Comments (7)
Hey,
thanks for using Cirrus and for your help.
Dragging is not handled by Protocolize at all, so handling it won't be possible without altering it.
Looking at the Spigot side: currently, we are not handling it here either. In the time we used Cirrus in production it did not cause any issue so far.
However, we look to further improve Cirrus. Did I understand correctly that you suggest cancelling the InventoryDragEvent? We are also open to PRs.
Regards,
Leonhard

I'm not really using it; I have my own library for that, at least on the Bukkit side, and hence am just always interested in how others handle similar cases (and adding them to the Spigot wiki page on inventory GUIs).
Not cancelling/handling the drag event is unfortunately very common, as most people don't realise that it's not the same as a click, how easy it is to trigger accidentally, and that it opens up potential exploits in plugins, so I tend to point it out to everyone with such a library that doesn't properly handle this case, so that they and their users don't fall prey to such exploits.

Alright, as it did not cause any issue in ~3 years of usage, even on servers with 800 concurrent players, we will just leave it as it is right now if there is no PR with some reproducible issue.

Well, I just hope nobody else is using this library for anything important, because this is pretty irresponsible... Duping exploits aren't a non-issue, and you will only realise that it's being abused when it's too late.

You were unable to explain any sort of "exploits" when I asked you to do so. The only "exploit" you elaborated on was that the menu could become unresponsive. We checked this and no, dragging won't make it possible to move items to the inventory of players.
The code behind this has been in use for ~3 years and there was no problem so far.
If you have any improvement to make, just create a PR.
Btw: if you really think that this would allow for "duping exploits", it would be irresponsible on your side not to open a PR or further explain your position.

I am not responsible for the security of your software/services. Of course, if you can provide me with a link regarding how you/your company handles responsible disclosure and your vulnerability reward program, I am absolutely willing to build a working exploit for you if that's really what you want me to do.
I just feel like it would be a lot faster (even compared to me having to familiarise myself with your project in order to open a PR) if you added a listener that does what you want in the context of your project and were done with it...

As you might have been able to see, we already added this listener, as we don't want to take any chances with security issues.
I never said you were responsible for our security. See
We obviously don't have a vulnerability reward program. And if the issue is that common, why would it take a reward program to come up with a vulnerability?
It would have been great if you had been able to provide anything more specific than the vague explanations you made.
Anyhow, thanks for your help.
In the future, we have to find a better way of communicating, as I feel like we wasted a lot of time over nothing here.

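For readers who land on this thread looking for the listener the two sides talk about: the following is an added example, not Cirrus's own code and not the listener the maintainers say they committed. It shows the point raised above, that a drag is delivered to the server as an InventoryDragEvent and never as an InventoryClickEvent, so a GUI library that only cancels clicks still lets a player holding a stack drag it across the menu and have the stack split into the menu's slots. The `GuiHolder` marker class, `createMenu` and the 27-slot size are assumptions made for the example; the Bukkit API calls (`getView().getTopInventory()`, `getRawSlots()`, `InventoryAction`) are the real ones.

```java
import org.bukkit.Bukkit;
import org.bukkit.event.EventHandler;
import org.bukkit.event.EventPriority;
import org.bukkit.event.Listener;
import org.bukkit.event.inventory.InventoryAction;
import org.bukkit.event.inventory.InventoryClickEvent;
import org.bukkit.event.inventory.InventoryDragEvent;
import org.bukkit.inventory.Inventory;
import org.bukkit.inventory.InventoryHolder;
import org.bukkit.plugin.Plugin;

/**
 * Added example, not Cirrus code: a Bukkit listener that refuses every way a
 * client can push items into a plugin-owned GUI inventory, including the drag
 * gesture, which fires InventoryDragEvent and NOT InventoryClickEvent.
 */
public final class GuiGuardListener implements Listener {

    /** Hypothetical marker holder: an inventory whose holder is a GuiHolder is one of our menus. */
    public static final class GuiHolder implements InventoryHolder {
        private Inventory inventory;
        @Override public Inventory getInventory() { return inventory; }
    }

    /** Creates a menu inventory tagged with the marker holder (27 slots chosen for the example). */
    public static Inventory createMenu(String title) {
        GuiHolder holder = new GuiHolder();
        holder.inventory = Bukkit.createInventory(holder, 27, title);
        return holder.inventory;
    }

    /** Call once from the plugin's onEnable(). */
    public static void register(Plugin plugin) {
        Bukkit.getPluginManager().registerEvents(new GuiGuardListener(), plugin);
    }

    private static boolean isMenu(Inventory inv) {
        return inv != null && inv.getHolder() instanceof GuiHolder;
    }

    /**
     * Drag: the client sends one request listing every raw slot the cursor passed
     * over, and the server distributes the cursor stack across those slots without
     * any click event. Raw slots numbered below the top inventory's size belong to
     * the menu, so cancel the whole drag if any of them is touched.
     */
    @EventHandler(priority = EventPriority.HIGH, ignoreCancelled = true)
    public void onDrag(InventoryDragEvent event) {
        Inventory top = event.getView().getTopInventory();
        if (!isMenu(top)) return;
        int topSize = top.getSize();
        for (int rawSlot : event.getRawSlots()) {
            if (rawSlot < topSize) {
                event.setCancelled(true);
                return;
            }
        }
    }

    /**
     * Click: shown for contrast. Besides clicks on the menu itself, several actions
     * performed on the player's own inventory still route items into the open menu
     * (shift-click, hotbar number keys, the offhand swap key, double-click collect),
     * so checking the clicked inventory alone is not enough either.
     */
    @EventHandler(priority = EventPriority.HIGH, ignoreCancelled = true)
    public void onClick(InventoryClickEvent event) {
        Inventory top = event.getView().getTopInventory();
        if (!isMenu(top)) return;
        if (event.getClickedInventory() == top) {
            event.setCancelled(true); // menu slots are buttons, never storage
            return;
        }
        InventoryAction action = event.getAction();
        if (action == InventoryAction.MOVE_TO_OTHER_INVENTORY
                || action == InventoryAction.COLLECT_TO_CURSOR
                || action == InventoryAction.HOTBAR_SWAP
                || action == InventoryAction.HOTBAR_MOVE_AND_READD
                || action == InventoryAction.UNKNOWN) {
            event.setCancelled(true);
        }
    }
}
```

The drag handler deliberately cancels rather than trimming `getRawSlots()`: the event exposes the new item map per slot, but letting part of a drag through means the cursor stack is recomputed server-side and the menu's own click logic never ran for those slots. Cancelling restores the full cursor stack to the player, which is the state the menu code expects. Registering with `ignoreCancelled = true` keeps the guard from fighting another plugin that already vetoed the action.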