themaster1970sf/TShock
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions

Merge branch 'advistory-fix-1' into general-devel

Browse source
This commit is contained in:
Lucas Nicodemus 2021-07-21 18:44:11 -07:00
commit 5a96688796
2 changed files with 41 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

6
CHANGELOG.md
View file

@ -32,6 +32,12 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin
* Added `summonboss` permission check for Prismatic Lacewing. Players who do not have said permission will be unable to kill this critter, as it will summon the Empress of Light. Also added support for the `AnonymousBossInvasions` config option, if this is set to `false` it will now broadcast the name of the player who summoned her. (@moisterrific)
* Added `ForceTime` config setting check for Enchanted Sundial usage. If `ForceTime` is set to anything other than `normal`, Sundial use will be rejected as this would lead to very janky game behavior. Additionally, players with `cfgreload` permission will be advised to change it back to `normal` in order to use sundial. (@moisterrific, @bartico6)
* Added `%onlineplayers%` and `%serverslots%` placeholders for MOTD. The default MOTD message was also updated to use this. (@moisterrific, @bartico6)
* Fixed Bouncer inconsistently using `TilePlacementValid` when validating tile coordinates, which could cause a DoS attack due to unexpectedly large world framing. The list below shows the corrected methods within Bouncer. This was assigned [GHSA-jq4j-v8pr-jv7j](https://github.com/Pryaxis/Plugins/security/advisories/GHSA-jq4j-v8pr-jv7j). (@drunderscore)
* `OnTileEdit`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
* `OnPlaceObject`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
* `OnPlaceTileEntity`: The check was newly added.
* `OnPlaceItemFrame`: The check was newly added.
* `OnFoodPlatterTryPlacing`: The check was newly added.
## TShock 4.5.4
* Fixed ridiculous typo in `GetDataHandlers` which caused TShock to read the wrong field in the packet for `usingBiomeTorches`. (@hakusaro, @Arthri)

51
TShockAPI/Bouncer.cs
View file

@ -260,6 +260,13 @@ namespace TShockAPI
try
{
if (!TShock.Utils.TilePlacementValid(tileX, tileY))
{
TShock.Log.ConsoleDebug("Bouncer / OnTileEdit rejected from (tile placement valid) {0} {1} {2}", args.Player.Name, action, editData);
args.Handled = true;
return;
}
if (editData < 0 ||
((action == EditAction.PlaceTile || action == EditAction.ReplaceTile) && editData >= Main.maxTileSets) ||
((action == EditAction.PlaceWall || action == EditAction.ReplaceWall) && editData >= Main.maxWallTypes))
@ -270,14 +277,6 @@ namespace TShockAPI
return;
}
if (!TShock.Utils.TilePlacementValid(tileX, tileY))
{
TShock.Log.ConsoleDebug("Bouncer / OnTileEdit rejected from (tile placement valid) {0} {1} {2}", args.Player.Name, action, editData);
args.Player.SendTileSquare(tileX, tileY, 1);
args.Handled = true;
return;
}
if (action == EditAction.KillTile && Main.tile[tileX, tileY].type == TileID.MagicalIceBlock)
{
TShock.Log.ConsoleDebug("Bouncer / OnTileEdit super accepted from (ice block) {0} {1} {2}", args.Player.Name, action, editData);
@ -1654,6 +1653,13 @@ namespace TShockAPI
short type = args.Type;
short style = args.Style;
if (!TShock.Utils.TilePlacementValid(x, y))
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected valid placements from {0}", args.Player.Name);
args.Handled = true;
return;
}
if (type < 0 || type >= Main.maxTileSets)
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected out of bounds tile from {0}", args.Player.Name);
@ -1702,14 +1708,6 @@ namespace TShockAPI
return;
}
if (!TShock.Utils.TilePlacementValid(x, y))
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected valid placements from {0}", args.Player.Name);
args.Player.SendTileSquare(x, y, 1);
args.Handled = true;
return;
}
if (args.Player.Dead && TShock.Config.Settings.PreventDeadModification)
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected dead people don't do things from {0}", args.Player.Name);
@ -1801,6 +1799,13 @@ namespace TShockAPI
/// <param name="args">The packet arguments that the event has.</param>
internal void OnPlaceTileEntity(object sender, GetDataHandlers.PlaceTileEntityEventArgs args)
{
if (!TShock.Utils.TilePlacementValid(args.X, args.Y))
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceTileEntity rejected tile placement valid from {0}", args.Player.Name);
args.Handled = true;
return;
}
if (args.Player.IsBeingDisabled())
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceTileEntity rejected disabled from {0}", args.Player.Name);
@ -1828,6 +1833,13 @@ namespace TShockAPI
/// <param name="args">The packet arguments that the event has.</param>
internal void OnPlaceItemFrame(object sender, GetDataHandlers.PlaceItemFrameEventArgs args)
{
if (!TShock.Utils.TilePlacementValid(args.X, args.Y))
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceItemFrame rejected tile placement valid from {0}", args.Player.Name);
args.Handled = true;
return;
}
if (args.Player.IsBeingDisabled())
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceItemFrame rejected disabled from {0}", args.Player.Name);
@ -2129,6 +2141,13 @@ namespace TShockAPI
/// <param name="args"></param>
internal void OnFoodPlatterTryPlacing(object sender, GetDataHandlers.FoodPlatterTryPlacingEventArgs args)
{
if (!TShock.Utils.TilePlacementValid(args.TileX, args.TileY))
{
TShock.Log.ConsoleDebug("Bouncer / OnFoodPlatterTryPlacing rejected tile placement valid from {0}", args.Player.Name);
args.Handled = true;
return;
}
if ((args.Player.SelectedItem.type != args.ItemID && args.Player.ItemInHand.type != args.ItemID))
{
TShock.Log.ConsoleDebug("Bouncer / OnFoodPlatterTryPlacing rejected item not placed by hand from {0}", args.Player.Name);