[PMC] Potentially undesired command accessibility to players on Creative.


XkinOEC

Tonight it was brought to my attention by Eehee2000 that the "/give" command is still accessible to not only moderators, but also to common players.

 

He informed me that earlier today someone was spawning items into his inventory. He got curious and looked into just what they did to access the command, because if you type "/give" you get an error; however, if you type the FULL syntax "/give [username] [item id] [quantity]" it does not give the error and instead works entirely as the command would be expected.

 

I was around the last time this command was allowed, back during rev 12; it was a mess for players, especially during the times of item spawning flightless creative. I'd also like to make note that about 3 months back, a hacker mass used this command on me. They were banned; however, it tells me that the command indeed existed in a client mod, and clearly could be the next means of attacking the server and disgruntling players on the server.

I suggest that we fix the problems associated with the command before things turn ugly. I did not post it in the technical problems section to avoid abuse.

 

If need be, please check the logs to see who initially did this to Eehee, as he cannot remember their username. 


According to the code that's published on our GitHub, /give isn't restricted on creative.
 
To head off spam/abuse, totemo added a line six months ago that notified the recipient of who the giver was.  I tested just now on P and giving items to a player with /give notifies them who the giver was.  I also tested syntax, and


/give
/give playername

both fail with permission errors but

/give playername item
/give playername item quantity

work successfully.
 
The usage instructions not showing properly is because of a typo in the code, which I've fixed in this pull request.  After that is merged, we should be good.
 
 

2014-01-31 21:59:53 | CH: Running original command on player admanta ----> /give eehee2000 407 512
2014-01-31 22:00:05 | CH: Running original command on player admanta ----> /give eehee2000 46 512

 
Yeah, except prior to that, Eehee had what appear to be successful gives to admanta and several others:

2014-01-31 21:57:20 | CH: Running original command on player EeHee2000 ----> /give Admanta 14 3289
2014-01-31 21:57:23 | CH: Running original command on player EeHee2000 ----> /give Admanta 14 3289
2014-01-31 21:57:25 | CH: Running original command on player EeHee2000 ----> /give Admanta 14 3289
2014-01-31 21:57:25 | CH: Running original command on player EeHee2000 ----> /give Admanta 14 3289
2014-01-31 21:57:26 | CH: Running original command on player EeHee2000 ----> /give Admanta 14 3289
2014-01-31 21:57:39 | CH: Running original command on player EeHee2000 ----> /give knapp 14 3289
2014-01-31 21:57:43 | CH: Running original command on player EeHee2000 ----> /give knapp 14 3289
2014-01-31 21:58:08 | CH: Running original command on player EeHee2000 ----> /give Dia 18 9834
2014-01-31 21:58:30 | CH: Running original command on player EeHee2000 ----> /give Dmbo 18 9834
2014-01-31 21:58:34 | CH: Running original command on player EeHee2000 ----> /give Dumbo 18 9834
2014-01-31 21:58:46 | CH: Running original command on player EeHee2000 ----> /give Mrl 21 9834
2014-01-31 21:58:56 | CH: Running original command on player admanta ----> /give nevastop leaves 512
2014-01-31 21:59:11 | CH: Running original command on player EeHee2000 ----> /give NEVA 21 9834
2014-01-31 21:59:18 | CH: Running original command on player EeHee2000 ----> /give gsand 21 9834
2014-01-31 21:59:30 | CH: Running original command on player admanta ----> /give nevastop 407 512

And going back 20 days, there are over 400 instances of /give usage or attempts to use it by many players.

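A tally of /give use per issuer over the "CH: Running original command" log format quoted in the post above, added here as an example; it is not code from the thread or from the server's plugins. The `summarize` function, the `max_qty` review threshold of 64 and the two `builder1` sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: four lines copied from the thread's excerpts plus two
# constructed "builder1" lines (a self-give and a bare "/give").
SAMPLE_LOG = """\
2014-01-31 21:57:20 | CH: Running original command on player EeHee2000 ----> /give Admanta 14 3289
2014-01-31 21:57:39 | CH: Running original command on player EeHee2000 ----> /give knapp 14 3289
2014-01-31 21:58:56 | CH: Running original command on player admanta ----> /give nevastop leaves 512
2014-01-31 21:59:00 | CH: Running original command on player builder1 ----> /give builder1 5 64
2014-01-31 21:59:05 | CH: Running original command on player builder1 ----> /give
2014-01-31 21:59:30 | CH: Running original command on player admanta ----> /give nevastop 407 512
"""

LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \| CH: Running original command "
    r"on player (?P<issuer>\S+) ----> /give(?=\s|$)(?P<args>.*)$",
    re.IGNORECASE,
)

def summarize(log_text, max_qty=64):
    """Tally /give use per issuer. max_qty is an assumed review threshold."""
    stats = defaultdict(lambda: {"to_others": 0, "to_self": 0,
                                 "incomplete": 0, "oversized": 0,
                                 "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a /give entry
        issuer = m.group("issuer").lower()  # the log shows names in mixed case
        args = m.group("args").split()
        row = stats[issuer]
        if len(args) < 2:
            # "/give" and "/give playername" are the forms reported to fail
            row["incomplete"] += 1
            continue
        target = args[0].lower()
        if target == issuer:
            row["to_self"] += 1
        else:
            row["to_others"] += 1
            row["targets"].add(target)
        if len(args) >= 3 and args[2].isdigit() and int(args[2]) > max_qty:
            row["oversized"] += 1
    return dict(stats)

if __name__ == "__main__":
    for name, row in sorted(summarize(SAMPLE_LOG).items()):
        print(name, row["to_others"], "to others,", row["to_self"], "to self,",
              row["incomplete"], "incomplete,", row["oversized"], "over threshold,",
              "targets:", sorted(row["targets"]))
```

Sorting the result by `to_others` and `oversized` surfaces the accounts whose gives to other players warrant a closer look in the full log.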

I recall this issue having surfaced a while ago, but I thought it had been fixed. Regardless, let's at least restrict using /give on other players on Creative since there's no good reason for having this enabled. Thanks for bringing this up, Nick.
