Tighten Security #14

Open
ToruiDev opened this issue Oct 14, 2021 · 4 comments
Labels: help wanted (Extra attention is needed), question (Further information is requested)

Comments

@ToruiDev (Collaborator)

While talking with @Ekwav we came up with a couple of security enhancements.

So this is an RFC for how to further improve security:

1.) Execute:
Currently, even though unused, there is the ability for the server to execute any command as the player while connected.
To mitigate this security nightmare it could be completely blocked off from the server, even though #1 requested it.
A (maybe) better way might be to have a white/blacklist of commands.
e.g. blacklist:

  • op
  • deop
  • kick
  • kill
  • pm
  • say

2.) Every message written to the chat that has an "onClick" should list in its "hover" the command about to be executed.

Any other ideas or comments on this?

@ToruiDev ToruiDev added help wanted Extra attention is needed question Further information is requested labels Oct 14, 2021
@Ekwav (Member) commented Oct 16, 2021

1.)
I prefer blacklisting "bad" commands; while this leaves it somewhat vulnerable, it doesn't require a mod update if a new useful command gets implemented.
2.)
Only that I would like that to be toggleable so a normal, non-security-geek user doesn't get overwhelmed by too much text.

@ToruiDev (Collaborator, Author)

1.) That seems reasonable, but it would require an extensive blacklist, which I'm not in the loop enough to create outside of vanilla commands.

2.) Seems reasonable.
I could add a settings file which allows you to toggle this behaviour.
Perhaps also with a command like /cofl[_settings] showCommands (true|false)?
Would there be other mod specific settings worth implementing?
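An added worked example of the design the thread settles on up to this point: a blacklist of command names that the server may not run as the player, plus a hover text that reveals the command behind a clickable chat message and can be toggled off for non-technical users. This is not the mod's code and was not posted by anyone in the thread; the class and method names, the handling of a `minecraft:` namespace prefix, and the sample inputs are assumptions made for the illustration. It uses no Minecraft API, so it compiles with a plain JDK 8 or newer. The last sample input shows the gap Ekwav acknowledges: a name-only blacklist does not see a blocked command that is wrapped inside another command such as `/execute`.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Illustration only (not the mod's code): decides whether a server-supplied command may be
 * executed as the player, and builds the hover text for clickable chat messages.
 */
public final class ServerCommandPolicy {

    // The six entries proposed in the issue. Names are compared case-insensitively after the
    // leading slash, surrounding whitespace and any "namespace:" prefix have been removed.
    private static final Set<String> BLOCKED = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList("op", "deop", "kick", "kill", "pm", "say")));

    // The toggle Ekwav asked for: when false, hovers do not show the command text.
    private boolean showCommands = true;

    public void setShowCommands(boolean value) {
        showCommands = value;
    }

    /**
     * Reduces a raw command string to its bare command name, so that " /OP Steve",
     * "/op<TAB>Steve" and "minecraft:op Steve" all become "op". Without this step the
     * blacklist is bypassed by changing case, adding whitespace or using the namespaced alias
     * (the namespace handling is an assumption of this example).
     */
    static String commandName(String raw) {
        String s = raw.trim();
        if (s.startsWith("/")) {
            s = s.substring(1).trim();
        }
        String first = s.split("\\s+", 2)[0];      // first token only
        int colon = first.indexOf(':');
        if (colon >= 0) {
            first = first.substring(colon + 1);   // "minecraft:op" -> "op"
        }
        return first.toLowerCase(Locale.ROOT);
    }

    /** False for blacklisted commands and for input that carries no command name at all. */
    public boolean isAllowed(String raw) {
        String name = commandName(raw);
        return !name.isEmpty() && !BLOCKED.contains(name);
    }

    /** Hover text for a clickable message: the command is appended only while the toggle is on. */
    public String hoverText(String description, String command) {
        return showCommands ? description + "\nRuns: " + command : description;
    }

    public static void main(String[] args) {
        ServerCommandPolicy policy = new ServerCommandPolicy();
        // Constructed sample inputs: two bypass attempts the normalisation catches, one empty
        // input, and one wrapped command that a name-only blacklist cannot catch.
        String[] samples = {
            "/cofl help",
            " /OP Steve",
            "minecraft:deop Steve",
            "/say hello",
            "/kill @a",
            "",
            "/execute as @p run op @p"
        };
        for (String s : samples) {
            System.out.printf("%-30s -> %s%n", "\"" + s + "\"",
                    policy.isAllowed(s) ? "allowed" : "BLOCKED");
        }
        System.out.println(policy.hoverText("Open the flipper menu", "/cofl flip"));
        policy.setShowCommands(false);
        System.out.println(policy.hoverText("Open the flipper menu", "/cofl flip"));
    }
}
```

Compile and run with `javac ServerCommandPolicy.java && java ServerCommandPolicy`. In a mod, `isAllowed` would sit on the client between receiving the server's command and handing it to the command handler; anything the blacklist lets through, such as the `/execute` wrapper above, is exactly the residual risk a blacklist accepts in exchange for not needing a mod update when new commands appear.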

@matthias-luger (Contributor)

sounds good

@abhithedev200 (Contributor)

Instead of making a whitelist etc., we could warn a user if they are not connecting to the official cofl endpoints, hm?

@Flou21 Flou21 removed their assignment Oct 31, 2024
5 participants