From e3b5d31b909a08b4c13b959f99683cd11bda6183 Mon Sep 17 00:00:00 2001 From: Lucas Nicodemus Date: Fri, 28 May 2021 23:00:12 -0700 Subject: [PATCH 1/2] Update submodule to block AutoRegister <= 1.2.0 For more information, see https://github.com/Pryaxis/TSAPI/commit/4fe71f8cdf5ae7a3bae4686a152d62dfee23013b or the underlying changelog message. --- CHANGELOG.md | 1 + TerrariaServerAPI | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a51eda7..2ed3232a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -21,6 +21,7 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin * Moved the emoji player index check into a new class of handlers called `IllegalPerSe`, which is designed to help isolate parts of TShock and make it so that "protocol violations" are treated separately from heuristic based anti-cheat checks. (@hakusaro) * Changed `TSPlayer.FindByNameOrID` so that it will continue searching for players and return a list of many players whem ambiguous matches exist in all cases. Specifically, this avoids a scenario where a griefer names themselves `1` and is difficult to enact justice on, because their name will not be found by the matching system used to kick players. To help with ambiguity, this method now processes requests with prefixes `tsi:` and `tsn:`. `tsi:[number]` will process the search as looking for an exact player by ID. `tsn:` will process the search as looking for an exact name, case sensitive. In both cases, the system will return an exact result in the "old-style" result, i.e., a `List` with exactly one result. For example, `/kick tsid:1` will match the player with the ID `1`. `/kick tsn:1` will match the username `1`. In addition, players who attempt to join the server with the name prefixes `tsn:` and `tsi:` will be rejected for having invalid names. (@hakusaro, @Onusai) * Added warnings for conditions where a password is set at runtime but can be bypassed. The thinking is that if a user sets a password when they're booting the server, that's what they expect to be the password. The only thing is that sometimes, other config options can basically defeat this as a security feature. The goal is just to communicate more and make things clearer. The server also warns users when UUID login is enabled, because it can be confusing and insecure. (@hakusaro, @Onusai) +* Disallow loading of the AutoRegister plugin version 1.2.0 or lower. 
Versions of this plugin at or equal to 1.2.0 use low entropy material to create passwords. This effectively means that it's possible for any user to be easily impersonated on a server running AutoRegister by simply convincing a user to join a malicious server, even when UUID login is disabled. (@hakusaro) ## TShock 4.5.3 * Added permissions for using Teleportation Potions, Magic Conch, and Demon Conch. (@drunderscore) diff --git a/TerrariaServerAPI b/TerrariaServerAPI index 4ac95288..4fe71f8c 160000 --- a/TerrariaServerAPI +++ b/TerrariaServerAPI @@ -1 +1 @@ -Subproject commit 4ac9528825390ac3a15f096b248fcda33f5d210f +Subproject commit 4fe71f8cdf5ae7a3bae4686a152d62dfee23013b From df3168be34ba639b837c6688356ffd4572c98303 Mon Sep 17 00:00:00 2001 From: Lucas Nicodemus Date: Sat, 5 Jun 2021 16:33:41 -0700 Subject: [PATCH 2/2] Update submodule (again) for final blocking change The commits before the "Revert changes to submodule" commit are very cursed and I'm not going to try to rebase to fix things. --- TerrariaServerAPI | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TerrariaServerAPI b/TerrariaServerAPI index 775e57ce..e9e2ad91 160000 --- a/TerrariaServerAPI +++ b/TerrariaServerAPI @@ -1 +1 @@ -Subproject commit 775e57ce274f34b4593037dcf99941ac966b8415 +Subproject commit e9e2ad919dd8b1b2bc1aeb3b96da7542dadc16a8
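Review bot: In the CHANGELOG.md hunk of patch 1/2, the added AutoRegister entry does not follow the past-tense convention stated in the file's header line, and its version range is worded two different ways. It opens with `Disallow loading ...` where the neighbouring entries use `Added`, `Changed`, `Moved`; suggest `Disallowed loading of the AutoRegister plugin version 1.2.0 or lower.` The second sentence says "at or equal to 1.2.0", which reads as exactly 1.2.0, while the first sentence and the subject line (`<= 1.2.0`) mean 1.2.0 and everything below it; suggest "Versions of this plugin at or below 1.2.0". The entry also does not say whether accounts already registered by an affected version keep the low-entropy passwords after the plugin is blocked, so a sentence telling operators whether those passwords need to be reset would make the entry actionable.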
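Review bot: The TerrariaServerAPI hunk in patch 1/2 cannot be reviewed for the blocking behaviour itself, because it only moves the submodule pointer from `4ac95288...` to `4fe71f8c...` and the commit message defers to a link for the details. Please confirm that the range between those two submodule commits contains nothing beyond the AutoRegister block, and add one line to the commit message saying how the affected plugin and its version are identified, so that the security-relevant change is understandable from this repository's history without following the URL.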
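Review bot: The TerrariaServerAPI hunk in patch 2/2 does not apply on top of patch 1/2 as shown: its removed line is `-Subproject commit 775e57ce...`, while 1/2 leaves the submodule at `4fe71f8c...`. The series therefore depends on intermediate commits that are not included (the message mentions a "Revert changes to submodule" commit), and the message gives no description of what the "final blocking change" at `e9e2ad91...` alters relative to `4fe71f8c...`. Suggest either including the intermediate commits or squashing to a single submodule bump from `4ac95288...` to `e9e2ad91...`, and stating in the message what changed in the block between the two TSAPI commits, since the changelog entry in 1/2 was written against the earlier one.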