Uploaded image for project: 'Minecraft: Java Edition'
  1. Minecraft: Java Edition
  2. MC-240534

Clicking a JFR link copies full server-side path to clipboard


    • Icon: Bug Bug
    • Resolution: Fixed
    • 1.18 Pre-release 1
    • 21w44a
    • None
    • Confirmed
    • Commands, Dedicated Server
    • Very Important

      Discovered while testing MC-240502.

      The bug

      Stopping a JFR report and clicking the link sent in the chat copies the path of the JFR report to the clipboard. However, this is copied when connected to an external server, exposing the full path of the server to anyone with the ability to run the /jfr stop command.

      For testing, I set up a Minecraft server on an Ubuntu server, and when clicking the link sent in the chat after stopping the jfr profiling (on another device, just to make sure this was an issue), the following was copied to the clipboard:


      This is full path and could potentially expose usernames or other personal information.

      How to reproduce

      1. Create a server
      2. Connect to the server
      3. Run /jfr start
      4. Run /jfr stop
      5. Click the link in the chat to copy the path to your clipboard
      6. Paste the link somewhere so that you can view it
        The full path of the server is visible

      Observed behavior

      The full path to the server is copied to the clipboard, even though the server is hosted from a different machine.

      Expected behavior

      The full path of the server would not be copied to the clipboard, and instead the /jfr stop command would not provide a link at all if the report was created on a server.

            billy.sjoberg [Mojang] Billy Sjöberg
            markderickson [Mod] markderickson
            2 Vote for this issue
            4 Start watching this issue