SRTeam / SkinsRestorer
Ability to restore/change skins on servers! (Offline and Online Mode)

13.8.8

Release

SRTeam released this version on Jan 30, 2021

7.6 MB
Download

We are releasing version 13.8.8 after reading your reviews. We are sorry for the inconveniences that the last update has brought to you. As such:

  • We have added an option to the configuration file so that you can customize the list of allowed URLs to use:
# List of allowed direct image hosting URLs to be used in /skin set <url>
# Note that it cannot be empty (otherwise it will use the default values) nor be an '*' (asterisk).
AllowedUrls:
  - https://i.imgur.com
  - http://i.imgur.com
  - https://storage.googleapis.com
  - http://storage.googleapis.com
  - https://cdn.discordapp.com
  - http://cdn.discordapp.com
  - https://textures.minecraft.net
  - http://textures.minecraft.net

To get this option, you can either delete the config.yml file, and let it regenerate automatically, or paste this text at the very top of your file. If you are unsure of what to do, we recommend regenerating the configuration.

We have also changed the messages.yml file so that it has a clearer error message if the link is not allowed, so please let it regenerate too.

Other changes:

  • Velocity: fix (quite lengthy) error on non-premium player login;
  • Sponge: Build against latest recommended version of Sponge API (7.3.0);
  • Removed leftover config.conf from the plugin’s JAR file (it was never used anyway);
  • The check for the URL validity was rewritten for better performance.

We feel we should explain the “IP leak exploit” a bit better:

SkinsRestorer has to check if the image at the URL that is sent through the command is a Steve or an Alex skin, before sending it to the API we use to sign the skin, so the game accepts it. This means that, if you use an image host that tracks the IPs of those who accessed the URL and displays them to the uploader, you could end up having your backend server’s IP exposed. This is why we have created a list of allowed URLs; in this way, players can only use hosts that are safe to the server.

We hadn’t added a config option for this before the release of version 13.8.7, so some of you expressed their displease about this. Once again, we are sorry for the inconvenience, and we hope this update helps you to provide a better experience for your players.

If nothing goes critically wrong, this should be the last 13.x update. The next update will be 14.0.0, with many changes to the plugin, hopefully to the taste of you all!

Thank you for sticking with us for so long!

- Logics4 and the SRTeam

Dependencies