forked from MirrorHub/authlib-injector
Fix skinDomains can match unwanted domains
parent
6f236dceeb
commit
edd40f394d
2 changed files with 76 additions and 7 deletions
|
@ -19,16 +19,13 @@ package moe.yushi.authlibinjector.transform.support;
|
||||||
import static org.objectweb.asm.Opcodes.ALOAD;
|
import static org.objectweb.asm.Opcodes.ALOAD;
|
||||||
import static org.objectweb.asm.Opcodes.ASM7;
|
import static org.objectweb.asm.Opcodes.ASM7;
|
||||||
import static org.objectweb.asm.Opcodes.IRETURN;
|
import static org.objectweb.asm.Opcodes.IRETURN;
|
||||||
|
|
||||||
import java.net.URI;
|
import java.net.URI;
|
||||||
import java.net.URISyntaxException;
|
import java.net.URISyntaxException;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Optional;
|
import java.util.Optional;
|
||||||
import java.util.concurrent.CopyOnWriteArrayList;
|
import java.util.concurrent.CopyOnWriteArrayList;
|
||||||
|
|
||||||
import org.objectweb.asm.ClassVisitor;
|
import org.objectweb.asm.ClassVisitor;
|
||||||
import org.objectweb.asm.MethodVisitor;
|
import org.objectweb.asm.MethodVisitor;
|
||||||
|
|
||||||
import moe.yushi.authlibinjector.transform.CallbackMethod;
|
import moe.yushi.authlibinjector.transform.CallbackMethod;
|
||||||
import moe.yushi.authlibinjector.transform.CallbackSupport;
|
import moe.yushi.authlibinjector.transform.CallbackSupport;
|
||||||
import moe.yushi.authlibinjector.transform.TransformContext;
|
import moe.yushi.authlibinjector.transform.TransformContext;
|
||||||
|
@ -36,6 +33,18 @@ import moe.yushi.authlibinjector.transform.TransformUnit;
|
||||||
|
|
||||||
public class SkinWhitelistTransformUnit implements TransformUnit {
|
public class SkinWhitelistTransformUnit implements TransformUnit {
|
||||||
|
|
||||||
|
public static boolean domainMatches(String pattern, String domain) {
|
||||||
|
// for security concern, empty pattern matches nothing
|
||||||
|
if (pattern.isEmpty()) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if (pattern.startsWith(".")) {
|
||||||
|
return domain.endsWith(pattern);
|
||||||
|
} else {
|
||||||
|
return domain.equals(pattern);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private static final String[] DEFAULT_WHITELISTED_DOMAINS = {
|
private static final String[] DEFAULT_WHITELISTED_DOMAINS = {
|
||||||
".minecraft.net",
|
".minecraft.net",
|
||||||
".mojang.com"
|
".mojang.com"
|
||||||
|
@ -56,13 +65,13 @@ public class SkinWhitelistTransformUnit implements TransformUnit {
|
||||||
throw new IllegalArgumentException("Invalid URL '" + url + "'");
|
throw new IllegalArgumentException("Invalid URL '" + url + "'");
|
||||||
}
|
}
|
||||||
|
|
||||||
for (String whitelisted : DEFAULT_WHITELISTED_DOMAINS) {
|
for (String pattern : DEFAULT_WHITELISTED_DOMAINS) {
|
||||||
if (domain.endsWith(whitelisted)) {
|
if (domainMatches(pattern, domain)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
for (String whitelisted : WHITELISTED_DOMAINS) {
|
for (String pattern : WHITELISTED_DOMAINS) {
|
||||||
if (domain.endsWith(whitelisted)) {
|
if (domainMatches(pattern, domain)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
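Review bot: `domainMatches` compares with the case-sensitive `endsWith`/`equals`, and a pattern consisting only of `.` gets past the empty-pattern guard, after which `domain.endsWith(".")` accepts any host written with a trailing dot. Host names are case-insensitive, so unless the caller lower-cases `domain` outside the visible hunks, a whitelisted host written in mixed case will be rejected. I would extend the guard to `if (pattern.isEmpty() || pattern.equals(".")) {` and normalise both arguments with `toLowerCase(Locale.ROOT)` before comparing. Because the method is public and now defines the matching rule, a short Javadoc should state that `.example.com` matches subdomains only and `example.com` matches exactly that host. It should also say that entries without a leading dot no longer match subdomains, which existing configurations may rely on.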
|
@ -0,0 +1,60 @@
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2020 Haowei Wen <yushijinhun@gmail.com> and contributors
|
||||||
|
*
|
||||||
|
* This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as published by
|
||||||
|
* the Free Software Foundation, either version 3 of the License, or
|
||||||
|
* (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
package moe.yushi.authlibinjector.test;
|
||||||
|
|
||||||
|
import static moe.yushi.authlibinjector.transform.support.SkinWhitelistTransformUnit.domainMatches;
|
||||||
|
import static org.junit.Assert.assertFalse;
|
||||||
|
import static org.junit.Assert.assertTrue;
|
||||||
|
import org.junit.Test;
|
||||||
|
|
||||||
|
public class SkinWhitelistTest {
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testEmptyPattern() {
|
||||||
|
assertFalse(domainMatches("", "example.com"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDotMatchesSubdomain() {
|
||||||
|
assertTrue(domainMatches(".example.com", "a.example.com"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDotMatchesSubdomain2() {
|
||||||
|
assertTrue(domainMatches(".example.com", "b.a.example.com"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testDotNotMatchesToplevel() {
|
||||||
|
assertFalse(domainMatches(".example.com", "example.com"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testNonDotMatchesToplevel() {
|
||||||
|
assertTrue(domainMatches("example.com", "example.com"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testNonDotNotMatchesSubdomain() {
|
||||||
|
assertFalse(domainMatches("example.com", "a.example.com"));
|
||||||
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testNonDotNotMatchesOther() {
|
||||||
|
assertFalse(domainMatches("example.com", "eexample.com"));
|
||||||
|
}
|
||||||
|
}
|
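Review bot: No test pins the label boundary for a dotted pattern; the look-alike host is only checked against the non-dot pattern in `testNonDotNotMatchesOther`. Adding `assertFalse(domainMatches(".example.com", "eexample.com"));` would document that the leading dot is what stops a suffix pattern from matching an unrelated domain. A case for a pattern of just `.` and one for a mixed-case host would pin the intended result for those inputs as well.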