From d35934b3a2c0e89af2f19f75e622049e5ac9f23b Mon Sep 17 00:00:00 2001 From: ohayo Date: Thu, 30 Jan 2025 22:46:13 +1000 Subject: [PATCH 1/4] Check for bans on connection as well as join, etc Should prevent people from being able to bypass this. --- TShockAPI/TShock.cs | 2 ++ docs/changelog.md | 1 + 2 files changed, 3 insertions(+) diff --git a/TShockAPI/TShock.cs b/TShockAPI/TShock.cs index 365c531d5..6955efdd6 100644 --- a/TShockAPI/TShock.cs +++ b/TShockAPI/TShock.cs @@ -1376,6 +1376,8 @@ private void OnConnect(ConnectEventArgs args) } } } + + Bans.CheckBan(player); Players[args.Who] = player; } diff --git a/docs/changelog.md b/docs/changelog.md index 490a6b0af..910696cee 100644 --- a/docs/changelog.md +++ b/docs/changelog.md @@ -78,6 +78,7 @@ Use past tense when adding new entries; sign your name off when you add or chang * If there is no section called "Upcoming changes" below this line, please add one with `## Upcoming changes` as the first line, and then a bulleted item directly after with the first change. --> ## Upcoming changes +* Fixed a security issue with how bans are handled on join. (@ohayo) * Fixed `/dump-reference-data` mutate the command names. (#2943, @sgkoishi) * Added `ParryDamageBuff` (Striking Moment with Brand of the Inferno and shield) for player, updated `CursedInferno` buff for NPC (@sgkoishi, #3005) * Changed the use of `Player.active` to `TSPlayer.Active` for consistency. (@sgkoishi, #2939) From 53789b40e4bd1211fa564d05f135226af95912b9 Mon Sep 17 00:00:00 2001 
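Review bot: The result of the added `Bans.CheckBan(player)` call in OnConnect is discarded, so execution falls through to `Players[args.Who] = player;` even when the check matched a ban. A later patch in this series tests the same call in OnJoin as `if (Bans.CheckBan(player))`, which suggests it reports a match to the caller. I would stop on a match, for example `if (Bans.CheckBan(player)) { args.Handled = true; return; }`, so a banned connection is never registered in the player table. Whether `Handled` is the right signal for the connect event needs confirming against the rest of OnConnect, which starts outside the hunk. A comment stating which ban identifiers are known at connect time would also help, since presumably only the address is available before the client has sent its player info.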
From: ohayo Date: Fri, 31 Jan 2025 09:17:26 +1000 Subject: [PATCH 2/4] Prevent further things from clients who dont handshake - The player will only finish the handshake once they spawn their player, a normal client would always do this eventually. - They cannot chat, even if they request world data but just not spawn their player. - Other clients will not be notified of their join/leave in both cases (dont request WD or do but dont spawn) - And most importantly, they do not show on the in game player list but still show on the server console /playing cmd. --- TShockAPI/Commands.cs | 2 +- TShockAPI/GetDataHandlers.cs | 3 +++ TShockAPI/TSPlayer.cs | 3 +++ TShockAPI/TShock.cs | 18 ++++++++++++++---- TShockAPI/Utils.cs | 2 +- 5 files changed, 22 insertions(+), 6 deletions(-) diff --git a/TShockAPI/Commands.cs b/TShockAPI/Commands.cs index f7d3247a5..d82f10e29 100644 --- a/TShockAPI/Commands.cs +++ b/TShockAPI/Commands.cs @@ -5363,7 +5363,7 @@ private static void ListConnectedPlayers(CommandArgs args) foreach (TSPlayer ply in TShock.Players) { - if (ply != null && ply.Active) + if (ply != null && ply.Active && ply.FinishedHandshake) { if (displayIdsRequested) if (ply.Account != null) diff --git a/TShockAPI/GetDataHandlers.cs b/TShockAPI/GetDataHandlers.cs index b736a5123..8f70fd2ca 100644 --- a/TShockAPI/GetDataHandlers.cs +++ b/TShockAPI/GetDataHandlers.cs @@ -2726,6 +2726,8 @@ private static bool HandleSpawn(GetDataHandlerArgs args) short numberOfDeathsPVP = args.Data.ReadInt16(); PlayerSpawnContext context = (PlayerSpawnContext)args.Data.ReadByte(); + args.Player.FinishedHandshake = true; + if (OnPlayerSpawn(args.Player, args.Data, player, spawnx, spawny, respawnTimer, numberOfDeathsPVE, numberOfDeathsPVP, context)) return true; @@ -2762,6 +2764,7 @@ private static bool HandleSpawn(GetDataHandlerArgs args) args.Player.Dead = true; else args.Player.Dead = false; + return false; } 
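Review bot: Adding `ply.FinishedHandshake` to the filter in ListConnectedPlayers hides connections that never spawn from whoever runs the command, and nothing visible in this hunk exempts the server console, although the commit message can be read as saying those clients still show there. Connections that hold a slot without spawning are the ones an operator most needs to see. I would keep them listed for the console, marked as pending, and add a comment on the condition such as `// Clients that have not spawned are hidden from in-game callers only.` The method body continues outside the hunk, so an exemption may already exist elsewhere.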
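Review bot: `args.Player.FinishedHandshake = true;` in HandleSpawn is set as soon as the spawn packet's fields are read, before `OnPlayerSpawn` has had the chance to reject the packet and without any visible check that the earlier connection stages were completed. As written, one spawn packet is enough to unlock chat and the join broadcast, whatever the hook decides. I would move the assignment below the `if (OnPlayerSpawn(...)) return true;` line, unless plugins are expected to handle spawn for legitimate clients, and require the expected connection state first if it is available here. The field's doc comment in TSPlayer.cs describes it as covering Request World Data as well, which this code does not check, so either the comment or the condition should change. HandleSpawn starts and ends outside the hunk, so an earlier guard may already exist.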
diff --git a/TShockAPI/TSPlayer.cs b/TShockAPI/TSPlayer.cs index c9194c368..cb66649a6 100644 --- a/TShockAPI/TSPlayer.cs +++ b/TShockAPI/TSPlayer.cs @@ -351,6 +351,9 @@ public int RespawnTimer /// Determines if the player is disabled for not clearing their trash. A re-login is the only way to reset this. public bool IsDisabledPendingTrashRemoval; + /// Determines if the player has finished the handshake (Sent all necessary packets for connection, such as Request World Data, Spawn Player, etc). A normal client would do all of this no problem. + public bool FinishedHandshake = false; + /// Checks to see if active throttling is happening on events by Bouncer. Rejects repeated events by malicious clients in a short window. /// If the player is currently being throttled by Bouncer, or not. public bool IsBouncerThrottled() diff --git a/TShockAPI/TShock.cs b/TShockAPI/TShock.cs index 6955efdd6..ae9738ccd 100644 --- a/TShockAPI/TShock.cs +++ b/TShockAPI/TShock.cs @@ -1399,7 +1399,8 @@ private void OnJoin(JoinEventArgs args) return; } - Bans.CheckBan(player); + if (Bans.CheckBan(player)) + return; } /// OnLeave - Called when a player leaves the server. @@ -1439,7 +1440,7 @@ private void OnLeave(LeaveEventArgs args) if (tsplr.ReceivedInfo) { - if (!tsplr.SilentKickInProgress && tsplr.State >= 3) + if (!tsplr.SilentKickInProgress && tsplr.State >= 3 && tsplr.FinishedHandshake) //The player has left, do not broadcast any clients exploiting the behaviour of not spawning their player. Utils.Broadcast(GetString("{0} has left.", tsplr.Name), Color.Yellow); Log.Info(GetString("{0} disconnected.", tsplr.Name)); @@ -1460,6 +1461,9 @@ private void OnLeave(LeaveEventArgs args) } } + + tsplr.FinishedHandshake = false; + // Fire the OnPlayerLogout hook too, if the player was logged in and they have a TSPlayer object. if (tsplr.IsLoggedIn) { 
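Review bot: The new `if (Bans.CheckBan(player)) return;` in OnJoin is the last statement before the method's closing brace in this hunk, so the early return does not change what runs. If the intent is to stop further processing of the join for a banned player, the event needs to be marked handled, e.g. `if (Bans.CheckBan(player)) { args.Handled = true; return; }`. I am assuming JoinEventArgs carries the same `Handled` flag that OnChat sets on its `args`; OnJoin starts outside the hunk, so this should be confirmed there.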
@@ -1489,6 +1493,12 @@ private void OnChat(ServerChatEventArgs args) return; } + if (!tsplr.FinishedHandshake) + { + args.Handled = true; + return; + } + if (args.Text.Length > 500) { tsplr.Kick(GetString("Crash attempt via long chat packet."), true); @@ -1705,14 +1715,14 @@ private void OnGreetPlayer(GreetPlayerEventArgs args) Log.Info(GetString("{0} ({1}) from '{2}' group from '{3}' joined. ({4}/{5})", player.Name, player.IP, player.Group.Name, player.Country, TShock.Utils.GetActivePlayerCount(), TShock.Config.Settings.MaxSlots)); - if (!player.SilentJoinInProgress) + if (!player.SilentJoinInProgress && player.FinishedHandshake) Utils.Broadcast(GetString("{0} ({1}) has joined.", player.Name, player.Country), Color.Yellow); } else { Log.Info(GetString("{0} ({1}) from '{2}' group joined. ({3}/{4})", player.Name, player.IP, player.Group.Name, TShock.Utils.GetActivePlayerCount(), TShock.Config.Settings.MaxSlots)); - if (!player.SilentJoinInProgress) + if (!player.SilentJoinInProgress && player.FinishedHandshake) Utils.Broadcast(GetString("{0} has joined.", player.Name), Color.Yellow); } diff --git a/TShockAPI/Utils.cs b/TShockAPI/Utils.cs index 3b9c0286b..613e7a8a4 100644 --- a/TShockAPI/Utils.cs +++ b/TShockAPI/Utils.cs @@ -183,7 +183,7 @@ public void SendLogs(string log, Color color, TSPlayer excludedPlayer = null) /// The number of active players on the server. public int GetActivePlayerCount() { - return TShock.Players.Count(p => null != p && p.Active); + return TShock.Players.Count(p => null != p && p.Active && p.FinishedHandshake); } //Random should not be generated in a method From ed398430bc51b835a97fa7dec3b9f86375ae6587 Mon Sep 17 00:00:00 2001 From: ohayo Date: Fri, 31 Jan 2025 10:04:50 +1000 Subject: [PATCH 3/4] Update changelog.md --- docs/changelog.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/changelog.md b/docs/changelog.md index 910696cee..afcfc727e 100644 --- a/docs/changelog.md +++ b/docs/changelog.md 
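Review bot: The `!tsplr.FinishedHandshake` guard in OnChat sits above the `args.Text.Length > 500` check, so a client that has not spawned and sends an oversized chat packet is now dropped silently instead of being kicked with the "Crash attempt via long chat packet." message. Nothing is logged on the new path either, which leaves no trace of clients that chat before finishing the handshake. I would move this guard below the length check and record the drop at debug level with the player's IP, rate-limited so the log cannot be flooded. A comment on the guard would help as well, such as `// Chat from a client that has not spawned yet is dropped, not relayed.` OnChat starts and ends outside the hunk.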
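Review bot: With `p.FinishedHandshake` added to the predicate, GetActivePlayerCount no longer counts connections that are active but have not spawned. The caller visible in this diff uses it for the `({4}/{5})` figure next to `MaxSlots` in the join log. If the slot-limit check also calls it (not shown here), clients that connect and never spawn would occupy slots without counting toward the limit. I would keep this method counting every active connection for capacity decisions and add a separate count for display. At minimum the XML comment should state the distinction: `/// Counts only players that have finished the handshake; do not use for slot enforcement.`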
@@ -78,6 +78,7 @@ Use past tense when adding new entries; sign your name off when you add or chang * If there is no section called "Upcoming changes" below this line, please add one with `## Upcoming changes` as the first line, and then a bulleted item directly after with the first change. --> ## Upcoming changes +* Added a variable for handshake (True upon spawn player), clients no longer notify others of their presence and cant chat if this is never set to true. (@ohayo) * Fixed a security issue with how bans are handled on join. (@ohayo) * Fixed `/dump-reference-data` mutate the command names. (#2943, @sgkoishi) * Added `ParryDamageBuff` (Striking Moment with Brand of the Inferno and shield) for player, updated `CursedInferno` buff for NPC (@sgkoishi, #3005) From e4e28cb1b561dbf9a30eafd925c8fe93052e0aad Mon Sep 17 00:00:00 2001 From: Lucas Nicodemus Date: Sat, 1 Feb 2025 22:32:36 +0900 Subject: [PATCH 4/4] Version tick: 5.2.2 --- TShockAPI/TShock.cs | 2 +- TShockAPI/TShockAPI.csproj | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/TShockAPI/TShock.cs b/TShockAPI/TShock.cs index ae9738ccd..e984da2f3 100644 --- a/TShockAPI/TShock.cs +++ b/TShockAPI/TShock.cs @@ -63,7 +63,7 @@ public class TShock : TerrariaPlugin /// VersionNum - The version number the TerrariaAPI will return back to the API. We just use the Assembly info. public static readonly Version VersionNum = Assembly.GetExecutingAssembly().GetName().Version; /// VersionCodename - The version codename is displayed when the server starts. Inspired by software codenames conventions. - public static readonly string VersionCodename = "Intensity"; + public static readonly string VersionCodename = "East"; /// SavePath - This is the path TShock saves its data in. This path is relative to the TerrariaServer.exe (not in ServerPlugins). public static string SavePath = "tshock"; diff --git a/TShockAPI/TShockAPI.csproj b/TShockAPI/TShockAPI.csproj index 34df3c74c..88f616063 100644 
--- a/TShockAPI/TShockAPI.csproj +++ b/TShockAPI/TShockAPI.csproj @@ -18,7 +18,7 @@ Also, be sure to release on github with the exact assembly version tag as below so that the update manager works correctly (via the Github releases api and mimic) --> - 5.2.1 + 5.2.2 TShock for Terraria Pryaxis & TShock Contributors TShockAPI