Require permission level for chase command#14034
Conversation
|
This should be a file patch, but it's worth noting this command is only enabled on servers which doubly opt into this; This is generally a debug tool, debug tools aren't expected to be enabled in environments where this is a concern; I'm not really sure if this is ours to fix |
|
Yeah this is a debug tool, which should not be enabled on production. |
|
And even if its enabled (what require the owner of the server to make that) you can still block the command with permission |
|
From what I've seen, when Mojang closes an issue as "Won't Fix", that's a sign that they're probably not going to fix it for a long time. By fixing the security flaw using a patch, you are preventing people from creating a vulnerability in their server. Even if "/chase" is a debug tool, it should still have a proper security configuration. |
In the base game for Java Edition, there is a security flaw with the "/chase" command. By default, it is available to all players, even if they don't have operator privileges. This allows any player with malicious intentions to abuse the tool. I reported this to Mojang, but they refused to address the issue (https://imgur.com/a/chase-exploit-jXYUTD0).
This patch changes the required permission level to 3. This ensures that the command is restricted to operators, which significantly reduces the risk of it being abused. However, the "minecraft.command.chase" permission node can still be used if a server owner wishes to customise who has access to "/chase".