themaster1970sf/TShock
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

Merge commit from fork

Browse source 
Missing ban validation in Connect Request allows TShock ban bypassing
This commit is contained in:
Lucas Nicodemus 2025-02-01 22:28:55 +09:00 committed by GitHub
commit 134f80f5b8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 26 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

2
TShockAPI/Commands.cs
View file

@ -5363,7 +5363,7 @@ namespace TShockAPI
foreach (TSPlayer ply in TShock.Players) foreach (TSPlayer ply in TShock.Players)
{ {
if (ply != null && ply.Active) if (ply != null && ply.Active && ply.FinishedHandshake)
{ {
if (displayIdsRequested) if (displayIdsRequested)
if (ply.Account != null) if (ply.Account != null)

3
TShockAPI/GetDataHandlers.cs
View file

@ -2726,6 +2726,8 @@ namespace TShockAPI
short numberOfDeathsPVP = args.Data.ReadInt16(); short numberOfDeathsPVP = args.Data.ReadInt16();
PlayerSpawnContext context = (PlayerSpawnContext)args.Data.ReadByte(); PlayerSpawnContext context = (PlayerSpawnContext)args.Data.ReadByte();
args.Player.FinishedHandshake = true;
if (OnPlayerSpawn(args.Player, args.Data, player, spawnx, spawny, respawnTimer, numberOfDeathsPVE, numberOfDeathsPVP, context)) if (OnPlayerSpawn(args.Player, args.Data, player, spawnx, spawny, respawnTimer, numberOfDeathsPVE, numberOfDeathsPVP, context))
return true; return true;
@ -2762,6 +2764,7 @@ namespace TShockAPI
args.Player.Dead = true; args.Player.Dead = true;
else else
args.Player.Dead = false; args.Player.Dead = false;
return false; return false;
} }

3
TShockAPI/TSPlayer.cs
View file

@ -351,6 +351,9 @@ namespace TShockAPI
/// <summary>Determines if the player is disabled for not clearing their trash. A re-login is the only way to reset this.</summary> /// <summary>Determines if the player is disabled for not clearing their trash. A re-login is the only way to reset this.</summary>
public bool IsDisabledPendingTrashRemoval; public bool IsDisabledPendingTrashRemoval;
/// <summary>Determines if the player has finished the handshake (Sent all necessary packets for connection, such as Request World Data, Spawn Player, etc). A normal client would do all of this no problem.</summary>
public bool FinishedHandshake = false;
/// <summary>Checks to see if active throttling is happening on events by Bouncer. Rejects repeated events by malicious clients in a short window.</summary> /// <summary>Checks to see if active throttling is happening on events by Bouncer. Rejects repeated events by malicious clients in a short window.</summary>
/// <returns>If the player is currently being throttled by Bouncer, or not.</returns> /// <returns>If the player is currently being throttled by Bouncer, or not.</returns>
public bool IsBouncerThrottled() public bool IsBouncerThrottled()

20
TShockAPI/TShock.cs
View file

@ -1376,6 +1376,8 @@ namespace TShockAPI
} }
} }
} }
Bans.CheckBan(player);
Players[args.Who] = player; Players[args.Who] = player;
} }
@ -1397,7 +1399,8 @@ namespace TShockAPI
return; return;
} }
Bans.CheckBan(player); if (Bans.CheckBan(player))
return;
} }
/// <summary>OnLeave - Called when a player leaves the server.</summary> /// <summary>OnLeave - Called when a player leaves the server.</summary>
@ -1437,7 +1440,7 @@ namespace TShockAPI
if (tsplr.ReceivedInfo) if (tsplr.ReceivedInfo)
{ {
if (!tsplr.SilentKickInProgress && tsplr.State >= 3) if (!tsplr.SilentKickInProgress && tsplr.State >= 3 && tsplr.FinishedHandshake) //The player has left, do not broadcast any clients exploiting the behaviour of not spawning their player.
Utils.Broadcast(GetString("{0} has left.", tsplr.Name), Color.Yellow); Utils.Broadcast(GetString("{0} has left.", tsplr.Name), Color.Yellow);
Log.Info(GetString("{0} disconnected.", tsplr.Name)); Log.Info(GetString("{0} disconnected.", tsplr.Name));
@ -1458,6 +1461,9 @@ namespace TShockAPI
} }
} }
tsplr.FinishedHandshake = false;
// Fire the OnPlayerLogout hook too, if the player was logged in and they have a TSPlayer object. // Fire the OnPlayerLogout hook too, if the player was logged in and they have a TSPlayer object.
if (tsplr.IsLoggedIn) if (tsplr.IsLoggedIn)
{ {
@ -1487,6 +1493,12 @@ namespace TShockAPI
return; return;
} }
if (!tsplr.FinishedHandshake)
{
args.Handled = true;
return;
}
if (args.Text.Length > 500) if (args.Text.Length > 500)
{ {
tsplr.Kick(GetString("Crash attempt via long chat packet."), true); tsplr.Kick(GetString("Crash attempt via long chat packet."), true);
@ -1703,14 +1715,14 @@ namespace TShockAPI
Log.Info(GetString("{0} ({1}) from '{2}' group from '{3}' joined. ({4}/{5})", player.Name, player.IP, Log.Info(GetString("{0} ({1}) from '{2}' group from '{3}' joined. ({4}/{5})", player.Name, player.IP,
player.Group.Name, player.Country, TShock.Utils.GetActivePlayerCount(), player.Group.Name, player.Country, TShock.Utils.GetActivePlayerCount(),
TShock.Config.Settings.MaxSlots)); TShock.Config.Settings.MaxSlots));
if (!player.SilentJoinInProgress) if (!player.SilentJoinInProgress && player.FinishedHandshake)
Utils.Broadcast(GetString("{0} ({1}) has joined.", player.Name, player.Country), Color.Yellow); Utils.Broadcast(GetString("{0} ({1}) has joined.", player.Name, player.Country), Color.Yellow);
} }
else else
{ {
Log.Info(GetString("{0} ({1}) from '{2}' group joined. ({3}/{4})", player.Name, player.IP, Log.Info(GetString("{0} ({1}) from '{2}' group joined. ({3}/{4})", player.Name, player.IP,
player.Group.Name, TShock.Utils.GetActivePlayerCount(), TShock.Config.Settings.MaxSlots)); player.Group.Name, TShock.Utils.GetActivePlayerCount(), TShock.Config.Settings.MaxSlots));
if (!player.SilentJoinInProgress) if (!player.SilentJoinInProgress && player.FinishedHandshake)
Utils.Broadcast(GetString("{0} has joined.", player.Name), Color.Yellow); Utils.Broadcast(GetString("{0} has joined.", player.Name), Color.Yellow);
} }

2
TShockAPI/Utils.cs
View file

@ -183,7 +183,7 @@ namespace TShockAPI
/// <returns>The number of active players on the server.</returns> /// <returns>The number of active players on the server.</returns>
public int GetActivePlayerCount() public int GetActivePlayerCount()
{ {
return TShock.Players.Count(p => null != p && p.Active); return TShock.Players.Count(p => null != p && p.Active && p.FinishedHandshake);
} }
//Random should not be generated in a method //Random should not be generated in a method

2
docs/changelog.md
View file

@ -78,6 +78,8 @@ Use past tense when adding new entries; sign your name off when you add or chang
* If there is no section called "Upcoming changes" below this line, please add one with `## Upcoming changes` as the first line, and then a bulleted item directly after with the first change. --> * If there is no section called "Upcoming changes" below this line, please add one with `## Upcoming changes` as the first line, and then a bulleted item directly after with the first change. -->
## Upcoming changes ## Upcoming changes
* Added a variable for handshake (True upon spawn player), clients no longer notify others of their presence and cant chat if this is never set to true. (@ohayo)
* Fixed a security issue with how bans are handled on join. (@ohayo)
* Fixed `/dump-reference-data` mutate the command names. (#2943, @sgkoishi) * Fixed `/dump-reference-data` mutate the command names. (#2943, @sgkoishi)
* Added `ParryDamageBuff` (Striking Moment with Brand of the Inferno and shield) for player, updated `CursedInferno` buff for NPC (@sgkoishi, #3005) * Added `ParryDamageBuff` (Striking Moment with Brand of the Inferno and shield) for player, updated `CursedInferno` buff for NPC (@sgkoishi, #3005)
* Changed the use of `Player.active` to `TSPlayer.Active` for consistency. (@sgkoishi, #2939) * Changed the use of `Player.active` to `TSPlayer.Active` for consistency. (@sgkoishi, #2939)