From a97a3f3177e07ec3647ecd119e0bf2bc4275eed9 Mon Sep 17 00:00:00 2001
From: Lemon
Date: Sun, 28 Jul 2019 13:36:06 +0500
Subject: [PATCH 1/3] :okretard: marco

---
 .../httpd/module/Module_schematic.java | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/main/java/me/totalfreedom/totalfreedommod/httpd/module/Module_schematic.java b/src/main/java/me/totalfreedom/totalfreedommod/httpd/module/Module_schematic.java
index f83e8677..92e1d8ee 100644
--- a/src/main/java/me/totalfreedom/totalfreedommod/httpd/module/Module_schematic.java
+++ b/src/main/java/me/totalfreedom/totalfreedommod/httpd/module/Module_schematic.java
@@ -1,5 +1,7 @@
 package me.totalfreedom.totalfreedommod.httpd.module;
 
+import com.sk89q.worldedit.extent.clipboard.io.ClipboardFormat;
+import com.sk89q.worldedit.extent.clipboard.io.ClipboardFormats;
 import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
@@ -190,11 +192,16 @@ public class Module_schematic extends HTTPDModule
 throw new SchematicTransferException("Can't resolve original file name.");
 }
 
- if (tempFile.length() > FileUtils.ONE_MB )
+ if (tempFile.length() > FileUtils.ONE_MB)
 {
 throw new SchematicTransferException("Schematic is too big (1mb max).");
 }
 
+ if (plugin.web.getWorldEditPlugin() == null)
+ {
+ throw new SchematicTransferException("WorldEdit is not on the server.");
+ }
+
 if (!SCHEMATIC_FILENAME_LC.matcher(origFileName.toLowerCase()).find())
 {
 throw new SchematicTransferException("File name must be alphanumeric, between 1 and 30 characters long (inclusive), and have a \".schematic\" extension.");
@@ -206,10 +213,18 @@ public class Module_schematic extends HTTPDModule
 throw new SchematicTransferException("Schematic already exists on the server.");
 }
 
+
 try
 {
 FileUtils.copyFile(tempFile, targetFile);
+ ClipboardFormat format = ClipboardFormats.findByFile(targetFile);
+ if (format == null)
+ {
+ FileUtils.deleteQuietly(targetFile);
+ throw new SchematicTransferException("Schematic is not a valid schematic.");
+ }
 FLog.info(remoteAddress + " uploaded schematic: " + targetFile.getName());
+
 }
 catch (IOException ex)
 {
From de1fbde20ad97af1b51582d8e5bbaae5b321bec8 Mon Sep 17 00:00:00 2001
From: Lemon
Date: Sun, 28 Jul 2019 14:57:10 +0500
Subject: [PATCH 2/3] Fix [TotalFreedomMod] showing up in the logs instead of the proper message

---
 src/main/java/me/totalfreedom/totalfreedommod/ChatManager.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/me/totalfreedom/totalfreedommod/ChatManager.java b/src/main/java/me/totalfreedom/totalfreedommod/ChatManager.java
index a36045ef..9856b06c 100644
--- a/src/main/java/me/totalfreedom/totalfreedommod/ChatManager.java
+++ b/src/main/java/me/totalfreedom/totalfreedommod/ChatManager.java
@@ -145,7 +145,7 @@ public class ChatManager extends FreedomService
 public void adminChat(CommandSender sender, String message)
 {
 Displayable display = plugin.rm.getDisplay(sender);
- FLog.info("[ADMIN] " + sender.getName() + " " + display.getTag() + ": " + message);
+ FLog.info("[ADMIN] " + sender.getName() + " " + display.getTag() + ": " + message, true);
 
 for (Player player : server.getOnlinePlayers())
 {
From 27aaa5406d3e0a60abbb561ec2e3d35a6571e14b Mon Sep 17 00:00:00 2001
From: Lemon
Date: Sun, 28 Jul 2019 17:39:00 +0500
Subject: [PATCH 3/3] fine if you think you can still exploit it then good luck now

---
 .../httpd/module/Module_schematic.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)
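Review bot: In the Module_schematic.java upload hunk of patch 1/3, `FileUtils.copyFile(tempFile, targetFile)` still runs before `ClipboardFormats.findByFile(targetFile)`, so an unvalidated upload is written into the schematics directory under its final name and is removed only afterwards by `FileUtils.deleteQuietly(targetFile)`, which swallows any failure to delete. Validate first and copy only on success, for example `ClipboardFormat format = ClipboardFormats.findByFile(tempFile);` placed ahead of the `copyFile` call; if format detection turns out to depend on the file name, stage the copy under a name outside the served directory instead. A rejected upload also leaves no trace in the log, so a line such as `FLog.info(remoteAddress + " uploaded an invalid schematic: " + targetFile.getName());` before the throw would help when reviewing abuse. The enclosing method starts and ends outside this hunk.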
diff --git a/src/main/java/me/totalfreedom/totalfreedommod/httpd/module/Module_schematic.java b/src/main/java/me/totalfreedom/totalfreedommod/httpd/module/Module_schematic.java
index 92e1d8ee..a7dcca64 100644
--- a/src/main/java/me/totalfreedom/totalfreedommod/httpd/module/Module_schematic.java
+++ b/src/main/java/me/totalfreedom/totalfreedommod/httpd/module/Module_schematic.java
@@ -2,7 +2,9 @@ package me.totalfreedom.totalfreedommod.httpd.module;
 
 import com.sk89q.worldedit.extent.clipboard.io.ClipboardFormat;
 import com.sk89q.worldedit.extent.clipboard.io.ClipboardFormats;
+import com.sk89q.worldedit.extent.clipboard.io.ClipboardReader;
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -223,6 +225,16 @@ public class Module_schematic extends HTTPDModule
 FileUtils.deleteQuietly(targetFile);
 throw new SchematicTransferException("Schematic is not a valid schematic.");
 }
+ try
+ {
+ ClipboardReader reader = format.getReader(new FileInputStream(targetFile));
+ }
+ catch (IOException e)
+ {
+ FileUtils.deleteQuietly(targetFile);
+ throw new SchematicTransferException("Schematic is not a valid schematic.");
+ }
+
 FLog.info(remoteAddress + " uploaded schematic: " + targetFile.getName());
 
 }
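Review bot: The added `ClipboardReader reader = format.getReader(new FileInputStream(targetFile));` never calls `reader.read()` and never closes the reader or the underlying stream, so as far as this hunk shows the schematic body is not parsed and a file handle is leaked on every upload. An open handle can also make the `FileUtils.deleteQuietly(targetFile)` in the new catch block fail silently on platforms that refuse to delete open files, leaving the rejected file in place. Use try-with-resources and parse inside it: `try (FileInputStream in = new FileInputStream(targetFile); ClipboardReader reader = format.getReader(in)) { reader.read(); }`. Note that the 1 MB limit earlier in the method is applied to the file as stored; if the format is compressed, a full parse can allocate considerably more, so confirm that cost is acceptable on the HTTPD thread. The enclosing try block and method extend beyond this hunk.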