From bbf37c133d002558a9e031cf699579d96ded9e3c Mon Sep 17 00:00:00 2001 From: Zach Brown Date: Mon, 18 Jul 2016 17:57:36 -0500 Subject: [PATCH] Less strict skull validation Spigot's solution removes all unsigned skins from Skulls. While this does work to achieve its original goal, it is often overzealous and removes many plugin created and other skulls. We can be more specific in our checks to avoid this. This does technically reveal how the exploit works, however given that it already appears to be well-known throughout malicious communities, and the current solution breaks legitimate skulls, we don't feel particularly bad about it this time. diff --git a/src/main/java/net/minecraft/server/ItemSkull.java b/src/main/java/net/minecraft/server/ItemSkull.java index 4a9cb67..b2af87a 100644 --- a/src/main/java/net/minecraft/server/ItemSkull.java +++ b/src/main/java/net/minecraft/server/ItemSkull.java @@ -135,11 +135,24 @@ public class ItemSkull extends Item { boolean valid = true; NBTTagList textures = nbttagcompound.getCompound("SkullOwner").getCompound("Properties").getList("textures", 10); // Safe due to method contracts + // Paper start - Less strict validation + for (NBTBase texture : textures.list) { + if (texture instanceof NBTTagCompound && !((NBTTagCompound) texture).hasKeyOfType("Signature", 8)) { + if (((NBTTagCompound) texture).getString("Value").trim().length() > 0) { + continue; + } + + valid = false; + } + } + /* for (int i = 0; i < textures.size(); i++) { if (textures.get(i) instanceof NBTTagCompound && !((NBTTagCompound) textures.get(i)).hasKeyOfType("Signature", 8)) { valid = false; } } + */ + // Paper end if (!valid) { nbttagcompound.remove("SkullOwner"); -- 2.9.2.windows.1