diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
index 4cf87d10..473130c4 100644
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,19 +1,3 @@
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
-?????? HAVE YOU UPDATED THE CHANGELOG? ??????
\ No newline at end of file
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8d9e18eb..1434d2c4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin
## Upcoming changes
* Fix some typos that have been in the repository for over a lustrum. (@Killia0)
+* Fixed SendTileRectHandler not sending tile rect updates like Pylons/Mannequins to other clients. (@Stealownz)
* Changed the world autosave message so that it no longer warns of a "potential lag spike." (@hakusaro)
* Added `/slay` as an alias for `/kill` to be more consistent with other server mods. (@hakusaro)
* Added `/god` as an alias for `/godmode` to be more consistent with other server mods. (@hakusaro)
@@ -33,6 +34,12 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin
* Added `summonboss` permission check for Prismatic Lacewing. Players who do not have said permission will be unable to kill this critter, as it will summon the Empress of Light. Also added support for the `AnonymousBossInvasions` config option, if this is set to `false` it will now broadcast the name of the player who summoned her. (@moisterrific)
* Added `ForceTime` config setting check for Enchanted Sundial usage. If `ForceTime` is set to anything other than `normal`, Sundial use will be rejected as this would lead to very janky game behavior. Additionally, players with `cfgreload` permission will be advised to change it back to `normal` in order to use sundial. (@moisterrific, @bartico6)
* Added `%onlineplayers%` and `%serverslots%` placeholders for MOTD. The default MOTD message was also updated to use this. (@moisterrific, @bartico6)
+* Fixed Bouncer inconsistently using `TilePlacementValid` when validating tile coordinates, which could cause a DoS attack due to unexpectedly large world framing. The list below shows the corrected methods within Bouncer. This was assigned [GHSA-jq4j-v8pr-jv7j](https://github.com/Pryaxis/TShock/security/advisories/GHSA-jq4j-v8pr-jv7j). (@drunderscore)
+ * `OnTileEdit`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
+ * `OnPlaceObject`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
+ * `OnPlaceTileEntity`: The check was newly added.
+ * `OnPlaceItemFrame`: The check was newly added.
+ * `OnFoodPlatterTryPlacing`: The check was newly added.
## TShock 4.5.4
* Fixed ridiculous typo in `GetDataHandlers` which caused TShock to read the wrong field in the packet for `usingBiomeTorches`. (@hakusaro, @Arthri)
diff --git a/TShockAPI/Bouncer.cs b/TShockAPI/Bouncer.cs
index 299ab85b..a625190b 100644
--- a/TShockAPI/Bouncer.cs
+++ b/TShockAPI/Bouncer.cs
@@ -260,6 +260,13 @@ namespace TShockAPI
try
{
+ if (!TShock.Utils.TilePlacementValid(tileX, tileY))
+ {
+ TShock.Log.ConsoleDebug("Bouncer / OnTileEdit rejected from (tile placement valid) {0} {1} {2}", args.Player.Name, action, editData);
+ args.Handled = true;
+ return;
+ }
+
if (editData < 0 ||
((action == EditAction.PlaceTile || action == EditAction.ReplaceTile) && editData >= Main.maxTileSets) ||
((action == EditAction.PlaceWall || action == EditAction.ReplaceWall) && editData >= Main.maxWallTypes))
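Review bot: The `TilePlacementValid` guard now at the top of the `try` block has no comment saying why it must run first or why it no longer calls `SendTileSquare`, so a later reorder could quietly reintroduce the issue the changelog ties to GHSA-jq4j-v8pr-jv7j. I would add above it `// Must stay first: reject invalid coordinates before any Main.tile access or SendTileSquare (GHSA-jq4j-v8pr-jv7j).` The same comment is missing from the guards added in OnPlaceObject, OnPlaceTileEntity, OnPlaceItemFrame and OnFoodPlatterTryPlacing. OnTileEdit's body starts and ends outside this hunk.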
@@ -270,14 +277,6 @@ namespace TShockAPI
return;
}
- if (!TShock.Utils.TilePlacementValid(tileX, tileY))
- {
- TShock.Log.ConsoleDebug("Bouncer / OnTileEdit rejected from (tile placement valid) {0} {1} {2}", args.Player.Name, action, editData);
- args.Player.SendTileSquare(tileX, tileY, 1);
- args.Handled = true;
- return;
- }
-
if (action == EditAction.KillTile && Main.tile[tileX, tileY].type == TileID.MagicalIceBlock)
{
TShock.Log.ConsoleDebug("Bouncer / OnTileEdit super accepted from (ice block) {0} {1} {2}", args.Player.Name, action, editData);
@@ -1654,6 +1653,13 @@ namespace TShockAPI
short type = args.Type;
short style = args.Style;
+ if (!TShock.Utils.TilePlacementValid(x, y))
+ {
+ TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected valid placements from {0}", args.Player.Name);
+ args.Handled = true;
+ return;
+ }
+
if (type < 0 || type >= Main.maxTileSets)
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected out of bounds tile from {0}", args.Player.Name);
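Review bot: The debug message in the moved guard, "rejected valid placements", reads as if a valid placement was refused, and it leaves out the coordinates that failed the check, which an operator needs when triaging a client that keeps sending bad packets. Consider `TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected tile placement valid from {0} at ({1}, {2})", args.Player.Name, x, y);`, which also matches the wording of the other handlers. The guards in OnTileEdit, OnPlaceTileEntity, OnPlaceItemFrame and OnFoodPlatterTryPlacing also log the player name without the rejected coordinates. OnPlaceObject starts and ends outside this hunk.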
@@ -1702,14 +1708,6 @@ namespace TShockAPI
return;
}
- if (!TShock.Utils.TilePlacementValid(x, y))
- {
- TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected valid placements from {0}", args.Player.Name);
- args.Player.SendTileSquare(x, y, 1);
- args.Handled = true;
- return;
- }
-
if (args.Player.Dead && TShock.Config.Settings.PreventDeadModification)
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected dead people don't do things from {0}", args.Player.Name);
@@ -1801,6 +1799,13 @@ namespace TShockAPI
/// The packet arguments that the event has.
internal void OnPlaceTileEntity(object sender, GetDataHandlers.PlaceTileEntityEventArgs args)
{
+ if (!TShock.Utils.TilePlacementValid(args.X, args.Y))
+ {
+ TShock.Log.ConsoleDebug("Bouncer / OnPlaceTileEntity rejected tile placement valid from {0}", args.Player.Name);
+ args.Handled = true;
+ return;
+ }
+
if (args.Player.IsBeingDisabled())
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceTileEntity rejected disabled from {0}", args.Player.Name);
@@ -1828,6 +1833,13 @@ namespace TShockAPI
/// The packet arguments that the event has.
internal void OnPlaceItemFrame(object sender, GetDataHandlers.PlaceItemFrameEventArgs args)
{
+ if (!TShock.Utils.TilePlacementValid(args.X, args.Y))
+ {
+ TShock.Log.ConsoleDebug("Bouncer / OnPlaceItemFrame rejected tile placement valid from {0}", args.Player.Name);
+ args.Handled = true;
+ return;
+ }
+
if (args.Player.IsBeingDisabled())
{
TShock.Log.ConsoleDebug("Bouncer / OnPlaceItemFrame rejected disabled from {0}", args.Player.Name);
@@ -2129,6 +2141,13 @@ namespace TShockAPI
///
internal void OnFoodPlatterTryPlacing(object sender, GetDataHandlers.FoodPlatterTryPlacingEventArgs args)
{
+ if (!TShock.Utils.TilePlacementValid(args.TileX, args.TileY))
+ {
+ TShock.Log.ConsoleDebug("Bouncer / OnFoodPlatterTryPlacing rejected tile placement valid from {0}", args.Player.Name);
+ args.Handled = true;
+ return;
+ }
+
if ((args.Player.SelectedItem.type != args.ItemID && args.Player.ItemInHand.type != args.ItemID))
{
TShock.Log.ConsoleDebug("Bouncer / OnFoodPlatterTryPlacing rejected item not placed by hand from {0}", args.Player.Name);
diff --git a/TShockAPI/Handlers/SendTileRectHandler.cs b/TShockAPI/Handlers/SendTileRectHandler.cs
index b3955618..b5c0bafd 100644
--- a/TShockAPI/Handlers/SendTileRectHandler.cs
+++ b/TShockAPI/Handlers/SendTileRectHandler.cs
@@ -85,7 +85,7 @@ namespace TShockAPI.Handlers
// At this point we should send our state back to the client so they remain in sync with the server
if (args.Handled == true)
{
- args.Player.SendTileRect(args.TileX, args.TileY, args.Width, args.Length);
+ TSPlayer.All.SendTileRect(args.TileX, args.TileY, args.Width, args.Length);
TShock.Log.ConsoleDebug("Bouncer / SendTileRect reimplemented from carbonara from {0}", args.Player.Name);
}
}
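Review bot: Switching to `TSPlayer.All.SendTileRect` means one client's packet now triggers a send to every connected player, using the `args.TileX`, `args.TileY`, `args.Width` and `args.Length` values taken from that packet. The hunk does not show whether those values are bounds-checked earlier in the method, or whether rejection paths also set `args.Handled`. If they do, a rejected packet would be broadcast to everyone instead of only resyncing the sender, so it is worth confirming that only the accepted path reaches this branch. The comment above the `if` still says the state is sent "back to the client"; it should become something like `// Send our state to every client so all players stay in sync with the server`. The method starts outside this hunk.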
diff --git a/TShockAPI/Properties/AssemblyInfo.cs b/TShockAPI/Properties/AssemblyInfo.cs
index 819058cb..28c98cd4 100644
--- a/TShockAPI/Properties/AssemblyInfo.cs
+++ b/TShockAPI/Properties/AssemblyInfo.cs
@@ -53,5 +53,5 @@ using System.Runtime.InteropServices;
// Also, be sure to release on github with the exact assembly version tag as below
// so that the update manager works correctly (via the Github releases api and mimic)
-[assembly: AssemblyVersion("4.5.4")]
-[assembly: AssemblyFileVersion("4.5.4")]
+[assembly: AssemblyVersion("4.5.5")]
+[assembly: AssemblyFileVersion("4.5.5")]
diff --git a/TShockAPI/TShock.cs b/TShockAPI/TShock.cs
index c743a7d7..5a874e55 100644
--- a/TShockAPI/TShock.cs
+++ b/TShockAPI/TShock.cs
@@ -58,7 +58,7 @@ namespace TShockAPI
/// VersionNum - The version number the TerrariaAPI will return back to the API. We just use the Assembly info.
public static readonly Version VersionNum = Assembly.GetExecutingAssembly().GetName().Version;
/// VersionCodename - The version codename is displayed when the server starts. Inspired by software codenames conventions.
- public static readonly string VersionCodename = "Blood Moon edition";
+ public static readonly string VersionCodename = "Olympics maybe?";
/// SavePath - This is the path TShock saves its data in. This path is relative to the TerrariaServer.exe (not in ServerPlugins).
public static string SavePath = "tshock";