without cheats


    • Icon: Bug Bug
    • Resolution: Fixed
    • 1.16.220, Beta
    • Beta, 1.16.1, Beta
    • None
    • Confirmed
    • Windows
    • 422538

      Players can use the @s selector in commands like /tell, even when cheats are disabled. This allows them to get information they should not have access to.

      Information marked with  is potentially sensitive, the others are not really valuable information, but still should not be accessible.

      Parameter(s) Example Leaked Information
      x y z r rm dx dy dz /tell @s[x=0,z=0,r=10] hi Their own location, even if the server owner wishes this information to be private.
      scores /tell @s[scores=\{something=15..}] hi Internal scoreboard objective names and personal scores.
      tag /tell @s[tag=blah] hi Internal tag names and personal tags.
      Note that the tag parameter is not suggested when cheats are disabled, but if it's typed manually, its potential values are still suggested and it can still be evaluated.
      l lm /tell @s[lm=30] hi Amount of levels.
      m /tell @s[m=0] hi Internal gamemode IDs.
      ry rym rx rxm /tell @s[rxm=0,rx=0] hi Facing direction.


      Expected Behavior
      Same as attempting to evaluate any other selector without cheats: Insufficient permissions error

            tryashtar [Mod] tryashtar
            4 Vote for this issue
            2 Start watching this issue