spark


Username not omitted from JVM flags exposing Linux home folder prior to uploading.

Ampflower opened this issue · 0 comments


Description

The home folder is exposed in the resulting dump when viewing the JVM flags on spark.lucko.me, exposing the username in the process.

Reproduction Steps

  • Launch the client (or a server with a dummy flag set).
    • If it matters, PrismLauncher.
  • Use /sparkc profiler start (or /spark profiler start in singleplayer)
  • Open the dump and navigate to JVM Flags.

Expected Behaviour

For usernames not to be shown; for example, you'd get -Xms512m -Xmx4096m -Duser.language=en -Djava.library.path=$HOME/.local/share/PrismLauncher/instances/1.21/natives for JVM flags.

Platform Information

  • Minecraft Version: 1.21
  • Platform Type: Client
  • Platform Brand: Fabric
  • Platform Version: Fabric 0.15.11
  • Launcher: Prism Launcher 8.3

Spark Version

v1.10.73

Logs and Configs

No response

Extra Details

I am using Linux, but with a quick test, it appears that C:\Users\Username and /Users/Username for Windows and macOS aren't properly omitted/replaced either. I don't have easy access to either platform to know whether it would still not be omitted properly otherwise.

It'd be best for it to be omitted before ever uploading, although the backend should ideally also scrub for older Spark clients, not allowing any download to have the exposed path.
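Added example, not code from spark or from the issue author: a scrubber that replaces the home directory (and so the username) in JVM input arguments before they are uploaded, and that also applies generic Linux, macOS and Windows home-directory patterns so a backend could clean dumps from clients that did not scrub. The class name, the placeholders `$HOME`/`%USERPROFILE%`, the regular expressions and the sample flags are all assumptions made for this example.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not spark's own code): strip the user's home directory, and
 * with it the username, out of JVM flags before they leave the machine.
 * The same generic patterns can be run server-side over dumps from older
 * clients where the real home directory is unknown.
 */
public final class JvmFlagScrubber {

    // Generic home-directory patterns (assumed layouts) for Linux, macOS and
    // Windows. The username part stops at path, classpath and quote separators.
    private static final Pattern LINUX_HOME = Pattern.compile("/home/[^/\\s:;\"]+");
    private static final Pattern MAC_HOME = Pattern.compile("/Users/[^/\\s:;\"]+");
    private static final Pattern WIN_HOME =
            Pattern.compile("(?i)[A-Z]:\\\\Users\\\\[^\\\\/\\s;\"]+");

    private JvmFlagScrubber() {}

    /**
     * Scrubs one flag. userHome is the client's user.home system property, or
     * null when cleaning a dump after the fact (backend use).
     */
    public static String scrub(String flag, String userHome) {
        String out = flag;
        // Exact match first: this also covers non-standard home locations
        // (e.g. a service account under /var/lib) the generic patterns miss.
        if (userHome != null && !userHome.isEmpty()) {
            out = out.replace(userHome, placeholderFor(userHome));
        }
        // Generic patterns as a fallback; quoteReplacement keeps "$HOME" literal.
        out = LINUX_HOME.matcher(out).replaceAll(Matcher.quoteReplacement("$HOME"));
        out = MAC_HOME.matcher(out).replaceAll(Matcher.quoteReplacement("$HOME"));
        out = WIN_HOME.matcher(out).replaceAll(Matcher.quoteReplacement("%USERPROFILE%"));
        return out;
    }

    // Windows home directories contain backslashes; everything else is POSIX-like.
    private static String placeholderFor(String userHome) {
        return userHome.indexOf('\\') >= 0 ? "%USERPROFILE%" : "$HOME";
    }

    public static List<String> scrubAll(List<String> flags, String userHome) {
        List<String> out = new ArrayList<>(flags.size());
        for (String flag : flags) {
            out.add(scrub(flag, userHome));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample flags modelled on the report; not real dump data.
        List<String> sample = List.of(
                "-Xms512m",
                "-Djava.library.path=/home/alice/.local/share/PrismLauncher/instances/1.21/natives",
                "-Djava.library.path=/Users/alice/Library/Application Support/PrismLauncher/natives",
                "-Djava.library.path=C:\\Users\\alice\\AppData\\Roaming\\PrismLauncher\\natives");
        for (String flag : scrubAll(sample, "/home/alice")) {
            System.out.println(flag);
        }

        // On a real client the flags come from the runtime MXBean, and the
        // exact home directory is available from the user.home property.
        List<String> real = ManagementFactory.getRuntimeMXBean().getInputArguments();
        System.out.println(scrubAll(real, System.getProperty("user.home")));
    }
}
```

The exact `user.home` replacement runs before the generic patterns so that unusual home locations are still caught on the client; the generic patterns exist for the backend case the report raises, where older clients have already uploaded unscrubbed flags and the real home directory is not known.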