Command Injection via Resource Pack
Summary:
Between versions 20w20a and 23w04a, Minecraft used the TinyFileDialogs library provided by LWJGL to open a file picker dialog, specifically for the "import world settings" option in world creation. On Linux platforms, the library evaluated environment variables and command expansions in the title of the file picker. Since this title comes from the resource pack, a resource pack can cause arbitrary system commands to run when the user clicks the button on Linux platforms in these versions.
This no longer affects the latest release, but these older versions are still affected. See the attached resource pack and the comment below for a fully working reproduction demo.
Original Description:
Just to prefix this: the "affects version" field can't take anything other than the latest snapshot, future update, or current version, so I put 23w40a, but this actually affects 20w20a to 23w04a.
Hello,
I was recently made aware of a security vulnerability in a library called TinyFileDialogs. As part of that, I let the author know and they made a fix. As part of my research, I have also been searching for things that have used it, and found that Minecraft in versions 20w20a to 23w04a had used TinyFileDialogs via LWJGL. Minecraft had used it insecurely by taking a translation's output and inputting that into the title of the dialog. As such, a person can specially craft a resource pack with a translation file that can execute terminal commands when an unsuspecting user uses said resource pack and then presses the "Import Settings" button in the world creation screen.
This is a big problem, as the translation is only ever used in the dialog title; as such, there is no way for the user to know that a command could possibly be executed, even if they knew about such an exploit, unless they opened the translation file. As such, many data pack developers use resource packs and data packs together, meaning that users can be easily socially engineered into running a resource pack and then creating a world.
I will also note that this is not a problem on Windows computers, as the library handed all dialog creation off to the Windows native systems instead of handling it itself.
I've attached a video of the vulnerability in action.
I do hope this can get resolved in some manner as this puts a great number of users at risk.
Thanks,
Brady
2023-10-06, 06:04 PM
2023-12-07, 03:55 PM
2023-10-10, 07:07 AM
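A defensive check for the issue described in the summary, as an added example that is not part of the original report or of Mojang's code: it scans a resource pack's language files for translation values containing shell expansion syntax. The regular expressions, the function names and the sample pack are assumptions constructed for illustration; it checks every translation key because the report does not name the affected one.

```python
import io
import json
import re
import zipfile

# Language files sit at assets/<namespace>/lang/<locale>.json in a pack.
LANG_FILE = re.compile(r"^assets/[^/]+/lang/[^/]+\.json$")
# Positional Java format specifiers (%1$s, %2$d) are normal in translations;
# strip them so their "$" is not reported. The lookahead keeps "%1$sNAME" flagged.
POSITIONAL_SPEC = re.compile(r"%\d+\$[sd](?![A-Za-z0-9_])")
# Shell expansion syntax: backticks, $(...), ${...} and $NAME.
SHELL_EXPANSION = re.compile(r"`|\$\(|\$\{|\$[A-Za-z_]")


def suspicious_translations(pack):
    """Return sorted (file, key, value) tuples whose value has expansion syntax."""
    findings = []
    with zipfile.ZipFile(pack) as zf:  # pack: path or binary file object
        for name in zf.namelist():
            if not LANG_FILE.match(name):
                continue
            try:
                entries = json.loads(zf.read(name).decode("utf-8"))
            except (UnicodeDecodeError, json.JSONDecodeError):
                findings.append((name, "<unparseable>", ""))
                continue
            if not isinstance(entries, dict):
                continue
            for key, value in entries.items():
                if isinstance(value, str) and SHELL_EXPANSION.search(
                        POSITIONAL_SPEC.sub("", value)):
                    findings.append((name, key, value))
    return sorted(findings)


def build_sample_pack():
    """Constructed in-memory pack; every key and value here is made up."""
    lang = {
        "example.progress": "Imported %1$s of %2$s",
        "example.price": "Costs 5$ per item",
        "example.dialog.title": "Select file $(echo constructed-sample)",
        "example.other.title": "Home is $HOME",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/minecraft/lang/en_us.json", json.dumps(lang))
        zf.writestr("assets/minecraft/textures/note.txt", "`not a lang file`")
    buf.seek(0)
    return buf
```

Calling `suspicious_translations(build_sample_pack())` reports the two constructed titles and leaves the `%1$s` and `5$` values alone; a finding is a prompt to open the language file and read the value, not proof of malice.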