From a26ad7dce0314c65c047139b9a32411f48162093 Mon Sep 17 00:00:00 2001
From: Stealownz
Date: Sun, 4 Jul 2021 17:15:13 +0800
Subject: [PATCH 1/7] Fix SendTileRectHandler not sending tile rect updates to everyone else Fixes #2386
---
 CHANGELOG.md | 1 +
 TShockAPI/Handlers/SendTileRectHandler.cs | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 85d31e64..cbfb3a12 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,6 +29,7 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin
 * Correct rejection message in LandGolfBallInCupHandler to output the proper expected player id. (@drunderscore)
 * Clarified the error mesage that the console is presented if a rate-limit is reached over REST to indicate that "tokens" actually refers to rate-limit tokens, and not auth tokens, and added a hint as to what config setting determines this. (@hakusaro, @patsore)
 * Fixed an issue where, when the console was redirected, input was disabled and commands didn't work, in TSAPI. You can now pass `-disable-commands` to disable the input thread, but by default, it will be enabled. Fixes [#1450](https://github.com/Pryaxis/TShock/issues/1450). (@DeathCradle, @QuiCM)
+* Fixed SendTileRectHandler not sending tile rect updates like Pylons/Mannequins to other clients. (@Stealownz)
 ## TShock 4.5.4
 * Fixed ridiculous typo in `GetDataHandlers` which caused TShock to read the wrong field in the packet for `usingBiomeTorches`. (@hakusaro, @Arthri)
diff --git a/TShockAPI/Handlers/SendTileRectHandler.cs b/TShockAPI/Handlers/SendTileRectHandler.cs
index b3955618..b5c0bafd 100644
--- a/TShockAPI/Handlers/SendTileRectHandler.cs
+++ b/TShockAPI/Handlers/SendTileRectHandler.cs
@@ -85,7 +85,7 @@ namespace TShockAPI.Handlers
 // At this point we should send our state back to the client so they remain in sync with the server
 if (args.Handled == true)
 {
- args.Player.SendTileRect(args.TileX, args.TileY, args.Width, args.Length);
+ TSPlayer.All.SendTileRect(args.TileX, args.TileY, args.Width, args.Length);
 TShock.Log.ConsoleDebug("Bouncer / SendTileRect reimplemented from carbonara from {0}", args.Player.Name);
 }
 }
From ef603f61a860df671074025624f4e92bb13adb3a Mon Sep 17 00:00:00 2001
From: James Puleo
Date: Fri, 9 Jul 2021 17:27:41 -0400
Subject: [PATCH 2/7] Consistently use `TilePlacementValid` and `SendTileSquare` in Bouncer. There are 3 different ways Bouncer uses these: - Not checking `TilePlacementValid` at all. - Checking `TilePlacementValid`, rejecting, but then doing a `SendTileSquare` to that player. - Checking `TilePlacementValid`, rejecting. _(this is what we should always be doing)_ Not checking `TilePlacementValid` can allow for placement outside of the world (unknown results), and checking `TilePlacementValid` and sending a `SendTileSquare` on rejection causes the server to try to frame that square. In the case of invalid coordinates (negative), framing takes much longer than expected.
---
 CHANGELOG.md | 1 +
 TShockAPI/Bouncer.cs | 51 ++++++++++++++++++++++++++++++--------------
 2 files changed, 36 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 85d31e64..9a3902b4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
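Review bot: The comment directly above the changed call still says the state is sent "back to the client", but `TSPlayer.All.SendTileRect(...)` now sends the rectangle to every connected player, so the comment no longer describes the code; something like `// Broadcast the server's tile state for this rect so every client stays in sync, not only the sender` would match. Because one inbound packet now produces one outbound rect per connected player, it is worth confirming that `args.Width` and `args.Length` are bounded and that `args.Handled` is not also set on plain rejection paths earlier in the handler, which are outside this hunk; if either does not hold, a single client could trigger repeated broadcasts of large rects to everyone. The enclosing method starts above the hunk.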
@@ -29,6 +29,7 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin * Correct rejection message in LandGolfBallInCupHandler to output the proper expected player id. (@drunderscore) * Clarified the error mesage that the console is presented if a rate-limit is reached over REST to indicate that "tokens" actually refers to rate-limit tokens, and not auth tokens, and added a hint as to what config setting determines this. (@hakusaro, @patsore) * Fixed an issue where, when the console was redirected, input was disabled and commands didn't work, in TSAPI. You can now pass `-disable-commands` to disable the input thread, but by default, it will be enabled. Fixes [#1450](https://github.com/Pryaxis/TShock/issues/1450). (@DeathCradle, @QuiCM) +* Properly sanitize packet tile coordinates that coulbe used to DoS attack a server. This was assigned [GHSA-jq4j-v8pr-jv7j](https://github.com/Pryaxis/TShock/security/advisories/GHSA-jq4j-v8pr-jv7j). (@drunderscore) ## TShock 4.5.4 * Fixed ridiculous typo in `GetDataHandlers` which caused TShock to read the wrong field in the packet for `usingBiomeTorches`. (@hakusaro, @Arthri) diff --git a/TShockAPI/Bouncer.cs b/TShockAPI/Bouncer.cs index 42cc6cd1..60737a7f 100644 --- a/TShockAPI/Bouncer.cs +++ b/TShockAPI/Bouncer.cs @@ -260,6 +260,13 @@ namespace TShockAPI try { + if (!TShock.Utils.TilePlacementValid(tileX, tileY)) + { + TShock.Log.ConsoleDebug("Bouncer / OnTileEdit rejected from (tile placement valid) {0} {1} {2}", args.Player.Name, action, editData); + args.Handled = true; + return; + } + if (editData < 0 || ((action == EditAction.PlaceTile || action == EditAction.ReplaceTile) && editData >= Main.maxTileSets) || ((action == EditAction.PlaceWall || action == EditAction.ReplaceWall) && editData >= Main.maxWallTypes)) 
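Review bot: The new out-of-world rejection in OnTileEdit logs the player name, `action` and `editData` but not `tileX`/`tileY`, which are the values that failed the check and the ones an operator needs when investigating a malformed packet; consider `"Bouncer / OnTileEdit rejected from (tile placement valid) {0} {1} {2} at ({3}, {4})"` with `tileX, tileY` appended to the arguments. The same applies to the matching guards added in OnPlaceObject, OnPlaceTileEntity, OnPlaceItemFrame and OnFoodPlatterTryPlacing later in this patch, which log only the player name. These rejections also go only through `ConsoleDebug`, so if debug output is disabled on a server (not visible here, worth confirming) repeated invalid coordinates from one player would leave no trace in the logs. The try block and the method continue outside the hunk.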
@@ -270,14 +277,6 @@ namespace TShockAPI return; } - if (!TShock.Utils.TilePlacementValid(tileX, tileY)) - { - TShock.Log.ConsoleDebug("Bouncer / OnTileEdit rejected from (tile placement valid) {0} {1} {2}", args.Player.Name, action, editData); - args.Player.SendTileSquare(tileX, tileY, 1); - args.Handled = true; - return; - } - if (action == EditAction.KillTile && Main.tile[tileX, tileY].type == TileID.MagicalIceBlock) { TShock.Log.ConsoleDebug("Bouncer / OnTileEdit super accepted from (ice block) {0} {1} {2}", args.Player.Name, action, editData); @@ -1654,6 +1653,13 @@ namespace TShockAPI short type = args.Type; short style = args.Style; + if (!TShock.Utils.TilePlacementValid(x, y)) + { + TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected valid placements from {0}", args.Player.Name); + args.Handled = true; + return; + } + if (type < 0 || type >= Main.maxTileSets) { TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected out of bounds tile from {0}", args.Player.Name); @@ -1702,14 +1708,6 @@ namespace TShockAPI return; } - if (!TShock.Utils.TilePlacementValid(x, y)) - { - TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected valid placements from {0}", args.Player.Name); - args.Player.SendTileSquare(x, y, 1); - args.Handled = true; - return; - } - if (args.Player.Dead && TShock.Config.Settings.PreventDeadModification) { TShock.Log.ConsoleDebug("Bouncer / OnPlaceObject rejected dead people don't do things from {0}", args.Player.Name); 
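Review bot: In OnPlaceObject the added guard validates only the packet's anchor tile `(x, y)`, while a placed object can cover several tiles around that anchor; if code later in this method (outside the hunk) derives a footprint from `type` and `style`, an anchor next to the world edge could still produce out-of-range tiles, so the footprint corners deserve the same `TilePlacementValid` check once they are computed. Separately, the log text `rejected valid placements` reads as the opposite of what happened; `rejected tile placement valid`, the wording used by the other handlers in this patch, would be consistent.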
@@ -1801,6 +1799,13 @@ namespace TShockAPI /// The packet arguments that the event has. internal void OnPlaceTileEntity(object sender, GetDataHandlers.PlaceTileEntityEventArgs args) { + if (!TShock.Utils.TilePlacementValid(args.X, args.Y)) + { + TShock.Log.ConsoleDebug("Bouncer / OnPlaceTileEntity rejected tile placement valid from {0}", args.Player.Name); + args.Handled = true; + return; + } + if (args.Player.IsBeingDisabled()) { TShock.Log.ConsoleDebug("Bouncer / OnPlaceTileEntity rejected disabled from {0}", args.Player.Name); @@ -1828,6 +1833,13 @@ namespace TShockAPI /// The packet arguments that the event has. internal void OnPlaceItemFrame(object sender, GetDataHandlers.PlaceItemFrameEventArgs args) { + if (!TShock.Utils.TilePlacementValid(args.X, args.Y)) + { + TShock.Log.ConsoleDebug("Bouncer / OnPlaceItemFrame rejected tile placement valid from {0}", args.Player.Name); + args.Handled = true; + return; + } + if (args.Player.IsBeingDisabled()) { TShock.Log.ConsoleDebug("Bouncer / OnPlaceItemFrame rejected disabled from {0}", args.Player.Name); @@ -2129,6 +2141,13 @@ namespace TShockAPI /// internal void OnFoodPlatterTryPlacing(object sender, GetDataHandlers.FoodPlatterTryPlacingEventArgs args) { + if (!TShock.Utils.TilePlacementValid(args.TileX, args.TileY)) + { + TShock.Log.ConsoleDebug("Bouncer / OnFoodPlatterTryPlacing rejected tile placement valid from {0}", args.Player.Name); + args.Handled = true; + return; + } + if ((args.Player.SelectedItem.type != args.ItemID && args.Player.ItemInHand.type != args.ItemID)) { TShock.Log.ConsoleDebug("Bouncer / OnFoodPlatterTryPlacing rejected item not placed by hand from {0}", args.Player.Name); From 6ad57ba51710a99e86166c8e934a0c8f9a19d9e5 Mon Sep 17 00:00:00 2001 From: Lucas Nicodemus Date: Wed, 21 Jul 2021 18:14:46 -0700 Subject: [PATCH 3/7] Fix changelog typos --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a3902b4..3ca714dc 100644 
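Review bot: The same six-line guard is now pasted at the top of OnPlaceTileEntity, OnPlaceItemFrame and OnFoodPlatterTryPlacing (and in OnTileEdit and OnPlaceObject earlier in this patch), differing only in the handler name and the coordinate fields. Since the purpose of the commit is to make this check consistent, a single private helper would keep future handlers from drifting apart again and gives one place to log the rejected coordinates; the helper name below is only a suggestion, and it assumes `args.Player` is a `TSPlayer`. Each handler body continues outside its hunk.

```csharp
// Proposed helper (name is a suggestion): the one place that decides and logs out-of-world rejections.
private static bool IsOutsideWorld(TSPlayer player, int x, int y, string handler)
{
    if (TShock.Utils.TilePlacementValid(x, y))
    {
        return false;
    }

    TShock.Log.ConsoleDebug("Bouncer / {0} rejected tile placement valid from {1} at ({2}, {3})", handler, player.Name, x, y);
    return true;
}

internal void OnPlaceTileEntity(object sender, GetDataHandlers.PlaceTileEntityEventArgs args)
{
    if (IsOutsideWorld(args.Player, args.X, args.Y, nameof(OnPlaceTileEntity)))
    {
        args.Handled = true;
        return;
    }
    // … unchanged: IsBeingDisabled and the remaining checks …
```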
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,7 +29,7 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin
 * Correct rejection message in LandGolfBallInCupHandler to output the proper expected player id. (@drunderscore)
 * Clarified the error mesage that the console is presented if a rate-limit is reached over REST to indicate that "tokens" actually refers to rate-limit tokens, and not auth tokens, and added a hint as to what config setting determines this. (@hakusaro, @patsore)
 * Fixed an issue where, when the console was redirected, input was disabled and commands didn't work, in TSAPI. You can now pass `-disable-commands` to disable the input thread, but by default, it will be enabled. Fixes [#1450](https://github.com/Pryaxis/TShock/issues/1450). (@DeathCradle, @QuiCM)
-* Properly sanitize packet tile coordinates that coulbe used to DoS attack a server. This was assigned [GHSA-jq4j-v8pr-jv7j](https://github.com/Pryaxis/TShock/security/advisories/GHSA-jq4j-v8pr-jv7j). (@drunderscore)
+* Properly sanitized packet tile coordinates that could be used to DoS attack a server. This was assigned [GHSA-jq4j-v8pr-jv7j](https://github.com/Pryaxis/TShock/security/advisories/GHSA-jq4j-v8pr-jv7j). (@drunderscore)
 ## TShock 4.5.4
 * Fixed ridiculous typo in `GetDataHandlers` which caused TShock to read the wrong field in the packet for `usingBiomeTorches`. (@hakusaro, @Arthri)
From 853715cfa7b922de5fec2c014df0dfb45aef8ce8 Mon Sep 17 00:00:00 2001
From: James Puleo
Date: Wed, 21 Jul 2021 21:40:44 -0400
Subject: [PATCH 4/7] Update changelog to be _much_ more verbose about GHSA-jq4j-v8pr-jv7j
---
 CHANGELOG.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3ca714dc..35b3788e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -29,7 +29,12 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin
 * Correct rejection message in LandGolfBallInCupHandler to output the proper expected player id. (@drunderscore)
 * Clarified the error mesage that the console is presented if a rate-limit is reached over REST to indicate that "tokens" actually refers to rate-limit tokens, and not auth tokens, and added a hint as to what config setting determines this. (@hakusaro, @patsore)
 * Fixed an issue where, when the console was redirected, input was disabled and commands didn't work, in TSAPI. You can now pass `-disable-commands` to disable the input thread, but by default, it will be enabled. Fixes [#1450](https://github.com/Pryaxis/TShock/issues/1450). (@DeathCradle, @QuiCM)
-* Properly sanitized packet tile coordinates that could be used to DoS attack a server. This was assigned [GHSA-jq4j-v8pr-jv7j](https://github.com/Pryaxis/TShock/security/advisories/GHSA-jq4j-v8pr-jv7j). (@drunderscore)
+* Fixed Bouncer inconsistently using `TilePlacementValid` when validating tile coordinates, which could cause a DoS attack due to unexpectedly large world framing. The list below shows the corrected methods within Bouncer. This was assigned [GHSA-jq4j-v8pr-jv7j](https://github.com/Pryaxis/Plugins/security/advisories/GHSA-jq4j-v8pr-jv7j). (@drunderscore)
+ * `OnTileEdit`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
+ * `OnPlaceObject`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
+ * `OnPlaceTileEntity`: The check was newly added.
+ * `OnPlaceItemFrame`: The check was newly added.
+ * `OnFoodPlatterTryPlacing`: The check was newly added.
 ## TShock 4.5.4
 * Fixed ridiculous typo in `GetDataHandlers` which caused TShock to read the wrong field in the packet for `usingBiomeTorches`. (@hakusaro, @Arthri)
From 87d5b769c78a8d514af4c45bccd78fc01935af2b Mon Sep 17 00:00:00 2001
From: Lucas Nicodemus
Date: Wed, 21 Jul 2021 18:46:01 -0700
Subject: [PATCH 5/7] Version tick: 4.5.5
---
 CHANGELOG.md | 3 +++
 TShockAPI/Properties/AssemblyInfo.cs | 4 ++--
 TShockAPI/TShock.cs | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5ccb7a06..4399f2f9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,9 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin
 * If there is no section called "Upcoming changes" below this line, please add one with `## Upcoming changes` as the first line, and then a bulleted item directly after with the first change.
 ## Upcoming changes
+* This could be you!
+
+## TShock 4.5.5
 * Changed the world autosave message so that it no longer warns of a "potential lag spike." (@hakusaro)
 * Added `/slay` as an alias for `/kill` to be more consistent with other server mods. (@hakusaro)
 * Added `/god` as an alias for `/godmode` to be more consistent with other server mods. (@hakusaro)
diff --git a/TShockAPI/Properties/AssemblyInfo.cs b/TShockAPI/Properties/AssemblyInfo.cs
index 819058cb..28c98cd4 100644
--- a/TShockAPI/Properties/AssemblyInfo.cs
+++ b/TShockAPI/Properties/AssemblyInfo.cs
@@ -53,5 +53,5 @@ using System.Runtime.InteropServices;
 // Also, be sure to release on github with the exact assembly version tag as below // so that the update manager works correctly (via the Github releases api and mimic)
-[assembly: AssemblyVersion("4.5.4")]
-[assembly: AssemblyFileVersion("4.5.4")]
+[assembly: AssemblyVersion("4.5.5")]
+[assembly: AssemblyFileVersion("4.5.5")]
diff --git a/TShockAPI/TShock.cs b/TShockAPI/TShock.cs
index ed74b882..2114b469 100644
--- a/TShockAPI/TShock.cs
+++ b/TShockAPI/TShock.cs
@@ -58,7 +58,7 @@ namespace TShockAPI
 /// VersionNum - The version number the TerrariaAPI will return back to the API. We just use the Assembly info.
 public static readonly Version VersionNum = Assembly.GetExecutingAssembly().GetName().Version;
 /// VersionCodename - The version codename is displayed when the server starts. Inspired by software codenames conventions.
- public static readonly string VersionCodename = "Blood Moon edition";
+ public static readonly string VersionCodename = "Olympics maybe?";
 /// SavePath - This is the path TShock saves its data in. This path is relative to the TerrariaServer.exe (not in ServerPlugins).
 public static string SavePath = "tshock";
From 59f7ea02455545b3820edb69bfbcdde834ab37d7 Mon Sep 17 00:00:00 2001
From: Lucas Nicodemus
Date: Wed, 21 Jul 2021 19:22:45 -0700
Subject: [PATCH 6/7] I'm seeing things
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4399f2f9..b1a5d203 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,7 +35,7 @@ This is the rolling changelog for TShock for Terraria. Use past tense when addin
 * Added `summonboss` permission check for Prismatic Lacewing. Players who do not have said permission will be unable to kill this critter, as it will summon the Empress of Light. Also added support for the `AnonymousBossInvasions` config option, if this is set to `false` it will now broadcast the name of the player who summoned her. (@moisterrific)
 * Added `ForceTime` config setting check for Enchanted Sundial usage. If `ForceTime` is set to anything other than `normal`, Sundial use will be rejected as this would lead to very janky game behavior. Additionally, players with `cfgreload` permission will be advised to change it back to `normal` in order to use sundial. (@moisterrific, @bartico6)
 * Added `%onlineplayers%` and `%serverslots%` placeholders for MOTD. The default MOTD message was also updated to use this. (@moisterrific, @bartico6)
-* Fixed Bouncer inconsistently using `TilePlacementValid` when validating tile coordinates, which could cause a DoS attack due to unexpectedly large world framing. The list below shows the corrected methods within Bouncer. This was assigned [GHSA-jq4j-v8pr-jv7j](https://github.com/Pryaxis/Plugins/security/advisories/GHSA-jq4j-v8pr-jv7j). (@drunderscore)
+* Fixed Bouncer inconsistently using `TilePlacementValid` when validating tile coordinates, which could cause a DoS attack due to unexpectedly large world framing. The list below shows the corrected methods within Bouncer. This was assigned [GHSA-jq4j-v8pr-jv7j](https://github.com/Pryaxis/TShock/security/advisories/GHSA-jq4j-v8pr-jv7j). (@drunderscore)
 * `OnTileEdit`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
 * `OnPlaceObject`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
 * `OnPlaceTileEntity`: The check was newly added.
From c71bcc02b94bfd2f28ffff0b40f262c89c80a731 Mon Sep 17 00:00:00 2001
From: Lucas Nicodemus Date: Sat, 24 Jul 2021 16:19:59 -0700 Subject: [PATCH 7/7] Update PR template changelog warning --- .github/PULL_REQUEST_TEMPLATE.md | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 4cf87d10..473130c4 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,19 +1,3 @@ -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? -?????? HAVE YOU UPDATED THE CHANGELOG? ?????? \ No newline at end of file +