From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Zach Brown <1254957+zachbr@users.noreply.github.com> Date: Mon, 18 Jul 2016 17:57:36 -0500 Subject: [PATCH] Less strict skull validation Spigot's solution removes all unsigned skins from Skulls. While this does work to achieve its original goal, it is often overzealous and removes many plugin created and other skulls. We can be more specific in our checks to avoid this. This does technically reveal how the exploit works, however given that it already appears to be well-known throughout malicious communities, and the current solution breaks legitimate skulls, we don't feel particularly bad about it this time. diff --git a/src/main/java/net/minecraft/server/ItemSkull.java b/src/main/java/net/minecraft/server/ItemSkull.java index 0000000000000000000000000000000000000000..0000000000000000000000000000000000000000 100644 --- a/src/main/java/net/minecraft/server/ItemSkull.java +++ b/src/main/java/net/minecraft/server/ItemSkull.java @@ -0,0 +0,0 @@ public class ItemSkull extends Item { boolean valid = true; NBTTagList textures = nbttagcompound.getCompound("SkullOwner").getCompound("Properties").getList("textures", 10); // Safe due to method contracts + // Paper start - Less strict validation + for (NBTBase texture : textures.list) { + if (texture instanceof NBTTagCompound && !((NBTTagCompound) texture).hasKeyOfType("Signature", 8)) { + if (((NBTTagCompound) texture).getString("Value").trim().length() > 0) { + continue; + } + + valid = false; + } + } + /* for (int i = 0; i < textures.size(); i++) { if (textures.get(i) instanceof NBTTagCompound && !((NBTTagCompound) textures.get(i)).hasKeyOfType("Signature", 8)) { valid = false; } } + */ + // Paper end if (!valid) { nbttagcompound.remove("SkullOwner"); --