[MC-190478] Commands that exceed chat length limit can still be executed in servers that have disabled command blocks

The Bug

Players can access commands longer than the chat character limit using custom signs. This can be used to execute long commands that can't normally be executed without the use of command blocks.

How to reproduce

Open a Creative world where you have operator permissions (it could be a brand new single player world, it doesn't matter).
Use a command block to give yourself a sign that executes a special command when clicked. To properly reproduce this bug, make sure that the command stored in the sign is one of the Examples included at the bottom of this report.
Save this pre-filled sign in a slot in one of your Saved Hotbars.
Join a server in which you have operator permissions and are in Creative mode.
Load in the Saved Hotbar.
Place the sign(s) down. They should have the same text as was programmed before.
Right click the sign.

Notice how the command that usually would not be accessible on a server with command blocks disabled could execute properly here.

Example commands

Example 1: Give yourself a custom player head (561 characters)

/give @p minecraft:oak_sign{BlockEntityTag:{Text1:'{"text":"Custom Head!","clickEvent":{"action":"run_command","value":"give @p minecraft:player_head{display:{Name:\\"{\\\\\\"text\\\\\\":\\\\\\"Exhausted Bee\\\\\\"}\\"},SkullOwner:{Id:\\"54087a9e-d70d-4fb4-9fe1-042ae7449847\\",Properties:{textures:[{Value:\\"eyJ0ZXh0dXJlcyI6eyJTS0lOIjp7InVybCI6Imh0dHA6Ly90ZXh0dXJlcy5taW5lY3JhZnQubmV0L3RleHR1cmUvNmNjOTM2Yjk0MTgwODcyNzY3MDA4ZTNjNDI3NTRjN2FjN2FjMzQ4ZDRlMjJlOTI0ODI3MzQ0ZWMyYTY2ZjJiNCJ9fX0=\\"}]}}} 1"},"italic":true}'},display:{Name:'{"text":"Custom Head!"}'}}

Example 2: Give yourself a sword with powerful enchantments (421 characters)

/give @p minecraft:oak_sign{BlockEntityTag:{Text1:'{"text":"Custom Sword!","clickEvent":{"action":"run_command","value":"give @s diamond_sword{Enchantments:[{id:sharpness,lvl:32767},{id:unbreaking,lvl:32767},{id:knockback,lvl:10},{id:fire_aspect,lvl:32767},{id:looting,lvl:10},{id:sweeping_edge,lvl:10},{id:mending,lvl:1},{id:bane_of_arthropods,lvl:32767}]} 1"},"italic":true}'},display:{Name:'{"text":"Custom Sword!"}'}}

Example 3: Spam chat with big bold underlined italicized red text (4050 characters)

/give @p minecraft:oak_sign{BlockEntityTag:{Text1:'{"text":"Tellraw @a!","clickEvent":{"action":"run_command","value":"tellraw @a {\\"text\\":\\"MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!MOJIRA!MC-190478!\\",\\"bold\\":true,\\"italic\\":true,\\"underlined\\":true,\\"color\\":\\"red\\",\\"clickEvent\\":{\\"action\\":\\"open_url\\",\\"value\\":\\"https://bugs.mojang.com/browse/MC-190478\\"}}"}}'},display:{Name:'{"text":"Tellraw @a"}'}}

Linked issues

relates to 2

MC-114692 Toolbar restore feature can be used to obtain unobtainable items Reopened

MC-200900 Every command executed from a sign-clickEvent requires operator-permissions Open

Comments 11

SlicedBlock 2020-06-19T00:41:23Z

This is Invalid

[Mod] markderickson 2020-06-19T00:42:20Z

What is invalid about it?

violine1101 2020-06-19T08:07:18Z

I don't understand what's the difference to MC-114692 is supposed to be, can you elaborate?

[Mod] markderickson 2020-06-19T15:40:41Z

Hi there!

Using command signs is different from MC-114692 because it actually allows players to access longer commands in servers that have command blocks disabled. This is because the chat command line has a limit to the characters, but command block limits are much longer, and the signs can contain commands that allow players who usually can't access these longer commands to do so.

MC-114692 only allows players to access specific items while this bug allows players to access commands that they usually wouldn't have access to.

galaxy_2alex 2020-06-22T11:46:29Z

Please provide the exact details of the sign you are using in your example, including how to spawn it in.

1 more comments

[Mod] markderickson 2020-06-22T14:04:34Z

Hi there!

This is an older version of the example commands. Please see the description for newer commands.

I have a few examples for this. The first example is more of a way that players can use to access different gamemodes in servers that aren't necessarily theirs. The second example is a give command, allowing players who don't have access to long commands to access them here. Example 2 relates more to MC-114692, but also allows for obtaining these special items even if the player is deopped at a later time.

Example 1:

Create a command sign with the command /gamemode creative, for example. The command to create this sign (from minecraft.tools) is in the command 1 area at the bottom of this comment.
Hide the sign away, underground for example, in a world download of something like a survival world spawn.
Post, submit, or share the world download to a website or person creating a server. If someone downloads and incorporates the world download into their server, you and anyone else who knows about the sign can click it and access creative mode.

Example 2:

Create a command sign to receive a custom player head or a 32k item (any command, these are just ones I have examples for). I've listed the commands to get these signs for each of these actions in the command area at the bottom of the page, Command 2 for the custom player head and Command 3 for a 32k item.
Run one or both of these commands in a creative world using command blocks. When you receive the sign(s), save them to a slot in one of your toolbars.
Join a server where you have operator permissions. Then, place the signs down. Even if this operator status is only temporary, you can still access and click these signs as much as you want even if you're deopped. Other people who know about the signs can also use these signs to access these features.

**EDIT: Apparently, the way that Jira formatted the commands made them not work anymore. I've replaced the broken commands with working commands.

Command 1:

/give @p minecraft:oak_sign{BlockEntityTag:{Text1:'{"text":"Creative","clickEvent":{"action":"run_command","value":"gamemode creative"},"italic":true}'},display:{Name:'{"text":"Creative Mode"}'}}

Command 2:

/give @p minecraft:oak_sign{BlockEntityTag:{Text1:'{"text":"Custom Head!","clickEvent":{"action":"run_command","value":"give @p minecraft:player_head{display:{Name:\\"{\\\\\\"text\\\\\\":\\\\\\"Exhausted Bee\\\\\\"}\\"},SkullOwner:{Id:\\"54087a9e-d70d-4fb4-9fe1-042ae7449847\\",Properties:{textures:[{Value:\\"eyJ0ZXh0dXJlcyI6eyJTS0lOIjp7InVybCI6Imh0dHA6Ly90ZXh0dXJlcy5taW5lY3JhZnQubmV0L3RleHR1cmUvNmNjOTM2Yjk0MTgwODcyNzY3MDA4ZTNjNDI3NTRjN2FjN2FjMzQ4ZDRlMjJlOTI0ODI3MzQ0ZWMyYTY2ZjJiNCJ9fX0=\\"}]}}} 1"},"italic":true}'},display:{Name:'{"text":"Custom Head!"}'}}

Command 3:

/give @p minecraft:oak_sign{BlockEntityTag:{Text1:'{"text":"Custom Sword!","clickEvent":{"action":"run_command","value":"give @s diamond_sword{Enchantments:[{id:sharpness,lvl:32767},{id:unbreaking,lvl:32767},{id:knockback,lvl:10},{id:fire_aspect,lvl:32767},{id:looting,lvl:10},{id:sweeping_edge,lvl:10},{id:mending,lvl:1},{id:bane_of_arthropods,lvl:32767}]} 1"},"italic":true}'},display:{Name:'{"text":"Custom Sword!"}'}}

If any of these commands don't work for you, simply add a comment saying so and I'll do my best to fix it.

Thanks!

[Mod] markderickson 2020-06-24T14:14:24Z

I think the fix for this bug is to add a line to the server.properties file that either allows or denies access to these command signs. Normally, I think it should be set to off, but if server owners would like to enable them, they could do so.

It should be a separate server.properties line than allowing command blocks.

marcono1234 2020-08-27T15:15:11Z

Could you please clean up this report a little bit, it appears you are reporting (including the comments) multiple bugs:

"Toolbars allows players to execute commands using custom signs and books" (the title)
Books are not as problematic as signs since they act like running the command from chat which limits the length of the command and checks that the executor has the correct rights. Therefore since your setup described above requires being OP in the first place I don't think that is an issue.
"Saved Hotbars (through signs) allowing longer commands than chat would allow" (description of this issue)
Not sure if that is really that problematic. There are for sure dangerous enough commands which can also directly be executed from chat. Also relying on the chat length limit for security is probably not a good idea and you should also only give OP to players you trust.
"Example 1" and "Example 2" above (for keeping signs around after being deopped) is not specific to Saved Hotbars (you could just directly use /setblock) and also affects command blocks the same way (assuming they are enabled).

[Mod] markderickson 2020-08-27T16:39:57Z

Hello!

The issue is about players being able to execute commands that are longer than chat limit on a server in which command blocks are disabled. These commands could usually require command blocks to run, but if they are disabled, players can still get around this limitation by saving a toolbar with a sign and then copying it over to a server/world. I'll change the title too, if you'd like. When I created the report, books were not included, but then Chandler modified it to include books.

I should've cleared up the part about saved toolbars. In the current state, I'm realizing that this report is probably a duplicate of MC-114692. What I meant to report was the fact that commands that are longer than chat limit length could be used in servers/worlds that did not allow command blocks. I'll change the description too.

Finally, please disregard example 1 from the comment (I'll remove it). Commands 2 and 3 are the ones that actually are specific to this report. I'll also fix up the examples for this change.

Thank you for the feedback! Let me know if the updated report is clearer (I'll start updating now). 🙂

marcono1234 2020-08-27T19:09:49Z

Thanks for these changes, the report is clearer now. I have made some minor edits mostly to use the term "Saved Hotbars" since that is what the game calls them.

uyp 2021-01-14T17:35:46Z

Does it matter that operators can exceed the chat limit?

Examples 1 and 2 can already be achieved by getting the items from the saved hotbar directly, or using /data modify to construct the items using multiple commands, e.g.

data modify block ~ ~ ~ Items[].tag.Enchantments append value {id:sharpness,lvl:32767}

to add an arbitrary amount of nbt tags.

Spamming the chat can be done by /execute as @e as @e run tellraw <...>

If anything, shortening the command limit for signs would just make it annoying for mapmakers to use them.

This issue is rather about the ability to execute op-level-2 commands, after being deopped, or after having access to the world files.