Uploaded image for project: 'Minecraft (Bedrock codebase)'
  1. Minecraft (Bedrock codebase)
  2. MCPE-92635

Players can evaluate @s selector without cheats

    XMLWordPrintable

Details

    • Icon: Bug Bug
    • Resolution: Fixed
    • 1.16.220, 1.16.220.50 Beta
    • 1.16.100.55 Beta, 1.16.1, 1.16.100.59 Beta
    • None
    • Confirmed
    • Windows
    • 422538

    Description

      Players can use the @s selector in commands like /tell, even when cheats are disabled. This allows them to get information they should not have access to.

      Information marked with  is potentially sensitive, the others are not really valuable information, but still should not be accessible.

      Parameter(s) Example Leaked Information
      x y z r rm dx dy dz /tell @s[x=0,z=0,r=10] hi Their own location, even if the server owner wishes this information to be private.
      scores /tell @s[scores=\{something=15..}] hi Internal scoreboard objective names and personal scores.
      tag /tell @s[tag=blah] hi Internal tag names and personal tags.
      Note that the tag parameter is not suggested when cheats are disabled, but if it's typed manually, its potential values are still suggested and it can still be evaluated.
      l lm /tell @s[lm=30] hi Amount of levels.
      m /tell @s[m=0] hi Internal gamemode IDs.
      ry rym rx rxm /tell @s[rxm=0,rx=0] hi Facing direction.

       

      Expected Behavior
      Same as attempting to evaluate any other selector without cheats: Insufficient permissions error

      Attachments

        Activity

          People

            tryashtar [Mod] tryashtar
            Votes:
            4 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:
              CHK: