Description
I've spotted a vulnerability that could lead to arbitrary item fabrication. It's an injection into the display name of an item you store in the cloaker inventory. I've confirmed that with an anvil you can exploit this.
These consist of adding a ":" or ";" character into the display name of the object. When the server restarts the inventory will be serialised and deserialised. The lines which split on those characters should then allow us to change the item with ":" or add new items with ";".
If I can get a colon in a display name, I can change the item however I want. e.g. adding ":t@57:a@64:b@" to the end of the name will transform the item into 64 diamond blocks.
If I can put a semicolon in a display name, I could fabricate an inventory of my choice and still keep the item. All I'd have to do would be to add something like ";5#t@57:a@64:b@" to put 64 diamond blocks in slot 5.
The last "b@" is to eat the = which the code adds to the end of display names, mangling number parsing. If you leave off the b@, it permanently corrupts the cloaker save file.
Name the item like so:
http://imgur.com/IqB63tW
Put in cloaker:
http://imgur.com/Evczijw
Restart server and this happens:
http://imgur.com/bu7uojy
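As an added illustration (not the plugin's own code), a toy Python serializer modelled on the save format the report implies, showing why a verbatim display name breaks the parse and how escaping the delimiters before saving fixes it. The field layout, the `n@` key for the name and the percent-escaping scheme are assumptions.

```python
import re

# Constructed toy save format modelled on the report (an assumption, not the
# plugin's real code): items are joined by ";", each is
# "<slot>#t@<type>:a@<amount>:n@<display name>=" (the "=" terminates the name).
RESERVED = ";:#@="  # delimiters the format depends on


def parse(text, unescape_names=False):
    """Rebuild {slot: (type, amount, name)} from a save string."""
    inv = {}
    for entry in filter(None, text.split(";")):
        slot, fields = entry.split("#", 1)
        item = {}
        for field in fields.split(":"):
            key, value = field.split("@", 1)
            if key == "n" and value.endswith("="):
                value = value[:-1]  # drop the "=" appended to names
            item[key] = value
        name = item.get("n", "")
        if unescape_names:
            name = unescape(name)
        inv[int(slot)] = (int(item["t"]), int(item["a"]), name)
    return inv


def serialize_naive(inv):
    """Original behaviour: the display name is written verbatim."""
    return ";".join(f"{s}#t@{t}:a@{a}:n@{n}=" for s, (t, a, n) in inv.items())


def escape(name):
    """Percent-encode the delimiters (and '%') so a name can never form a field."""
    return "".join(f"%{ord(c):02X}" if c in RESERVED + "%" else c for c in name)


def unescape(name):
    """Reverse escape(): turn %XX sequences back into the original characters."""
    return re.sub(r"%([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), name)


def serialize_safe(inv):
    """Hardened: names are escaped, so parse(..., True) round-trips exactly."""
    return ";".join(f"{s}#t@{t}:a@{a}:n@{escape(n)}=" for s, (t, a, n) in inv.items())


def tainted_names(inv):
    """Detection: slots whose name contains a delimiter (check before saving)."""
    return {s: n for s, (t, a, n) in inv.items() if any(c in RESERVED for c in n)}
```

With a name shaped like the report's, `parse(serialize_naive(...))` yields a second, fabricated slot, while `parse(serialize_safe(...), True)` returns the original inventory unchanged.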