mirror of
https://github.com/GameServerManagers/LinuxGSM.git
synced 2026-04-25 06:05:57 +03:00
[GH-ISSUE #3306] Clear-Text Password Revealed in Valheim PostDetails Command #2284
Originally created by @PoppaShell on GitHub (Feb 25, 2021).
Original GitHub issue: https://github.com/GameServerManagers/LinuxGSM/issues/3306
User Story
When using the postdetails command on vhserver, it says it will remove passwords. And it does in the "Valheim Server Details" section, where the Server Password is redacted. But in the "Command-line Parameters", the password is revealed since the password is part of the command line to launch Valheim.
Basic info
Further Information
When the postdetails command is used, it submits it to termbin.com and returns an associated termbin URL for your details. When this command is used, it is supposed to redact the password. But as described above, it does not, because the password is also in the "Command-line Parameters" section of Details. My off-the-cuff idea to fix this would be to create a function that will take the server password during setup and securely store it in a config file (preferably not in clear-text) and then be able to call that password into the launch command via a variable. That way the command line only shows the variable and not the clear-text password. Then when postdetails is used, it can use the current function to redact it and not have to worry about it being revealed elsewhere. And if you also want to have it revealed on the terminal through the Details command, you can still do that by calling it from said function to reveal it. And if a user needs to change the password, you would also just need to leverage the original setup function to collect the password from the user and update it in the secured (non-cleartext) location.
To Reproduce
Steps to reproduce the behaviour:
Expected behaviour
For the clear-text password not to be publicly revealed anywhere unintentionally.
@PoppaShell commented on GitHub (Feb 25, 2021):
Looks like this was already submitted a few days ago in https://github.com/GameServerManagers/LinuxGSM/issues/3286.
I gave a few more details/ideas of how it could be more properly handled. So I decided to leave this open and see if those ideas are helpful.
@PoppaShell commented on GitHub (Feb 25, 2021):
Here is a fun Google search if you need more "proof". =)
https://www.google.com/search?q=site:termbin.com+%22vhserver%22
@dgibbs64 commented on GitHub (Mar 1, 2021):
#3286
It is disappointing that termbin is allowing the indexing of pastes. It should not do this. I will need to contact termbin about this issue to see if they will prevent indexing from happening. If they do not then I will look at other options moving forward.
I have also resolved the serverpassword issue with this PR #3315
The fix however does not obfuscate a password if a user directly copies a password into the start parameters.
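One way to scrub a details report before it is uploaded, covering both the configured password and a password typed directly into the start parameters. This is an added example, not LinuxGSM code and not the change made in PR #3315; the function names, the mask string and the sample report are constructed, and it assumes the password reaches Valheim through a `-password` argument.

```shell
#!/bin/sh
# Added example: scrub a details report before it is uploaded to a paste site.
# redact_details, sample_report and MASK are hypothetical names, not LinuxGSM's.
MASK='********'

# redact_details SECRET: report on stdin, scrubbed report on stdout.
# Pass 1 masks every literal occurrence of SECRET (plain substring search, so
# regex characters in a password are harmless). Pass 2 masks the value after a
# -password argument, which also covers a password typed into the parameters.
redact_details() {
    SECRET="$1" MASK="$MASK" awk '
    function mask_literal(line, secret,    out, i) {
        if (secret == "") return line
        out = ""
        while ((i = index(line, secret)) > 0) {
            out = out substr(line, 1, i - 1) ENVIRON["MASK"]
            line = substr(line, i + length(secret))
        }
        return out line
    }
    function mask_arg(line,    out, rest) {
        out = ""; rest = line
        # value is either a quoted string or a single bare word
        while (match(rest, /-password[ =]+("[^"]*"|[^ "]+)/)) {
            out = out substr(rest, 1, RSTART - 1) "-password \"" ENVIRON["MASK"] "\""
            rest = substr(rest, RSTART + RLENGTH)
        }
        return out rest
    }
    { print mask_arg(mask_literal($0, ENVIRON["SECRET"])) }
    '
}

# Constructed sample report; the password value is made up.
sample_report() {
    cat <<'EOF'
Valheim Server Details
Server password: hunter2.5
Command-line Parameters
./valheim_server.x86_64 -name "demo" -password "hunter2.5" -port 2456 -world "demo"
EOF
}

sample_report | redact_details 'hunter2.5'
```

Running the scrub as the last step before the upload means a secret is masked wherever it appears in the report, rather than only in the section that was expected to contain it.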