From 10293aa5429938d67eabf73c1c7771f78f8fba0b Mon Sep 17 00:00:00 2001
From: Andrew Steinborn <git@steinborn.me>
Date: Fri, 14 Dec 2018 14:41:46 -0500
Subject: [PATCH] Fix login with IPv6 and other potential security issues

---
 .../proxy/connection/client/LoginSessionHandler.java        | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/proxy/src/main/java/com/velocitypowered/proxy/connection/client/LoginSessionHandler.java b/proxy/src/main/java/com/velocitypowered/proxy/connection/client/LoginSessionHandler.java
index 1771e6b2e..15ee1b3bf 100644
--- a/proxy/src/main/java/com/velocitypowered/proxy/connection/client/LoginSessionHandler.java
+++ b/proxy/src/main/java/com/velocitypowered/proxy/connection/client/LoginSessionHandler.java
@@ -6,6 +6,7 @@ import static com.velocitypowered.proxy.connection.VelocityConstants.VELOCITY_IP
 import static com.velocitypowered.api.network.ProtocolVersion.*;
 
 import com.google.common.base.Preconditions;
+import com.google.common.net.UrlEscapers;
 import com.velocitypowered.api.event.connection.LoginEvent;
 import com.velocitypowered.api.event.connection.PostLoginEvent;
 import com.velocitypowered.api.event.connection.PreLoginEvent;
@@ -15,7 +16,6 @@ import com.velocitypowered.api.event.player.GameProfileRequestEvent;
 import com.velocitypowered.api.proxy.InboundConnection;
 import com.velocitypowered.api.proxy.server.RegisteredServer;
 import com.velocitypowered.api.util.GameProfile;
-import com.velocitypowered.api.network.ProtocolVersion;
 import com.velocitypowered.proxy.VelocityServer;
 import com.velocitypowered.proxy.connection.MinecraftConnection;
 import com.velocitypowered.proxy.connection.MinecraftSessionHandler;
@@ -121,7 +121,9 @@ public class LoginSessionHandler implements MinecraftSessionHandler {
           .generateServerId(decryptedSharedSecret, serverKeyPair.getPublic());
 
       String playerIp = ((InetSocketAddress) inbound.getRemoteAddress()).getHostString();
-      String url = String.format(MOJANG_HASJOINED_URL, login.getUsername(), serverId, playerIp);
+      String url = String.format(MOJANG_HASJOINED_URL,
+          UrlEscapers.urlFormParameterEscaper().escape(login.getUsername()), serverId,
+          UrlEscapers.urlFormParameterEscaper().escape(playerIp));
       server.getHttpClient()
           .get(new URL(url))
           .thenAcceptAsync(profileResponse -> {