Description
The home folder is exposed in the resulting dump when viewing the JVM flags on spark.lucko.me, exposing the username in the process.
Reproduction Steps
Launch the client (or a server with a dummy flag set.)
If it matters, PrismLauncher.
Use /sparkc profiler start (or /spark profiler start in singleplayer)
Open the dump and navigate to JVM Flags.
Expected Behaviour
For any usernames to not be shown, i.e. for example, you'd get -Xms512m -Xmx4096m -Duser.language=en -Djava.library.path=$HOME/.local/share/PrismLauncher/instances/1.21/natives for JVM flags.
Platform Information
Minecraft Version: 1.21
Platform Type: Client
Platform Brand: Fabric
Platform Version: Fabric 0.15.11
Launcher: Prism Launcher 8.3
Spark Version
v1.10.73
Logs and Configs
No response
Extra Details
I am using Linux, but with a quick test, it appears that C:\Users\Username and /Users/Username for Windows and macOS aren't properly omitted/replaced as well. I don't have easy access to either to know if it would still not be omitted properly otherwise.
It'd be best for it to be omitted before ever uploading, although the backend should ideally also scrub for older Spark clients, not allowing any download to have the exposed path.
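A client-side scrub of the kind requested above, applied to each JVM flag before upload, could look like this. It is an added example and not spark's own code: the class name `JvmFlagRedactor`, its patterns and the sample flags are assumptions made for illustration, and `$HOME` is reused as the marker from the expected output in the report.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper, not part of spark: redacts home-directory paths in JVM flags. */
public final class JvmFlagRedactor {
    private static final String MARKER = Matcher.quoteReplacement("$HOME");
    // Characters that end a path component or a path-list entry.
    private static final String END = "(?=[\\\\/:;\\s\"']|$)";
    // Fallback for paths that belong to another account or machine:
    // /home/<name>, /Users/<name>, <drive>:\Users\<name> (either slash).
    // A name containing spaces is only cut at the first space, which is
    // why the exact user.home match below runs first.
    private static final Pattern GENERIC_HOME = Pattern.compile(
            "(?<![\\w.-])(?:/home/|/Users/|[A-Za-z]:[\\\\/]Users[\\\\/])[^\\\\/\\s:;\"']+");

    private final Pattern exactHome; // null when no usable home directory is known

    public JvmFlagRedactor(String home) {
        // Drop trailing separators so "/home/alice/" and "/home/alice" behave alike.
        String h = home == null ? "" : home.replaceAll("[\\\\/]+$", "");
        // END stops "/home/al" from matching inside "/home/alice".
        this.exactHome = h.isEmpty() ? null : Pattern.compile(Pattern.quote(h) + END);
    }

    public String redact(String flag) {
        String out = flag;
        if (exactHome != null) {
            out = exactHome.matcher(out).replaceAll(MARKER);
        }
        return GENERIC_HOME.matcher(out).replaceAll(MARKER);
    }

    public static void main(String[] args) {
        // A real caller would pass System.getProperty("user.home");
        // a constructed value keeps this demo's output stable.
        JvmFlagRedactor redactor = new JvmFlagRedactor("/home/alice");
        List<String> constructedFlags = List.of(
                "-Xms512m",
                "-Djava.library.path=/home/alice/.local/share/PrismLauncher/instances/1.21/natives",
                "-Dlog.dir=C:\\Users\\Bob\\AppData\\Roaming\\logs",
                "-cp /Users/carol/a.jar:/Users/carol/b.jar");
        for (String flag : constructedFlags) {
            System.out.println(redactor.redact(flag));
        }
    }
}
```

The generic pattern is the part a backend could also apply to dumps from older clients, since it does not depend on knowing the uploader's `user.home`.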