This version of TShock stops loading two dangerous plugins. If your server has a dangerous plugin, it will warn you about that when you start it. Information about AutoRegister (versions 1.2.0.0 and prior) is available at GHSA-w3h6-j2gm-qf7q. We also have an updated policy for security reports.
Notable changes
- Fixed ridiculous typo in `GetDataHandlers` which caused TShock to read the wrong field in the packet for `usingBiomeTorches`. (@hakusaro, @Arthri)
- Fixed torchgod settings to include whether or not torchgod has been fought by the player before and respect `usingBiomeTorches` setting. (@Quinci135)
- Fixed /worldmode not synchronising data to players after updating the world state (@bartico6, @Arthri)
- Added `OnSendNetData` hook to TSAPI, which enables developers to intercept traffic being sent from the server to clients using the new NetPacket protocol. (@Stealownz)
- Fixed false positive `OnNPCAddBuff` detection when throwing rotten eggs at town NPCs while wearing Frost armor set. (@moisterrific)
- Moved the emoji player index check into a new class of handlers called `IllegalPerSe`, which is designed to help isolate parts of TShock and make it so that "protocol violations" are treated separately from heuristic based anti-cheat checks. (@hakusaro)
- Changed `TSPlayer.FindByNameOrID` so that it will continue searching for players and return a list of many players when ambiguous matches exist in all cases. Specifically, this avoids a scenario where a griefer names themselves `1` and is difficult to enact justice on, because their name will not be found by the matching system used to kick players. To help with ambiguity, this method now processes requests with prefixes `tsi:` and `tsn:`. `tsi:[number]` will process the search as looking for an exact player by ID. `tsn:` will process the search as looking for an exact name, case sensitive. In both cases, the system will return an exact result in the "old-style" result, i.e., a `List<TSPlayer>` with exactly one result. For example, `/kick tsid:1` will match the player with the ID `1`. `/kick tsn:1` will match the username `1`. In addition, players who attempt to join the server with the name prefixes `tsn:` and `tsi:` will be rejected for having invalid names. (@hakusaro, @onusai)
- Added warnings for conditions where a password is set at runtime but can be bypassed. The thinking is that if a user sets a password when they're booting the server, that's what they expect to be the password. The only thing is that sometimes, other config options can basically defeat this as a security feature. The goal is just to communicate more and make things clearer. The server also warns users when UUID login is enabled, because it can be confusing and insecure. (@hakusaro, @onusai)
- Fixed Torch God's Favor biome torch placement being rejected by the server. (@moisterrific)
- Changed backups created by the backup manager to use ISO8601-style timestamps. I say "style" because it's impossible to implement ISO8601 or RFC3389 dates in a filename on most modern filesystems. So instead of the proper ISO separators, we've got dashes and dots. (@hakusaro, change sponsored by @drunderscore)
- Added hook for `OnDoorUse` (`DoorUse`) and associated `DoorUseEventArgs` fired when a door is used. Also added `GetDataHandlers.DoorAction` enum for determining the action of a door. (@hakusaro)
- Disallowed loading of the AutoRegister plugin version 1.2.0 or lower. Versions of this plugin at or below 1.2.0 use low entropy material to create passwords. This effectively means that it's possible for any user to be easily impersonated on a server running AutoRegister by simply convincing a user to join a malicious server, even when UUID login is disabled. This was assigned GHSA-w3h6-j2gm-qf7q. (@hakusaro)
- Disallowed loading of another plugin due to security issue GHSA-qj59-99v9-3gww. Due to the importance of this issue and severity, information is not available in the changelog. Information will be available June 8th, 2021, at 12:00 MDT. (@hakusaro)
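
The lookup rules described in the `TSPlayer.FindByNameOrID` entry above, modelled as an added example; this is not TShock's own code. `Player`, `PlayerLookup`, `Find` and `IsNameAllowed` are hypothetical names, and the way an unprefixed search matches names (case-insensitive prefix) is an assumption made for the illustration.

```csharp
// Added illustration of the tsi:/tsn: lookup rules; not TShock source.
// Player, PlayerLookup, Find and IsNameAllowed are hypothetical names.
using System;
using System.Collections.Generic;
using System.Linq;

record Player(int Index, string Name);

static class PlayerLookup
{
    static readonly string[] Reserved = { "tsi:", "tsn:" };

    // Join-time check: a name starting with a lookup prefix is rejected,
    // so a prefixed search can never be shadowed by a player's name.
    public static bool IsNameAllowed(string name) =>
        !Reserved.Any(p => name.StartsWith(p, StringComparison.Ordinal));

    public static List<Player> Find(IReadOnlyList<Player> online, string search)
    {
        if (search.StartsWith("tsi:", StringComparison.Ordinal)) // exact ID, never a name
            return int.TryParse(search.Substring(4), out int id)
                ? online.Where(p => p.Index == id).Take(1).ToList()
                : new List<Player>();
        if (search.StartsWith("tsn:", StringComparison.Ordinal)) // exact case-sensitive name, never an ID
            return online.Where(p => p.Name == search.Substring(4)).Take(1).ToList();

        // Unprefixed: keep searching after an ID hit and return every candidate,
        // so the caller sees the ambiguity instead of silently picking one.
        var found = new List<Player>();
        if (int.TryParse(search, out int idx))
            found.AddRange(online.Where(p => p.Index == idx));
        // Assumption: unprefixed name matching is a case-insensitive prefix match.
        found.AddRange(online.Where(p => !found.Contains(p) &&
            p.Name.StartsWith(search, StringComparison.OrdinalIgnoreCase)));
        return found;
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample: the player in slot 4 has named themselves "1".
        var online = new List<Player> { new(1, "Alice"), new(4, "1"), new(7, "alice2") };
        foreach (var q in new[] { "1", "tsi:1", "tsn:1", "ali" })
            Console.WriteLine($"{q} -> {string.Join(", ", PlayerLookup.Find(online, q))}");
        Console.WriteLine(PlayerLookup.IsNameAllowed("tsn:Alice"));
    }
}
```

With the constructed player list, the bare search `1` returns both the player in slot 1 and the player named `1`, while each prefixed search returns exactly one player.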
Updating
To update TShock, simply replace all of the files in your server folder with those from the release folder.