Description
Type of bug
Exploit
/ess dump all output
https://essentialsx.net/dump.html?id=a37828c4cf6946daa5103059ff358ae6
Error log (if applicable)
No response
Bug description
When a playerX accepts a tpa request /tpaccept, if playerX has multiple requests, the first request is accepted rather than the latest (expected behaviour). Players are using this to maliciously spam a few requests out and hope the requested players get a second request from some trusted player and accept. (which would then accept their request).
A temporary sort of bandaid fix for my case is to set tpa-accept-cancellation to 5 rather then our usual 60. Shortening this window allows for less abuse.
I should note that if playerX has 2 requests and the first times out and the second is still live, when the playerX accepts, the first message they receive is that the first players request has timed out followed by a message indicating they accepted the second players request; the tpa of the second player goes through.
Steps to reproduce
PlayerX, PlayerY, PlayerZ
- PlayerY executes
/tpa PlayerX - PlayerZ executes
/tpa PlayerX
Both requests should not be timed out so settpa-accept-cancellationaccordingly - PlayerX executes
/tpaccept
Expected behaviour
PlayerZ's request should be granted.
Actual behaviour
PlayerY's request is granted
Activity
Fix teleport request queue being reversed order (#4755)