Username not omitted from JVM flags exposing Linux home folder prior to uploading.
Ampflower opened this issue · 0 comments
Description
The home folder is exposed in the resulting dump when viewing the JVM flags on spark.lucko.me, exposing the username in the process.
Reproduction Steps
- Launch the client (or a server with a dummy flag set.)
- If it matters, PrismLauncher.
- Use /sparkc profiler start (or /spark profiler start in singleplayer)
- Open the dump and navigate to JVM Flags.
Expected Behaviour
For any usernames to not be shown, i.e. for example, you'd get -Xms512m -Xmx4096m -Duser.language=en -Djava.library.path=$HOME/.local/share/PrismLauncher/instances/1.21/natives for JVM flags.
Platform Information
- Minecraft Version: 1.21
- Platform Type: Client
- Platform Brand: Fabric
- Platform Version: Fabric 0.15.11
- Launcher: Prism Launcher 8.3
Spark Version
v1.10.73
Logs and Configs
No response
Extra Details
I am using Linux, but with a quick test, it appears that C:\Users\Username and /Users/Username for Windows and MacOS aren't properly omitted/replaced as well. I don't have easy access to either to know if it would still not be omitted properly otherwise.
It'd be best for it to be omitted before ever uploading, although the backend should ideally also scrub for older Spark clients, not allowing any download to have the exposed path.
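
A sketch of the kind of pre-upload scrub this issue asks for, added here as an example; it is not part of the original issue and not spark's code. The class `JvmFlagRedactor`, its methods and the sample arguments are hypothetical, and it assumes the flags arrive as a list of separate arguments (as `RuntimeMXBean.getInputArguments()` returns them) so that usernames containing spaces can be handled.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Added illustration; JvmFlagRedactor is a hypothetical class, not spark code.
public final class JvmFlagRedactor {
    private static final String PLACEHOLDER = "$HOME";

    // /home/<user>, /Users/<user> or <drive>:\Users\<user> (either slash).
    // The lookbehind skips paths that merely contain such a segment
    // (e.g. /opt/home/x). Spaces are allowed in <user> because each JVM
    // argument is redacted on its own rather than as one joined string.
    private static final Pattern HOME_PREFIX = Pattern.compile(
            "(?<![\\w.-])(?:/home/|/Users/|[A-Za-z]:[\\\\/]Users[\\\\/])[^\\\\/:;\"']+");

    static String redact(String arg, String userHome) {
        // Exact match first: covers non-standard homes such as /srv/mc or /root.
        if (userHome != null && userHome.length() > 1) {
            arg = arg.replace(userHome, PLACEHOLDER);
        }
        // quoteReplacement is required: a bare "$HOME" would be parsed as a
        // group reference and throw.
        return HOME_PREFIX.matcher(arg).replaceAll(Matcher.quoteReplacement(PLACEHOLDER));
    }

    static List<String> redactAll(List<String> args, String userHome) {
        return args.stream().map(a -> redact(a, userHome)).collect(Collectors.toList());
    }

    public static void main(String[] unused) {
        // Constructed sample arguments; "alice" and "Bob Smith" are made up.
        List<String> sample = List.of(
                "-Xmx4096m",
                "-Djava.library.path=/home/alice/.local/share/PrismLauncher/instances/1.21/natives",
                "-cp=/Users/alice/a.jar:/Users/alice/b.jar",
                "-Dlog.dir=C:\\Users\\Bob Smith\\AppData\\Roaming\\.minecraft",
                "-Ddata=/opt/home/shared");
        // In a real client the second argument would be System.getProperty("user.home").
        redactAll(sample, "/home/alice").forEach(System.out::println);
    }
}
```

The same pattern could be applied server-side to dumps from older clients, where the uploader's `user.home` is unknown and only the path-shape match is available.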