Mojira Archive
MC-137689

Commands can store arbitrary text into the Command tag

The bug

Commands are able to store text in the Command tag of a command block or command block minecart. If a datapack or command block structure is set up to allow modifying or setting that tag in some way, this can lead to non opped players running arbitrary commands.

How to reproduce

  1. Take a book and quill, write a command in it and hold it
  2. Place a command block below you 
    /setblock ~ ~-1 ~ command_block
  3. Run the following command 
    /data modify block ~ ~-1 ~ Command set from entity @s SelectedItem.tag.pages[0]

    Notice that the command in the command block has been set to the text in the book

Works As Intended

[Helper] Misode

2018-10-24, 10:54 PM

2020-10-13, 10:30 AM

2020-10-13, 10:30 AM

1

3

Confirmed

Commands

/data-modify

Minecraft 18w43b - 1.15.2Minecraft 18w43b, Minecraft 18w43c, Minecraft 18w44a, Minecraft 18w48a, Minecraft 18w48b, Minecraft 18w49a, Minecraft 18w50a, Minecraft 19w12b, Minecraft 19w13b, Minecraft 19w14a, Minecraft 1.14, Minecraft 1.14.1 Pre-Release 1, Minecraft 1.14.1 Pre-Release 2, 1.15.1, 1.15.2

-