Client does not verify received cached chunks

The client does not validate chunks it receives through the chunk caching protocol, not at all, therefore allowing malicious servers to poison any servers chunk data by sending data with the same hash. This also allows people to send completely random data to the client in order to increase the blob_cache folder size to extremely high values like 2gb+, technically not being limited. It also allows for servers to purposefully swap out chunks from other servers, for example Minecraft Featured servers, to replace their entire lobby with a flat world or any world they desire.

For a player to be affected by this, they need to join any malicious server that sends these packets in order to modify the chunk cache.

This can also affect developers working on chunk caching that might accidentally break things during dev because of this, maybe even for other servers.

 

To resolve the issue, the client should validate the chunk data it receives for a cache miss by calculating the xxhash64 for the data itself, then comparing the calculated hash with the hash for the miss to determine whether it was sent truthful information.