A modified client can perform illegal player inventory item swaps
A modified game client can perform item swap actions within the player inventory that bypass container slot conditions on an unmodified server; specifically, the armor slots, which are meant to restrict which items can be inserted into or removed from them.
The code path being exploited is the one that lets a player hover over an inventory slot and press F or a number key 1-9 to swap the hovered item with the offhand slot or the corresponding hotbar slot, respectively.
The exploit is performed by sending a ServerboundContainerClickPacket of type ClickType.SWAP whose "buttonNum" refers to the target slot. The server resolves "buttonNum" against the player inventory directly instead of through the container. The intended functionality only ever performs this swap with "buttonNum" set to a hotbar slot (0..8) or the offhand slot (40); those slots carry no restrictions, so skipping the container slot check has no observable effect for legitimate clients. A modified client, however, may send a swap with "buttonNum" referring to an armor slot (or in fact any player inventory index), which the server accepts, bypassing the slot's insertion and removal logic. Because the logic reads the player inventory directly, slot restrictions of non-player containers are not affected by this exploit.
In specific terms: where an unmodified client hovering an armor slot and pressing F would send a ClickType.SWAP packet with "slotNum" = slot.index and "buttonNum" = 40, the modified client sends the reverse, "slotNum" = 45 (the offhand slot in the inventory container) and "buttonNum" = slot.getContainerSlot() (the armor slot's index in the player inventory).
This has not always been exploitable; investigation showed it was introduced in 1.16-pre3 by the fix for MC-84610, which removed the server-side condition that "buttonNum" must refer to a hotbar slot.
A simple proposed fix is to reintroduce the earlier restriction on "buttonNum", extended to also allow the offhand slot (40). However, that leaves the underlying problem that the swap never consults the container slot for the "buttonNum" side, which could become relevant if the hotbar or offhand slots were ever to gain restrictions of their own.
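To make the two code paths concrete, the following is an added, self-contained Java model; it is not Mojang's code, and every name in it (Slot, ArmorSlot, handleSwap, buildInventoryMenu, isAllowedSwapButton) is hypothetical. It assumes the inventory container layout implied by the report (container slot 45 = offhand, slots 5..8 = armor) and the player inventory indices 0..8 hotbar, 36..39 armor, 40 offhand. The unpatched path reproduces the bypass (the "buttonNum" side is used as a raw inventory index), the patched path applies the proposed "buttonNum" restriction and additionally consults the container slot on both sides of the swap.

```java
import java.util.Arrays;

public class SwapClickModel {
    enum Kind { NONE, HELMET, CHESTPLATE, LEGGINGS, BOOTS, OTHER }

    static final class ItemStack {
        static final ItemStack EMPTY = new ItemStack("air", Kind.NONE);
        final String name; final Kind kind;
        ItemStack(String name, Kind kind) { this.name = name; this.kind = kind; }
        boolean isEmpty() { return kind == Kind.NONE; }
        @Override public String toString() { return name; }
    }

    /** Hypothetical container slot: maps to a player-inventory index and carries the conditions. */
    static class Slot {
        final int inventoryIndex; // -1 = not backed by the player inventory (crafting grid)
        Slot(int inventoryIndex) { this.inventoryIndex = inventoryIndex; }
        boolean mayPlace(ItemStack stack) { return true; }
        boolean mayPickup(ItemStack stack) { return true; }
    }

    /** Armor slot: only accepts the matching armor piece (modeled restriction). */
    static final class ArmorSlot extends Slot {
        final Kind accepts;
        ArmorSlot(int inventoryIndex, Kind accepts) { super(inventoryIndex); this.accepts = accepts; }
        @Override boolean mayPlace(ItemStack stack) { return stack.isEmpty() || stack.kind == accepts; }
    }

    // Assumed player inventory layout: 0..8 hotbar, 9..35 main, 36..39 armor, 40 offhand.
    static final int HOTBAR_FIRST = 0, HOTBAR_LAST = 8, OFFHAND = 40, INVENTORY_SIZE = 41;

    /** The pre-1.16-pre3 style restriction, extended to allow the offhand as the report proposes. */
    static boolean isAllowedSwapButton(int buttonNum) {
        return (buttonNum >= HOTBAR_FIRST && buttonNum <= HOTBAR_LAST) || buttonNum == OFFHAND;
    }

    /** Assumed inventory menu: 0 result, 1-4 crafting, 5-8 armor, 9-35 main, 36-44 hotbar, 45 offhand. */
    static Slot[] buildInventoryMenu() {
        Slot[] slots = new Slot[46];
        for (int i = 0; i <= 4; i++) slots[i] = new Slot(-1);
        Kind[] armor = { Kind.HELMET, Kind.CHESTPLATE, Kind.LEGGINGS, Kind.BOOTS };
        for (int i = 0; i < 4; i++) slots[5 + i] = new ArmorSlot(39 - i, armor[i]);
        for (int i = 9; i <= 35; i++) slots[i] = new Slot(i);
        for (int i = 0; i <= 8; i++) slots[36 + i] = new Slot(i);
        slots[45] = new Slot(OFFHAND);
        return slots;
    }

    static Slot slotForInventoryIndex(Slot[] slots, int inventoryIndex) {
        for (Slot s : slots) if (s.inventoryIndex == inventoryIndex) return s;
        return null;
    }

    /**
     * Handles a ClickType.SWAP click. Returns true if the swap was performed.
     * patched=false models the reported behaviour: "buttonNum" is a raw inventory index
     * and only the hovered slot ("slotNum", resolved through the container) is checked.
     */
    static boolean handleSwap(ItemStack[] inv, Slot[] menu, int slotNum, int buttonNum, boolean patched) {
        if (slotNum < 0 || slotNum >= menu.length) return false;
        if (buttonNum < 0 || buttonNum >= inv.length) return false;
        Slot hovered = menu[slotNum];
        if (hovered.inventoryIndex < 0) return false;
        ItemStack hoveredItem = inv[hovered.inventoryIndex];
        ItemStack buttonItem = inv[buttonNum];
        if (!hovered.mayPickup(hoveredItem) || !hovered.mayPlace(buttonItem)) return false;
        if (patched) {
            if (!isAllowedSwapButton(buttonNum)) return false;          // proposed simple fix
            Slot target = slotForInventoryIndex(menu, buttonNum);       // deeper fix: go through the container
            if (target == null || !target.mayPickup(buttonItem) || !target.mayPlace(hoveredItem)) return false;
        }
        inv[hovered.inventoryIndex] = buttonItem;
        inv[buttonNum] = hoveredItem;
        return true;
    }

    public static void main(String[] args) {
        for (boolean patched : new boolean[] { false, true }) {
            // Constructed scenario: iron helmet equipped, stone block in the offhand.
            ItemStack[] inv = new ItemStack[INVENTORY_SIZE];
            Arrays.fill(inv, ItemStack.EMPTY);
            inv[39] = new ItemStack("iron_helmet", Kind.HELMET);
            inv[OFFHAND] = new ItemStack("stone", Kind.OTHER);
            Slot[] menu = buildInventoryMenu();
            System.out.println(patched ? "== patched server ==" : "== unpatched server ==");
            // Intended client: hover the helmet slot (container 5), press F (buttonNum 40): rejected, armor slot refuses stone.
            System.out.println("hover armor, buttonNum=40  -> " + handleSwap(inv, menu, 5, OFFHAND, patched));
            // Reversed arguments from the report: hover offhand (container 45), buttonNum = helmet inventory index 39.
            boolean done = handleSwap(inv, menu, 45, 39, patched);
            System.out.println("hover offhand, buttonNum=39 -> " + done + "; helmet slot now holds " + inv[39]);
        }
    }
}
```

Running the model prints the unpatched server accepting the reversed packet and ending with "stone" in the helmet slot, while the patched server rejects it; the intended F-key path is rejected on both because the hovered ArmorSlot is always consulted, which is why the bypass only works with the arguments reversed.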
2023-11-24, 09:17 PM
2023-11-28, 01:17 PM