Minecraft (Bedrock codebase) / MCPE-92635

Players can evaluate @s selector without cheats

    Details

    • Type: Bug
    • Status: Resolved
    • Resolution: Fixed
    • Affects Version/s: 1.16.100.55 Beta, 1.16.1, 1.16.100.59 Beta
    • Fix Version/s: 1.16.220, 1.16.220.50 Beta
    • Labels:
      None
    • Confirmation Status:
      Confirmed
    • Platform:
      Windows 10 - PC
    • ADO:
      422538

      Description

      Players can use the @s selector in commands like /tell, even when cheats are disabled. This allows them to get information they should not have access to.

      Information marked with  is potentially sensitive; the others are not really valuable information, but still should not be accessible.

      | Parameter(s) | Example | Leaked Information |
      |---|---|---|
      | x y z r rm dx dy dz | /tell @s[x=0,z=0,r=10] hi | Their own location, even if the server owner wishes this information to be private. |
      | scores | /tell @s[scores={something=15..}] hi | Internal scoreboard objective names and personal scores. |
      | tag | /tell @s[tag=blah] hi | Internal tag names and personal tags. Note that the tag parameter is not suggested when cheats are disabled, but if it's typed manually, its potential values are still suggested and it can still be evaluated. |
      | l lm | /tell @s[lm=30] hi | Amount of levels. |
      | m | /tell @s[m=0] hi | Internal gamemode IDs. |
      | ry rym rx rxm | /tell @s[rxm=0,rx=0] hi | Facing direction. |

       

      Expected Behavior
      Same as attempting to evaluate any other selector without cheats: Insufficient permissions error

              People

              Reporter:
              tryashtar [Mod]
              Votes:
              4
              Watchers:
              3
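An audit sketch for server operators, added here as an example and not taken from the report or from the game's code: it scans command lines issued by non-operators for bracketed selectors and maps each parameter to the information class listed in the report's table. The `player: /command` log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

LEAKS = {  # parameter -> leaked information class, from the report's table
    **dict.fromkeys(["x", "y", "z", "r", "rm", "dx", "dy", "dz"], "location"),
    "scores": "scoreboard objectives and scores",
    "tag": "tags",
    **dict.fromkeys(["l", "lm"], "levels"),
    "m": "gamemode",
    **dict.fromkeys(["ry", "rym", "rx", "rxm"], "facing direction"),
}
SELECTOR_OPEN = re.compile(r"@[a-z]\[")

def selector_params(command):
    """Return the top-level parameter names of each bracketed selector."""
    names = []
    for match in SELECTOR_OPEN.finditer(command):
        depth, token, in_key = 0, "", True
        for ch in command[match.end():]:
            if ch in "{[":
                depth += 1          # e.g. the body of scores={...}
            elif ch in "}]":
                if depth == 0:
                    break           # closing bracket of the selector itself
                depth -= 1
            elif depth == 0 and ch in "=,":
                if ch == "=":
                    names.append(token.strip())
                token, in_key = "", ch == ","
            elif depth == 0 and in_key:
                token += ch
    return names

def audit(log_lines, operators):
    """Flag selector evaluation by non-operators in 'player: /command' lines."""
    findings = []
    for line in log_lines:
        player, _, command = line.partition(": ")
        params = selector_params(command) if command.startswith("/") else []
        if params and player not in operators:
            findings.append((player, sorted({LEAKS.get(p, "unknown") for p in params})))
    return findings

SAMPLE_LOG = [  # constructed lines; the log format is an assumption
    "alice: /tell @s[x=0,z=0,r=10] hi",
    "bob: /tell @s[scores={something=15..}] hi",
    "carol: /tell dave hello",
    "admin: /tell @s[tag=blah] hi",
    "erin: /tell @s[rxm=0,rx=0,lm=30] hi",
]
```

Selectors written without parameters are outside the scope of this sketch, which only covers the bracketed forms shown in the report.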
