Commit
[Security] Disable BungeeCord hook if the proxy is disabled in Spigot (#2572 from @Ghost-chu)

If Spigot is running without a proxy, an incoming BungeeCord message can also originate from a malicious player. This happens because there is no proxy preventing this message. There appears to be no method to check if this message comes from a trusted source from the Bukkit side.

This implementation checks if BungeeCord support is enabled in Spigot. This means that we notify them that we actually expect a proxy enabled configuration for this feature. This solves the issue where the hook was enabled because the server was earlier configured with proxies in mind, but they are no longer used.

**Nevertheless** this doesn't fully solve the issue, because in misconfigured setups, where the Spigot server is publicly accessible, it's still possible. However this is always a recommended configuration step.

Alternative solutions were rejected like:

1) Check on incoming BungeeCord message, if we received BungeeCord forwarding data during login. This data can be fully faked by the player too.
2) Check the connection properties if the appearing proxy is local. While this is possible, there are instances where the proxy is not on the same network although it's legitimate. Although it could be possible to introduce this with a configuration option, it would increase the complexity for users.

Related #2559
Related #2571
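As an added illustration of the check described in the message (example code, not the commit's or the project's own): a Bukkit plugin message listener that registers and processes its proxy channel only when `settings.bungeecord` is true in spigot.yml. The class and channel name are placeholders, and the lookup via `Bukkit.spigot().getConfig()` is assumed to be available on the Spigot-based server the plugin runs on.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;

import org.bukkit.Bukkit;
import org.bukkit.entity.Player;
import org.bukkit.plugin.java.JavaPlugin;
import org.bukkit.plugin.messaging.PluginMessageListener;

// Hypothetical listener (not the project's code) that only honours
// BungeeCord-style plugin messages when Spigot itself is configured
// to sit behind a proxy. Without that setting, the message may have
// been crafted by any client connecting directly to the server.
public final class ProxyGatedListener implements PluginMessageListener {

    // Placeholder channel name for this example.
    public static final String CHANNEL = "example:proxyhook";

    private final JavaPlugin plugin;

    public ProxyGatedListener(JavaPlugin plugin) {
        this.plugin = plugin;
    }

    // settings.bungeecord in spigot.yml; false means Spigot does not
    // expect a proxy, so forwarded data cannot be trusted.
    public static boolean isProxyEnabledInSpigot() {
        return Bukkit.spigot().getConfig().getBoolean("settings.bungeecord", false);
    }

    // Register the hook only when a proxy configuration is present.
    public void register() {
        if (!isProxyEnabledInSpigot()) {
            plugin.getLogger().warning("BungeeCord support is disabled in spigot.yml; "
                    + "proxy hook not registered because incoming messages could be spoofed.");
            return;
        }
        Bukkit.getMessenger().registerIncomingPluginChannel(plugin, CHANNEL, this);
    }

    @Override
    public void onPluginMessageReceived(String channel, Player player, byte[] message) {
        // Defence in depth: re-check per message in case the setting changed on reload.
        if (!CHANNEL.equals(channel) || !isProxyEnabledInSpigot()) {
            return;
        }
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(message))) {
            String subChannel = in.readUTF(); // first field of the proxy payload
            plugin.getLogger().info("Proxy data '" + subChannel + "' for " + player.getName());
        } catch (IOException ex) {
            plugin.getLogger().warning("Malformed proxy message from " + player.getName());
        }
    }
}
```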