This version of TShock includes a fix for GHSA-jq4j-v8pr-jv7j. For more information, see the advisory.
We are aware of at least three other security issues, but they are still in progress. At least one of those will be shipping in the near future.
Notable changes
- Changed the world autosave message so that it no longer warns of a "potential lag spike." (@hakusaro)
- Added `/slay` as an alias for `/kill` to be more consistent with other server mods. (@hakusaro)
- Added `/god` as an alias for `/godmode` to be more consistent with other server mods. (@hakusaro)
- Fixed ridiculous typo in `Amethyst Gemtree` text. (@hakusaro)
- Fixed `CTRL + C` / interactive console interrupt not safely shutting down the server. Now, interrupts will cause a safe shutdown (saving the world and disconnecting all players before fully shutting down). Previously, interrupts caused an unsafe shutdown (not saving the world). (@hakusaro)
- Changed "success message" color to `Color.LimeGreen` instead of `Color.Green`. `Color.Green` looks ugly. `Color.LimeGreen` looks less ugly but isn't as offensively bright as pure green. (@hakusaro)
- Changed the default respawn timer to 10 seconds, so as to not desynchronize from the game by default. (@hakusaro)
- Fixed `/home` allowing players to bypass the respawn timer. (@hakusaro, @moisterrific, @Arthri)
- Added the config option `SuppressPermissionFailureNotices`. When set to `true`, the server will not send warning messages to players when they fail a build permission check from `TSPlayer.HasBuildPermission` (even if `shouldWarnPlayer` is set to true). (@hakusaro)
- Fixed `/warp send` failing a nullcheck if the warp didn't exist. The previous behavior may have always been buggy or broken. In other words, sending someone to a warp that doesn't exist should result in a nicer error. (@hakusaro, @punchready)
- Fixed `/group del` allowing server operators to delete the default group that guests are put into. This is a really critical group and the server doesn't behave correctly when it happens. As a result, it's better to prevent this from happening than not. Additionally, `GroupManagerException`s will be thrown if this is attempted programmatically. Finally, if the exception is thrown in response to `/group del` (or if any other exception is thrown that the command handler can handle), the stack trace will no longer be present. Fixes #2165. (@hakusaro, @DeveloperLuxo, @Rozen4334, @moisterrific, @bartico6, @Quinci135)
- Removed the old `ConfigFile` class. If you are updating a plugin, you should use `TShock.Config.Settings` instead of the accessor you were using. This is typically a really easy change. For most plugin authors, updating to the new config format is as simple as changing the reference to the old static config to point to the new location. If you were using this for your own configs, you should swap to using an `IConfigFile` (see `TShockAPI.Configuration.ConfigFile`). (@hakusaro, @bartico6)
- Added `Main.worldPathName` to `/worldinfo` command. Now, if you need to see what the location on disk for your world file is, you can simply run `/worldinfo` to find out. This is particularly helpful on Linux and macOS, where the world path isn't obvious. (@hakusaro)
- Corrected rejection message in LandGolfBallInCupHandler to output the proper expected player id. (@drunderscore)
- Clarified the error message that the console is presented if a rate-limit is reached over REST to indicate that "tokens" actually refers to rate-limit tokens, and not auth tokens, and added a hint as to what config setting determines this. (@hakusaro, @patsore)
- Fixed an issue where, when the console was redirected, input was disabled and commands didn't work, in TSAPI. You can now pass `-disable-commands` to disable the input thread, but by default, it will be enabled. Fixes #1450. (@DeathCradle, @QuiCM)
- Added `summonboss` permission check for Prismatic Lacewing. Players who do not have said permission will be unable to kill this critter, as it will summon the Empress of Light. Also added support for the `AnonymousBossInvasions` config option, if this is set to `false` it will now broadcast the name of the player who summoned her. (@moisterrific)
- Added `ForceTime` config setting check for Enchanted Sundial usage. If `ForceTime` is set to anything other than `normal`, Sundial use will be rejected as this would lead to very janky game behavior. Additionally, players with `cfgreload` permission will be advised to change it back to `normal` in order to use sundial. (@moisterrific, @bartico6)
- Added `%onlineplayers%` and `%serverslots%` placeholders for MOTD. The default MOTD message was also updated to use this. (@moisterrific, @bartico6)
- Fixed Bouncer inconsistently using `TilePlacementValid` when validating tile coordinates, which could cause a DoS attack due to unexpectedly large world framing. The list below shows the corrected methods within Bouncer. This was assigned GHSA-jq4j-v8pr-jv7j. (@drunderscore)
  - `OnTileEdit`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
  - `OnPlaceObject`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
  - `OnPlaceTileEntity`: The check was newly added.
  - `OnPlaceItemFrame`: The check was newly added.
  - `OnFoodPlatterTryPlacing`: The check was newly added.
Updating
To update TShock, simply replace all of the files in your server folder with those from the release folder.