Player name prompt could be used to find files on the filesystem.
Robert French (https://robertdfrench.me) found:
I can tell the stable boy that my name is "../../../etc/passwd", and I
get an error saying "this user already exists". So that's not a
content leak, but it would allow someone to check for the existence of
a file, which might give them more information about potential
vulnerabilities.
Specifically, I can say "../../../etc/lsb-release" and get a different
error than if I say "../../../etc/redhat-release", so that gives me
info about your platform. Maybe not a big deal since this is open
source and someone could figure out just as much by looking at your
Docker file.
This was fixed by adding a check in the name
function which prevents non-letter chracters.
Edited by Caleb Cooper