Stop using insecure UUIDs from non-XBL players

closes #4076 I opted for the minimal approach of replacing only UUIDs for non-XBL players, since most servers are using XBL anyway (as they should).
2025-09-06 09:56:06 +00:00 · 2023-05-27 18:00:54 +01:00
parent 473c062b40
commit 9baf59702b
3 changed files with 21 additions and 3 deletions
--- a/src/network/mcpe/handler/LoginPacketHandler.php
+++ b/src/network/mcpe/handler/LoginPacketHandler.php
@ -95,7 +95,7 @@ class LoginPacketHandler extends PacketHandler{
 		}else{
 			$playerInfo = new PlayerInfo(
 				$extraData->displayName,
-				$uuid,
+				null, //we can't trust UUIDs of non-XBL players - replace this with a server-generated UUID
 				$skin,
 				$clientData->LanguageCode,
 				(array) $clientData
--- a/src/player/PlayerInfo.php
+++ b/src/player/PlayerInfo.php
@ -25,24 +25,42 @@ namespace pocketmine\player;

 use pocketmine\entity\Skin;
 use pocketmine\utils\TextFormat;
+use Ramsey\Uuid\Uuid;
 use Ramsey\Uuid\UuidInterface;

 /**
 * Encapsulates data needed to create a player.
 */
 class PlayerInfo{
+	/**
+	 * Namespace for server-generated UUIDs for unauthenticated (non-XBL) players.
+	 * This must not be changed.
+	 */
+	private const UNAUTHENTICATED_PLAYER_UUID_NS = '6a6424c0-a26f-43b7-8e72-4176d051748d';
+
+	private UuidInterface $uuid;
 	/**
 	 * @param mixed[] $extraData
 	 * @phpstan-param array<string, mixed> $extraData
 	 */
 	public function __construct(
 		private string $username,
-		private UuidInterface $uuid,
+		?UuidInterface $uuid,
 		private Skin $skin,
 		private string $locale,
 		private array $extraData = []
 	){
 		$this->username = TextFormat::clean($username);
+		$this->uuid = $uuid ?? self::generateServerAuthoritativeUuid($this->username);
+	}
+
+	/**
+	 * Generates a UUID based on the player's username. This is used for any non-authenticated player, as we can't
+	 * trust UUIDs sent by unauthenticated players.
+	 */
+	public static function generateServerAuthoritativeUuid(string $username) : UuidInterface{
+		//TODO: should we be cleaning the username here?
+		return Uuid::uuid5(self::UNAUTHENTICATED_PLAYER_UUID_NS, TextFormat::clean($username));
 	}

 	public function getUsername() : string{
--- a/src/player/XboxLivePlayerInfo.php
+++ b/src/player/XboxLivePlayerInfo.php
@ -48,7 +48,7 @@ final class XboxLivePlayerInfo extends PlayerInfo{
 	public function withoutXboxData() : PlayerInfo{
 		return new PlayerInfo(
 			$this->getUsername(),
-			$this->getUuid(),
+			null, //we can't trust UUIDs of non-XBL players - replace this with a server-generated UUID
 			$this->getSkin(),
 			$this->getLocale(),
 			$this->getExtraData()