Mojira Archive
MC-249345

Directory Traversal Vulnerability In ClientPlayNetworkHandler

The client is able to load local resource packs using the "level://" URL scheme. Whilst handling ClientboundResourcePackPacket, validateResourcePackUrl is called to ensure the URL for the level scheme doesn't contain any ".." in its path; however, URLDecoder.decode is called on the path before it is parsed, meaning that if you URL-encode the dots (%2e) they bypass this protection. The resulting path traversal allows arbitrary checking of the existence of files.

A server can send a ClientboundResourcePackPacket with a URL payload of "level://%2e%2e%2f%2e%2e%2faudacity%00/resources.zip" to check whether the client has Audacity installed: the client will send a ServerboundResourcePackPacket.ACCEPTED if the folder exists; if not, it will send a ServerboundResourcePackPacket.FAILED_DOWNLOAD.

The file terminator character %00, which is used to bypass the endsWith("/resources.zip") condition, will only work on certain operating systems.
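
The check order described above, next to a hardened form, as an added example that is not part of the original report and is not Mojang's code. The class name, method names and the `run/saves` directory are assumptions made for illustration; the sample URLs are constructed except where marked.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

public class LevelPackUrlCheck {
    static final String SCHEME = "level://";

    // Check as the report describes it: inspects the raw, still-encoded string,
    // so "%2e%2e" is never seen as "..".
    static boolean rawCheck(String url) {
        return url.startsWith(SCHEME) && !url.contains("..") && url.endsWith("/resources.zip");
    }

    // Hardened form (hypothetical helper): decode first, then validate the
    // decoded and normalized path against the directory it must stay inside.
    static Optional<Path> resolveInside(Path savesDir, String url) {
        if (!url.startsWith(SCHEME)) return Optional.empty();
        try {
            String decoded = URLDecoder.decode(url.substring(SCHEME.length()), StandardCharsets.UTF_8);
            if (decoded.indexOf('\0') >= 0) return Optional.empty(); // NUL would truncate the name on some platforms
            Path base = savesDir.toAbsolutePath().normalize();
            Path target = base.resolve(decoded).normalize();       // collapses any ".." segments
            boolean inside = target.startsWith(base);              // component-wise containment check
            boolean named = target.getFileName() != null
                    && target.getFileName().toString().equals("resources.zip");
            return inside && named ? Optional.of(target) : Optional.empty();
        } catch (IllegalArgumentException e) {                      // bad %-escape or invalid path
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        Path saves = Paths.get("run", "saves"); // constructed directory; no file is opened
        String[] samples = {
            "level://MyWorld/resources.zip",                         // constructed, benign
            "level://%2e%2e%2f%2e%2e%2faudacity%00/resources.zip",   // payload quoted in the report
            "level://%2e%2e/%2e%2e/resources.zip"                    // constructed, same encoding without NUL
        };
        for (String url : samples) {
            System.out.printf("%-55s raw check: %-5b decoded check: %s%n", url, rawCheck(url),
                    resolveInside(saves, url).isPresent() ? "accept" : "reject");
        }
    }
}
```

The raw check passes all three samples, while the decode-then-validate form accepts only the first.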


Fixed

Oliver Kent

[Mojang] Gegy

2022-03-22, 11:42 PM

2022-04-08, 12:00 PM

2022-04-08, 12:00 PM

2

4

Plausible

Important

Networking

1.18.2

22w15a