Uploaded image for project: 'Minecraft: Java Edition'
  1. Minecraft: Java Edition
  2. MC-240534

Clicking a JFR link copies full server-side path to clipboard

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • 1.18 Pre-release 1
    • 21w44a
    • None
    • Confirmed
    • Commands, Dedicated Server
    • Very Important

    Description

      Discovered while testing MC-240502.

      The bug

      Stopping a JFR report and clicking the link sent in the chat copies the path of the JFR report to the clipboard. However, this is copied when connected to an external server, exposing the full path of the server to anyone with the ability to run the /jfr stop command.

      For testing, I set up a Minecraft server on an Ubuntu server, and when clicking the link sent in the chat after stopping the jfr profiling (on another device, just to make sure this was an issue), the following was copied to the clipboard:

      /home/ubuntu/mcservers/21w44a/debug/server-2021-11-03-214926.jfr

      This is full path and could potentially expose usernames or other personal information.

      How to reproduce

      1. Create a server
      2. Connect to the server
      3. Run /jfr start
      4. Run /jfr stop
      5. Click the link in the chat to copy the path to your clipboard
      6. Paste the link somewhere so that you can view it
        The full path of the server is visible

      Observed behavior

      The full path to the server is copied to the clipboard, even though the server is hosted from a different machine.

      Expected behavior

      The full path of the server would not be copied to the clipboard, and instead the /jfr stop command would not provide a link at all if the report was created on a server.

      Attachments

        Issue Links

          Activity

            People

              billy.sjoberg [Mojang] Billy Sjöberg
              markderickson [Mod] markderickson
              Votes:
              2 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                CHK: