Fix exploit

Redo config handler and add authentication.

Author: YoFuzzy3

CommandSyncClient/src/com/fuzzoland/CommandSyncClient/CSC.java

@@ -20,11 +20,13 @@ public class CSC extends JavaPlugin{
 	public List<String> oq = Collections.synchronizedList(new ArrayList<String>());
 	public Integer qc = 0;
 	public String spacer = "@#@";
+	public String user;
+	public String pass;
 
 	public void onEnable(){
 		String[] data = loadConfig();
-		if(data[3].equals("UNSET")){
-			System.out.println("[CommandSync] !!! YOU MUST SET THE SERVER'S NAME IN THE CONFIG BEFORE THE PLUGIN WILL WORK FOR THIS SERVER !!!");
+		if(data[3].equals("UNSET") || data[4].equals("UNSET") || data[5].equals("UNSET")){
+			System.out.println("[CommandSync] !!! THE CONFIG FILE CONTAINS UNSET VALUES - YOU MUST FIX THEM BEFORE THE PLUGIN WILL WORK !!! ");
 			return;
 		}
 		try{
@@ -33,6 +35,8 @@ public void onEnable(){
 		}catch(Exception e){
 			e.printStackTrace();
 		}
+		user = data[4];
+		pass = data[5];
 		loadData();
 		getCommand("Sync").setExecutor(new CommandSynchronize(this));
 	}
@@ -42,33 +46,29 @@ public void onDisable(){
 	}
 
 	private String[] loadConfig(){
-		String[] data = new String[4];
+		String[] defaults = new String[]{
+			"ip=localhost", "port=9190", "heartbeat=1000", "name=UNSET", "user=UNSET", "pass=UNSET"
+		};
+		String[] data = new String[defaults.length];
 		try{
-			File file = getDataFolder();
+			File file = new File(getDataFolder(), "config.txt");
 			if(!file.exists()){
-				file.mkdirs();
-				OutputStream os = new FileOutputStream(file + "/config.txt");
-				PrintStream ps = new PrintStream(os);
-				ps.println("ip=localhost");
-				ps.println("port=9190");
-				ps.println("heartbeat=1000");
-				ps.println("name=UNSET");
-				ps.close();
-				System.out.println("[CommandSync] New configuration file created.");
+				file.createNewFile();
 			}
-			BufferedReader br = new BufferedReader(new FileReader(file + "/config.txt"));
-			try{
+			PrintStream ps = new PrintStream(new FileOutputStream(file));
+			BufferedReader br = new BufferedReader(new FileReader(file));
+			for(int i = 0; i < defaults.length; i++){
 				String l = br.readLine();
-				Integer i = 0;
-				while(l != null){
+				if(l == null){
+					ps.println(defaults[i]);
+					data[i] = defaults[i].split("=")[1];
+				}else{
 					data[i] = l.split("=")[1];
-					i++;
-					l = br.readLine();
 				}
-				System.out.println("[CommandSync] Configuration file loaded.");
-			}finally{
-				br.close();
 			}
+			ps.close();
+			br.close();
+			System.out.println("[CommandSync] Configuration file loaded.");
 		}catch(IOException e){
 			e.printStackTrace();
 		}

CommandSyncClient/src/com/fuzzoland/CommandSyncClient/ClientThread.java

@@ -27,7 +27,7 @@ public ClientThread(CSC plugin, InetAddress ip, Integer port, Integer heartbeat,
 		this.port = port;
 		this.heartbeat = heartbeat;
 		this.name = name;
-		connect();
+		connect(false);
 	}
 
 	public void run(){
@@ -67,7 +67,7 @@ public void run(){
 					}					
 				}
 			}else{
-				connect();
+				connect(true);
 			}
 			try{
 				sleep(heartbeat);
@@ -77,14 +77,31 @@ public void run(){
 		}
 	}
 
-	private void connect(){
+	private void connect(Boolean sleep){
+		if(sleep){
+			try{
+				sleep(10000);
+			}catch(InterruptedException e){
+				e.printStackTrace();
+			}
+		}
 		try{
-			this.socket = new Socket(ip, port);
-			this.out = new PrintWriter(socket.getOutputStream(), true);
-			this.in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
-			this.connected = true;
+			socket = new Socket(ip, port);
+			out = new PrintWriter(socket.getOutputStream(), true);
+			in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
+			out.println(plugin.user);
+			out.println(plugin.pass);
+			if(in.readLine().equals("n")){
+				System.out.println("[CommandSync] Sent invalid username or password.");
+				return;
+			}
 			out.println(name);
-			System.out.println("[CommandSync] Connected to " + ip.getHostName() + ":" + String.valueOf(port) + ".");
+			if(in.readLine().equals("n")){
+				System.out.println("[CommandSync] Sent a name that is already connected.");
+				return;
+			}
+			connected = true;
+			System.out.println("[CommandSync] Connected to " + ip.getHostName() + ":" + String.valueOf(port) + " under name " + name + ".");
 		}catch(IOException e){
 			System.out.println("[CommandSync] Could not connect to the server.");
 		}

CommandSyncServer/src/com/fuzzoland/CommandSyncServer/CSS.java

@@ -13,9 +13,11 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Set;
 
 import com.fuzzoland.CommandSyncServer.Metrics.Graph;
 
@@ -24,20 +26,29 @@
 public class CSS extends Plugin{
 
 	public ServerSocket server;
+	public Set<String> c = Collections.synchronizedSet(new HashSet<String>());
 	public List<String> oq = Collections.synchronizedList(new ArrayList<String>());
 	public Map<String, List<String>> pq = Collections.synchronizedMap(new HashMap<String, List<String>>());
 	public Map<String, Integer> qc = Collections.synchronizedMap(new HashMap<String, Integer>());
 	public String spacer = "@#@";
+	public String user;
+	public String pass;
 
 	public void onEnable(){
 		String[] data = loadConfig();
+		if(data[3].equals("UNSET") || data[4].equals("UNSET")){
+			System.out.println("[CommandSync] !!! THE CONFIG FILE CONTAINS UNSET VALUES - YOU MUST FIX THEM BEFORE THE PLUGIN WILL WORK !!! ");
+			return;
+		}
 		try{
 			server = new ServerSocket(Integer.parseInt(data[1]), 50, InetAddress.getByName(data[0]));
 			System.out.println("[CommandSync] Opened server on " + data[0] + ":" + data[1] + ".");
 			new ClientListener(this, Integer.parseInt(data[2])).start();
 		}catch(Exception e){
 			e.printStackTrace();
 		}
+		user = data[3];
+		pass = data[4];
 		loadData();
 		try{
 		    Metrics metrics = new Metrics(this);
@@ -71,32 +82,29 @@ public void onDisable(){
 	}
 
 	private String[] loadConfig(){
-		String[] data = new String[3];
+		String[] defaults = new String[]{
+			"ip=localhost", "port=9190", "heartbeat=1000", "user=UNSET", "pass=UNSET"
+		};
+		String[] data = new String[defaults.length];
 		try{
-			File file = getDataFolder();
+			File file = new File(getDataFolder(), "config.txt");
 			if(!file.exists()){
-				file.mkdirs();
-				OutputStream os = new FileOutputStream(file + "/config.txt");
-				PrintStream ps = new PrintStream(os);
-				ps.println("ip=localhost");
-				ps.println("port=9190");
-				ps.println("heartbeat=1000");
-				ps.close();
-				System.out.println("[CommandSync] New configuration file created.");
+				file.createNewFile();
 			}
-			BufferedReader br = new BufferedReader(new FileReader(file + "/config.txt"));
-			try{
+			PrintStream ps = new PrintStream(new FileOutputStream(file));
+			BufferedReader br = new BufferedReader(new FileReader(file));
+			for(int i = 0; i < defaults.length; i++){
 				String l = br.readLine();
-				Integer i = 0;
-				while(l != null){
+				if(l == null){
+					ps.println(defaults[i]);
+					data[i] = defaults[i].split("=")[1];
+				}else{
 					data[i] = l.split("=")[1];
-					i++;
-					l = br.readLine();
 				}
-				System.out.println("[CommandSync] Configuration file loaded.");
-			}finally{
-				br.close();
 			}
+			ps.close();
+			br.close();
+			System.out.println("[CommandSync] Configuration file loaded.");
 		}catch(IOException e){
 			e.printStackTrace();
 		}

CommandSyncServer/src/com/fuzzoland/CommandSyncServer/ClientHandler.java

@@ -23,14 +23,32 @@ public class ClientHandler extends Thread{
 	public ClientHandler(CSS plugin, Socket socket, Integer heartbeat) throws IOException{
 		this.plugin = plugin;
 		this.socket = socket;
-		this.out = new PrintWriter(socket.getOutputStream(), true);
-		this.in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
 		this.heartbeat = heartbeat;
-		this.name = in.readLine();
+		out = new PrintWriter(socket.getOutputStream(), true);
+		in = new BufferedReader(new InputStreamReader(socket.getInputStream()));
+		System.out.println("[CommandSync] Received new connection from " + socket.getInetAddress().getHostName() + ":" + socket.getPort() + ".");
+		String user = in.readLine();
+		String pass = in.readLine();
+		if(!user.equals(plugin.user) || !pass.equals(plugin.pass)){
+			System.out.println("[" + socket.getInetAddress().getHostName() + ":" + socket.getPort() + "] [" + name + "] Provided invalid username or password.");
+			out.println("n");
+			socket.close();
+			return;
+		}
+		out.println("y");
+		name = in.readLine();
+		if(plugin.c.contains(name)){
+			System.out.println("[" + socket.getInetAddress().getHostName() + ":" + socket.getPort() + "] [" + name + "] Provided a name that is already connected.");
+			out.println("n");
+			socket.close();
+			return;
+		}
+		out.println("y");
 		if(!plugin.qc.containsKey(name)){
 			plugin.qc.put(name, 0);
 		}
-		System.out.println("[CommandSync] Received new connection from " + socket.getInetAddress().getHostName() + ":" + socket.getPort() + " under name " + name + ".");
+		plugin.c.add(name);
+		System.out.println("[CommandSync] Connection from " + socket.getInetAddress().getHostName() + ":" + socket.getPort() + " under name " + name + " has been authorised.");
 	}
 
 	public void run(){
@@ -39,6 +57,7 @@ public void run(){
 				out.println("heartbeat");
 				if(out.checkError()){
 					System.out.println("[CommandSync] Connection from " + socket.getInetAddress().getHostName() + ":" + socket.getPort() + " under name " + name + " has disconnected.");
+					plugin.c.remove(name);
 					return;
 				}
 				while(in.ready()){
@@ -106,9 +125,8 @@ public void run(){
 					plugin.qc.put(name, count);
 				}
 				sleep(heartbeat);
-			}catch(IOException e){
-				e.printStackTrace();
-			}catch(InterruptedException e){
+			}catch(Exception e){
+				plugin.c.remove(name);
 				e.printStackTrace();
 			}
 		}