Add an option to return completely empty "players":[] lists in (Internal/JsonFile)ClientUpdateComponent

Question

Add an option to return completely empty "players":[] lists in (Internal/JsonFile)ClientUpdateComponent

molor opened this issue 3 years ago · 5 comments

Hello. In our map, we are hidden the player list completely by removing handlers from JS. But the list is still can be accessed anyway via making a custom request to the [internal] web server, and that server every time responds with a JSON that contains ..., "players": [{..., "account": "Player name"}, ...] list so every player can see full list of connected players (vanished too).

I think that this is a security/privacy issue and it should be fixed

molor · Answer 1 · 2021-12-01T16:36:54.000Z

Still an issue :/

generrosity · Answer 2 · 2021-12-02T03:44:35.000Z

Interesting - I hope your players aren't abusing this ... are you running a compeditive server? So the setting only influences if the users are displayed on the internal web server default frontweb, rather than blocking the API requests.

I don't know how other front ends would handle it if this was to change, but it does sound reasonable. Or, being added to a settings area somewhere outside of the internal web server settings to change the API response.

If nothing else, when that custom request is issued, it checks the flag for the setting, and responds with a "501 Not Implimented"? Nice

FYI - 1.18 has just been released, so there is focus for the one dev over the last months with the RC to get these working (and the chunk format changes and the changes in the various mod systems).

molor · Answer 3 · 2021-12-03T09:58:18.000Z

are you running a compeditive server

Don't understand what is this, if external server like Apache — no, I'm using internal dynmap's Netty. And I don't know, are my players abusing this or not, but I got this report from one of players :c

responds with a "501 Not Implimented"?

Why just respond with empty [] like in issue title, I don't think that there maybe problems. I'm currently hidden the player list anyway from web GUI, so at least for me it's not a problem..

generrosity · Answer 4 · 2021-12-04T12:26:22.000Z

Looking in the config - you could have a empty 'whitelist' of users. An empty list would then return that [ ] empty list?

molor · Answer 5 · 2021-12-04T13:06:49.000Z

Hmm, I was set it to false and now it's return an empty list, exactly what I'm needed... so I'm wasted two months instead of.. but I don't have hiddenplayers.txt file inside dynmap folder and that's why I didn't know about this /:

Anyway, thanks @generrosity, I think that now this issue can be closed

Share to