From e0f17b82ef38b4db9ff03c88e0d332629af4a0f3 Mon Sep 17 00:00:00 2001
From: ProfessorXZ <ssbiljan@gmail.com>
Date: Wed, 10 Aug 2016 11:25:03 +0200
Subject: [PATCH 1/2] SyncExtraValue validation. Fixes #1024

---
 TShockAPI/GetDataHandlers.cs | 27 ++++++++++++++++++++++++++-
 TShockAPI/TSPlayer.cs        | 34 +++++++++++++++++++++++++++++-----
 2 files changed, 55 insertions(+), 6 deletions(-)

diff --git a/TShockAPI/GetDataHandlers.cs b/TShockAPI/GetDataHandlers.cs
index c8d37d33..801e6273 100755
--- a/TShockAPI/GetDataHandlers.cs
+++ b/TShockAPI/GetDataHandlers.cs
@@ -1259,6 +1259,7 @@ namespace TShockAPI
 					{ PacketTypes.KillPortal, HandleKillPortal },
 					{ PacketTypes.PlaceTileEntity, HandlePlaceTileEntity },
 					{ PacketTypes.PlaceItemFrame, HandlePlaceItemFrame },
+					{ PacketTypes.SyncExtraValue, HandleSyncExtraValue },
 					{ PacketTypes.ToggleParty, HandleToggleParty }
 				};
 		}
@@ -4203,11 +4204,35 @@ namespace TShockAPI
 			return false;
 		}
 
+		private static bool HandleSyncExtraValue(GetDataHandlerArgs args)
+		{
+			var npcIndex = args.Data.ReadInt16();
+			var extraValue = args.Data.ReadSingle();
+			var position = new Vector2(args.Data.ReadSingle(), args.Data.ReadSingle());
+
+			if (position.X < 0 || position.X >= Main.maxTilesX || position.Y < 0 || position.Y >= Main.maxTilesY)
+			{
+				return true;
+			}
+
+			if (!Main.expertMode)
+			{
+				return true;
+			}
+
+			if (TShock.CheckRangePermission(args.Player, (int)position.X, (int)position.Y))
+			{
+				return true;
+			}
+
+			return false;
+		}
+
 		private static bool HandleToggleParty(GetDataHandlerArgs args)
 		{
 			if (args.Player != null && !args.Player.HasPermission(Permissions.toggleparty))
 			{
-				args.Player.SendErrorMessage("You do not have permission to start a party");
+				args.Player.SendErrorMessage("You do not have permission to start a party.");
 				return true;
 			}
 
diff --git a/TShockAPI/TSPlayer.cs b/TShockAPI/TSPlayer.cs
index 858b4ba9..95feb980 100755
--- a/TShockAPI/TSPlayer.cs
+++ b/TShockAPI/TSPlayer.cs
@@ -198,8 +198,14 @@ namespace TShockAPI
 		/// </summary>
 		public int LoginAttempts { get; set; }
 
+		/// <summary>
+		/// Unused.
+		/// </summary>
 		public Vector2 TeleportCoords = new Vector2(-1, -1);
 
+		/// <summary>
+		/// The player's last known position from PlayerUpdate packet.
+		/// </summary>
 		public Vector2 LastNetPosition = Vector2.Zero;
 
 		/// <summary>
@@ -247,6 +253,9 @@ namespace TShockAPI
 		/// </summary>
 		public bool HasBeenNaggedAboutLoggingIn;
 
+		/// <summary>
+		/// Whether other players can teleport to the player.
+		/// </summary>
 		public bool TPAllow = true;
 
 		/// <summary>
@@ -435,7 +444,7 @@ namespace TShockAPI
 		}
 
 		/// <summary>
-		/// Saves the player's inventory to SSI
+		/// Saves the player's inventory to SSC
 		/// </summary>
 		/// <returns>bool - True/false if it saved successfully</returns>
 		public bool SaveServerCharacter()
@@ -534,7 +543,7 @@ namespace TShockAPI
 		}
 
 		/// <summary>
-		/// Gets the player's X tile coordinate.
+		/// Player X coordinate divided by 16. Supposed X world coordinate.
 		/// </summary>
 		public int TileX
 		{
@@ -542,13 +551,16 @@ namespace TShockAPI
 		}
 
 		/// <summary>
-		/// Gets the player's Y tile coordinate.
+		/// Player Y cooridnate divided by 16. Supposed Y world coordinate.
 		/// </summary>
 		public int TileY
 		{
 			get { return (int) (Y/16); }
 		}
 
+		/// <summary>
+		/// Unused.
+		/// </summary>
 		public bool TpLock;
 
 		/// <summary>
@@ -630,6 +642,10 @@ namespace TShockAPI
 			return null;
 		}
 
+		/// <summary>
+		/// Initializes a new instance of the <see cref="TSPlayer"/> class.
+		/// </summary>
+		/// <param name="index">The player's index in the.</param>
 		public TSPlayer(int index)
 		{
 			TilesDestroyed = new Dictionary<Vector2, Tile>();
@@ -640,6 +656,10 @@ namespace TShockAPI
 			AwaitingResponse = new Dictionary<string, Action<object>>();
 		}
 
+		/// <summary>
+		/// Initializes a new instance of the <see cref="TSPlayer"/> class.
+		/// </summary>
+		/// <param name="playerName">The player's name.</param>
 		protected TSPlayer(String playerName)
 		{
 			TilesDestroyed = new Dictionary<Vector2, Tile>();
@@ -686,7 +706,7 @@ namespace TShockAPI
 		}
 
 		/// <summary>
-		/// Teleports a player to the given coordinates in the world.
+		/// Teleports the player to the given coordinates in the world.
 		/// </summary>
 		/// <param name="x">The X coordinate.</param>
 		/// <param name="y">The Y coordinate.</param>
@@ -989,7 +1009,7 @@ namespace TShockAPI
 		}
 
 		/// <summary>
-		/// Sends a message to a player with the specified RGB color.
+		/// Sends a message to the player with the specified RGB color.
 		/// </summary>
 		/// <param name="msg">The message.</param>
 		/// <param name="red">The amount of red color to factor in. Max: 255.</param>
@@ -1116,6 +1136,10 @@ namespace TShockAPI
 				TShock.Log.Debug(frame.GetMethod().DeclaringType.Name + " called Disable().");
 		}
 
+		/// <summary>
+		/// Annoys the player for a specified amount of time.
+		/// </summary>
+		/// <param name="time">The</param>
 		public virtual void Whoopie(object time)
 		{
 			var time2 = (int) time;

From 6c0f3ec15db8906bbb32472edd6c6c3554f447d0 Mon Sep 17 00:00:00 2001
From: ProfessorXZ <ssbiljan@gmail.com>
Date: Fri, 12 Aug 2016 12:28:41 +0200
Subject: [PATCH 2/2] Players are no longer able to place liquids using packet
 82. Fixes #1260

---
 CHANGELOG.md                 | 2 ++
 TShockAPI/GetDataHandlers.cs | 9 ++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 222991f4..eb2270dd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,8 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin
 * Players can no longer quick stack items into region protected chests (@ProfessorXZ)
 * Rope placement is no longer blocked by range checks (@ProfessorXZ)
 * The Drill Containment Unit breaks blocks properly now (@ProfessorXZ)
+* Fixed Expert mode coin duplication (@ProfessorXZ)
+* Players are no longer able to place liquids using LoadNetModule packet (@ProfessorXZ)
 
 ## TShock 4.3.17
 
diff --git a/TShockAPI/GetDataHandlers.cs b/TShockAPI/GetDataHandlers.cs
index 801e6273..9ff3b562 100755
--- a/TShockAPI/GetDataHandlers.cs
+++ b/TShockAPI/GetDataHandlers.cs
@@ -362,7 +362,7 @@ namespace TShockAPI
 			public int TileY { get; set; }
 		}
 		/// <summary>
-		/// TileKill - When a tile is removed fromt he world
+		/// TileKill - When a tile is removed from the world
 		/// </summary>
 		public static HandlerList<TileKillEventArgs> TileKill;
 
@@ -1260,6 +1260,7 @@ namespace TShockAPI
 					{ PacketTypes.PlaceTileEntity, HandlePlaceTileEntity },
 					{ PacketTypes.PlaceItemFrame, HandlePlaceItemFrame },
 					{ PacketTypes.SyncExtraValue, HandleSyncExtraValue },
+					{ PacketTypes.LoadNetModule, HandleLoadNetModule },
 					{ PacketTypes.ToggleParty, HandleToggleParty }
 				};
 		}
@@ -4228,6 +4229,12 @@ namespace TShockAPI
 			return false;
 		}
 
+		private static bool HandleLoadNetModule(GetDataHandlerArgs args)
+		{
+			// Since this packet is never actually sent to us, every attempt at sending it can be considered as a liquid exploit attempt
+			return true;
+		}
+
 		private static bool HandleToggleParty(GetDataHandlerArgs args)
 		{
 			if (args.Player != null && !args.Player.HasPermission(Permissions.toggleparty))