Commands, Dedicated Server
Discovered while testing
Stopping a JFR report and clicking the link sent in the chat copies the path of the JFR report to the clipboard. However, this is copied when connected to an external server, exposing the full path of the server to anyone with the ability to run the /jfr stop command.
For testing, I set up a Minecraft server on an Ubuntu server, and when clicking the link sent in the chat after stopping the jfr profiling (on another device, just to make sure this was an issue), the following was copied to the clipboard:
This is the full path and could potentially expose usernames or other personal information.
- Create a server
- Connect to the server
- Run /jfr start
- Run /jfr stop
- Click the link in the chat to copy the path to your clipboard
- Paste the link somewhere so that you can view it
The full path of the server is visible
The full path to the server is copied to the clipboard, even though the server is hosted from a different machine.
The full path of the server would not be copied to the clipboard, and instead the /jfr stop command would not provide a link at all if the report was created on a server.
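One way a server could decide what, if anything, a client may copy after /jfr stop, as an added sketch in plain Java (not Minecraft's code; the class, method and sample paths are hypothetical and constructed). It goes slightly beyond the expected result above by offering a server-relative path when the report lies inside the server directory, and nothing otherwise.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

// Added illustration only. All names are hypothetical, not Minecraft APIs.
public class JfrReportMessage {

    /**
     * Returns the text a client may copy to its clipboard, or empty when
     * no copyable value should be sent at all.
     */
    static Optional<String> clipboardValue(Path report, Path serverRoot,
                                           boolean dedicatedServer) {
        Path absReport = report.toAbsolutePath().normalize();

        if (!dedicatedServer) {
            // Integrated (singleplayer) server: the player owns the machine,
            // so the absolute path discloses nothing new.
            return Optional.of(absReport.toString());
        }

        Path absRoot = serverRoot.toAbsolutePath().normalize();
        if (absReport.startsWith(absRoot)) {
            // Relative to the server directory: tells an operator where the
            // file is without revealing home directories or usernames above it.
            return Optional.of(absRoot.relativize(absReport).toString());
        }

        // Report written outside the server directory: any path would leak
        // host layout, so offer no link.
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the report.
        Path root = Paths.get("/home/exampleuser/mc-server");
        Path report = root.resolve("debug/sample-report.jfr");

        System.out.println(clipboardValue(report, root, false)); // absolute path
        System.out.println(clipboardValue(report, root, true));  // debug/sample-report.jfr
        System.out.println(clipboardValue(Paths.get("/tmp/other.jfr"), root, true)); // Optional.empty
    }
}
```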