Mojira Archive
MC-100230

Non op players in creative mode can query tile entity NBT data

The bug

The following is based on a decompiled version of Minecraft 1.9 using MCP 9.24 beta. All method and class names are the names used in the decompiled version.

A non-op player in creative mode who sends a CPacketCreativeInventoryAction packet with the coordinates of a tile entity in the BlockEntityTag tag can obtain NBT data of tile entities to which they would normally have no access.
This is because the method net.minecraft.network.NetHandlerPlayServer.processCreativeInventoryAction(CPacketCreativeInventoryAction) sets the NBT data of the BlockEntityTag to the NBT data of an already existing tile entity if the x, y and z values are provided. It does not test whether the player is allowed to receive this NBT data, whereas the method net.minecraft.entity.player.EntityPlayerMP.func_184824_a(TileEntityCommandBlock) performs this test before it sends a packet containing the NBT data of the command block.
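
An added example, not the decompiled Minecraft code: a simplified Java model of the handler pattern described above, with the unchecked copy beside a version that checks the sender first. All type and method names are hypothetical, the world state is constructed, and read permission is assumed to be operator status (Java 16+).

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model (assumption): none of these types are Minecraft's own classes.
public class BlockEntityTagCheck {
    record Pos(int x, int y, int z) {}
    record Player(String name, boolean creative, boolean op) {}

    // Constructed world state: one command block holding privileged NBT.
    static final Map<Pos, Map<String, Object>> TILE_ENTITIES = new HashMap<>();
    static {
        TILE_ENTITIES.put(new Pos(-2, 56, 7), Map.of("Command", "say constructed-secret"));
    }

    // Pattern described in the report: client-supplied coordinates select a tile
    // entity whose NBT replaces the BlockEntityTag; the sender is never consulted.
    static Map<String, Object> resolveUnchecked(Player p, Map<String, Object> blockEntityTag) {
        Map<String, Object> data = lookup(blockEntityTag);
        return data != null ? data : blockEntityTag;
    }

    // Hardened form: the copy happens only if the sender may read that tile
    // entity; otherwise the client-supplied tag is returned unchanged.
    static Map<String, Object> resolveChecked(Player p, Map<String, Object> blockEntityTag) {
        Map<String, Object> data = lookup(blockEntityTag);
        return (data != null && mayReadTileEntity(p)) ? data : blockEntityTag;
    }

    // Assumption: read access is modeled as operator status.
    static boolean mayReadTileEntity(Player p) { return p.op(); }

    // Returns the stored NBT at the tag's x/y/z, or null if absent or malformed.
    static Map<String, Object> lookup(Map<String, Object> tag) {
        if (!(tag.get("x") instanceof Integer x && tag.get("y") instanceof Integer y
                && tag.get("z") instanceof Integer z)) return null;
        return TILE_ENTITIES.get(new Pos(x, y, z));
    }

    public static void main(String[] args) {
        Player nonOp = new Player("alice", true, false);
        Map<String, Object> request = Map.of("x", -2, "y", 56, "z", 7);
        System.out.println("unchecked: " + resolveUnchecked(nonOp, request));
        System.out.println("checked:   " + resolveChecked(nonOp, request));
    }
}
```

For the non-op sender, the unchecked path returns the stored command while the checked path returns only the coordinates the client already supplied.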

How to reproduce

  1. Op yourself
  2. Place a command block and enter a command
  3. Deop yourself
    /deop @s
    
  4. CTRL + middle click the command block to get the block with the NBT data
  5. Throw the item on the ground
  6. Op yourself and use the following command, or use it directly in the console
    /data get entity @e[type=item,limit=1,nbt={Item:{id:"minecraft:command_block"}}]
    

    → It shows that the command block item contains the command even though it should not

How to reproduce (modded client)

  1. Send a CPacketCreativeInventoryAction packet with x, y and z values of a command block
    Example
    // Command block item that will carry the BlockEntityTag
    ItemStack itemStack = new ItemStack(Item.getItemFromBlock(Blocks.command_block));
    net.minecraft.nbt.NBTTagCompound nbtCompound = new net.minecraft.nbt.NBTTagCompound();
    // Coordinates of the existing command block in the world
    nbtCompound.setInteger("x", -2);
    nbtCompound.setInteger("y", 56);
    nbtCompound.setInteger("z", 7);
    itemStack.setTagInfo("BlockEntityTag", nbtCompound);
    // Send the creative inventory action for slot 36 with this item
    this.netClientHandler.addToSendQueue(new CPacketCreativeInventoryAction(36, itemStack));
    
  2. Update your inventory in some way, for example by dropping the item in the first hotbar slot
  3. The method net.minecraft.client.network.NetHandlerPlayClient.handleSetSlot(SPacketSetSlot) for example receives an ItemStack with the NBT data of the command block

Works As Intended

Marcono1234

2016-03-29, 04:57 PM

2021-02-03, 04:39 PM

2020-10-21, 10:34 AM

1

2

Confirmed

(Unassigned)

NBT, command_block, non-op, pick-block

Minecraft 1.9 - Minecraft 17w47b

Minecraft 1.9, Minecraft 1.11, Minecraft 1.11.2, Minecraft 1.12.2, Minecraft 17w47b
