Releases: Pryaxis/TShock
TShock 4.5.5
This version of TShock includes a fix for GHSA-jq4j-v8pr-jv7j. For more information, see the advisory.
We are aware of at least three other security issues, but they are still in-progress. At least one of those will be shipping in the near future.
Notable changes
- Changed the world autosave message so that it no longer warns of a "potential lag spike." (@hakusaro)
- Added `/slay` as an alias for `/kill` to be more consistent with other server mods. (@hakusaro)
- Added `/god` as an alias for `/godmode` to be more consistent with other server mods. (@hakusaro)
- Fixed ridiculous typo in `Amethyst Gemtree` text. (@hakusaro)
- Fixed `CTRL + C` / interactive console interrupt not safely shutting down the server. Now, interrupts will cause a safe shutdown (saving the world and disconnecting all players before fully shutting down). Previously, interrupts caused an unsafe shutdown (not saving the world). (@hakusaro)
- Changed "success message" color to `Color.LimeGreen` instead of `Color.Green`. `Color.Green` looks ugly. `Color.LimeGreen` looks less ugly but isn't as offensively bright as pure green. (@hakusaro)
- Changed the default respawn timer to 10 seconds, so as to not desynchronize from the game by default. (@hakusaro)
- Fixed `/home` allowing players to bypass the respawn timer. (@hakusaro, @moisterrific, @Arthri)
- Added the config option `SuppressPermissionFailureNotices`. When set to `true`, the server will not send warning messages to players when they fail a build permission check from `TSPlayer.HasBuildPermission` (even if `shouldWarnPlayer` is set to true). (@hakusaro)
- Fixed `/warp send` failing a nullcheck if the warp didn't exist. The previous behavior may have always been buggy or broken. In other words, sending someone to a warp that doesn't exist should result in a nicer error. (@hakusaro, @punchready)
- Fixed `/group del` allowing server operators to delete the default group that guests are put into. This is a really critical group and the server doesn't behave correctly when it happens. As a result, it's better to prevent this from happening than not. Additionally, `GroupManagerException`s will be thrown if this is attempted programmatically. Finally, if the exception is thrown in response to `/group del` (or if any other exception is thrown that the command handler can handle), the stack trace will no longer be present. Fixes #2165. (@hakusaro, @DeveloperLuxo, @Rozen4334, @moisterrific, @bartico6, @Quinci135)
- Removed the old `ConfigFile` class. If you are updating a plugin, you should use `TShock.Config.Settings` instead of the accessor you were using. This is typically a really easy change. For most plugin authors, updating to the new config format is as simple as changing the reference to the old static config to point to the new location. If you were using this for your own configs, you should swap to using an `IConfigFile` (see `TShockAPI.Configuration.ConfigFile`). (@hakusaro, @bartico6)
- Added `Main.worldPathName` to `/worldinfo` command. Now, if you need to see what the location on disk for your world file is, you can simply run `/worldinfo` to find out. This is particularly helpful on Linux and macOS, where the world path isn't obvious. (@hakusaro)
- Correct rejection message in LandGolfBallInCupHandler to output the proper expected player id. (@drunderscore)
- Clarified the error message presented to the console when a rate limit is reached over REST, to indicate that "tokens" actually refers to rate-limit tokens, and not auth tokens, and added a hint as to what config setting determines this. (@hakusaro, @patsore)
- Fixed an issue where, when the console was redirected, input was disabled and commands didn't work, in TSAPI. You can now pass `-disable-commands` to disable the input thread, but by default, it will be enabled. Fixes #1450. (@DeathCradle, @QuiCM)
- Added `summonboss` permission check for Prismatic Lacewing. Players who do not have said permission will be unable to kill this critter, as it will summon the Empress of Light. Also added support for the `AnonymousBossInvasions` config option, if this is set to `false` it will now broadcast the name of the player who summoned her. (@moisterrific)
- Added `ForceTime` config setting check for Enchanted Sundial usage. If `ForceTime` is set to anything other than `normal`, Sundial use will be rejected as this would lead to very janky game behavior. Additionally, players with `cfgreload` permission will be advised to change it back to `normal` in order to use sundial. (@moisterrific, @bartico6)
- Added `%onlineplayers%` and `%serverslots%` placeholders for MOTD. The default MOTD message was also updated to use this. (@moisterrific, @bartico6)
- Fixed Bouncer inconsistently using `TilePlacementValid` when validating tile coordinates, which could cause a DoS attack due to unexpectedly large world framing. The list below shows the corrected methods within Bouncer. This was assigned GHSA-jq4j-v8pr-jv7j. (@drunderscore)
  - `OnTileEdit`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
  - `OnPlaceObject`: The check was moved to be the first, and will no longer `SendTileSquare` upon failure.
  - `OnPlaceTileEntity`: The check was newly added.
  - `OnPlaceItemFrame`: The check was newly added.
  - `OnFoodPlatterTryPlacing`: The check was newly added.
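
The ordering described in the Bouncer entry above, as an added C# illustration that is not TShock's code: every coordinate-carrying handler passes through one wrapper, the coordinate check runs before any other rule, and an out-of-range packet is dropped without a resync. `TileGuard`, `Handle`, `ResyncsSent` and the world size are hypothetical, and the check is assumed to be a plain in-world bounds test.

```csharp
using System;

// Hypothetical miniature of a packet validator; not TShock's Bouncer code.
public sealed class TileGuard
{
    public int MaxTilesX { get; }
    public int MaxTilesY { get; }
    public int ResyncsSent { get; private set; }

    public TileGuard(int maxTilesX, int maxTilesY)
    {
        MaxTilesX = maxTilesX;
        MaxTilesY = maxTilesY;
    }

    // Assumption: the coordinate check is a plain "inside the world" test.
    public bool TilePlacementValid(int x, int y) =>
        x >= 0 && x < MaxTilesX && y >= 0 && y < MaxTilesY;

    // Handlers supply only their own rules; the range check always runs
    // first here, so no individual handler can omit or reorder it.
    public bool Handle(int x, int y, Func<int, int, bool> rules)
    {
        if (!TilePlacementValid(x, y))
            return false;   // dropped silently: nothing is sent for bogus coordinates

        if (!rules(x, y))
        {
            ResyncsSent++;  // in-range failure: correcting the client is bounded work
            return false;
        }
        return true;
    }
}

public static class GuardDemo
{
    public static void Main()
    {
        var guard = new TileGuard(8400, 2400);   // constructed world size
        Func<int, int, bool> allowAll = (x, y) => true;
        Func<int, int, bool> denyAll = (x, y) => false;

        // Constructed inputs: an in-range edit, coordinates far outside the
        // world, and an in-range edit that fails a later rule.
        Console.WriteLine(guard.Handle(100, 200, allowAll));
        Console.WriteLine(guard.Handle(int.MaxValue, -5, allowAll));
        Console.WriteLine(guard.Handle(100, 200, denyAll));
        Console.WriteLine($"resyncs sent: {guard.ResyncsSent}");
    }
}
```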
Updating
To update TShock, simply replace all of the files in your server folder with those from the release folder.
TShock 4.5.4
This version of TShock stops loading two dangerous plugins. If your server has a dangerous plugin, it will warn you about that when you start it. Information about AutoRegister (versions 1.2.0.0 and prior) is available at GHSA-w3h6-j2gm-qf7q. We also have an updated policy for security reports.
Notable changes
- Fixed ridiculous typo in `GetDataHandlers` which caused TShock to read the wrong field in the packet for `usingBiomeTorches`. (@hakusaro, @Arthri)
- Fixed torchgod settings to include whether or not torchgod has been fought by the player before and respect `usingBiomeTorches` setting. (@Quinci135)
setting. (@Quinci135) - Fixed /worldmode not synchronising data to players after updating the world state (@bartico6, @Arthri)
- Added `OnSendNetData` hook to TSAPI, which enables developers to intercept traffic being sent from the server to clients using the new NetPacket protocol. (@Stealownz)
- Fixed false positive `OnNPCAddBuff` detection when throwing rotten eggs at town NPCs while wearing Frost armor set. (@moisterrific)
- Moved the emoji player index check into a new class of handlers called `IllegalPerSe`, which is designed to help isolate parts of TShock and make it so that "protocol violations" are treated separately from heuristic based anti-cheat checks. (@hakusaro)
- Changed `TSPlayer.FindByNameOrID` so that it will continue searching for players and return a list of many players when ambiguous matches exist in all cases. Specifically, this avoids a scenario where a griefer names themselves `1` and is difficult to enact justice on, because their name will not be found by the matching system used to kick players. To help with ambiguity, this method now processes requests with prefixes `tsi:` and `tsn:`. `tsi:[number]` will process the search as looking for an exact player by ID. `tsn:` will process the search as looking for an exact name, case sensitive. In both cases, the system will return an exact result in the "old-style" result, i.e., a `List<TSPlayer>` with exactly one result. For example, `/kick tsid:1` will match the player with the ID `1`. `/kick tsn:1` will match the username `1`. In addition, players who attempt to join the server with the name prefixes `tsn:` and `tsi:` will be rejected for having invalid names. (@hakusaro, @onusai)
- Added warnings for conditions where a password is set at runtime but can be bypassed. The thinking is that if a user sets a password when they're booting the server, that's what they expect to be the password. The only thing is that sometimes, other config options can basically defeat this as a security feature. The goal is just to communicate more and make things clearer. The server also warns users when UUID login is enabled, because it can be confusing and insecure. (@hakusaro, @onusai)
- Fixed Torch God's Favor biome torch placement being rejected by the server. (@moisterrific)
- Changed backups created by the backup manager to use ISO8601-style timestamps. I say "style" because it's impossible to implement ISO8601 or RFC3389 dates in a filename on most modern filesystems. So instead of the proper ISO separators, we've got dashes and dots. (@hakusaro, change sponsored by @drunderscore)
- Added hook for `OnDoorUse` (`DoorUse`) and associated `DoorUseEventArgs` fired when a door is used. Also added `GetDataHandlers.DoorAction` enum for determining the action of a door. (@hakusaro)
- Disallowed loading of the AutoRegister plugin version 1.2.0 or lower. Versions of this plugin at or equal to 1.2.0 use low entropy material to create passwords. This effectively means that it's possible for any user to be easily impersonated on a server running AutoRegister by simply convincing a user to join a malicious server, even when UUID login is disabled. This was assigned GHSA-w3h6-j2gm-qf7q. (@hakusaro)
- Disallowed loading of another plugin due to security issue GHSA-qj59-99v9-3gww. Due to the importance of this issue and severity, information is not available in the changelog. Information will be available June 8th, 2021, at 12:00 MDT. (@hakusaro)
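
The lookup rules from the `TSPlayer.FindByNameOrID` entry above, as an added C# example that is not TShock's implementation: prefixed searches return at most one exact result, unprefixed searches return every candidate, and names that begin with a lookup prefix are refused. `Player`, `PlayerLookup`, the name-matching rule for unprefixed searches and the sample roster are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for a connected player; not a TShock type.
public sealed record Player(int Id, string Name);

public static class PlayerLookup
{
    const string IdPrefix = "tsi:";    // exact match by player ID
    const string NamePrefix = "tsn:";  // exact, case-sensitive match by name

    // Names starting with a lookup prefix are refused at join time, so a
    // prefixed search can never collide with a player's chosen name.
    public static bool IsNameAllowed(string name) =>
        !name.StartsWith(IdPrefix, StringComparison.Ordinal) &&
        !name.StartsWith(NamePrefix, StringComparison.Ordinal);

    public static List<Player> Find(IReadOnlyList<Player> online, string search)
    {
        search = search.Trim();
        if (search.StartsWith(IdPrefix, StringComparison.Ordinal))  // ID only, names ignored
            return int.TryParse(search.Substring(IdPrefix.Length), out int id)
                ? online.Where(p => p.Id == id).Take(1).ToList()
                : new List<Player>();
        if (search.StartsWith(NamePrefix, StringComparison.Ordinal))
        {
            string exact = search.Substring(NamePrefix.Length);
            return online.Where(p => p.Name == exact).Take(1).ToList();
        }
        // Unprefixed: keep searching after an ID hit and return every
        // candidate, so the caller sees the ambiguity instead of a guess.
        // Assumption: names match by case-insensitive prefix.
        var found = online.Where(p => search == p.Id.ToString()).ToList();
        found.AddRange(online
            .Where(p => p.Name.StartsWith(search, StringComparison.OrdinalIgnoreCase)
                        && !found.Contains(p))
            .ToList());
        return found;
    }
}

public static class LookupDemo
{
    public static void Main()
    {
        // Constructed roster: the player in slot 3 has named themselves "1".
        var online = new List<Player> { new Player(1, "alice"), new Player(3, "1") };
        foreach (var query in new[] { "1", "tsi:1", "tsn:1", "tsi:9" })
        {
            string names = string.Join(", ", PlayerLookup.Find(online, query).Select(p => p.Name));
            Console.WriteLine($"{query} -> [{names}]");
        }
        Console.WriteLine(PlayerLookup.IsNameAllowed("tsn:admin"));
    }
}
```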
Updating
To update TShock, simply replace all of the files in your server folder with those from the release folder.
TShock 4.5.3
This version adds support for Terraria 1.4.2.3, and fixes GHSA-q776-cv3j-4q6m, an issue reported to us and fixed by @bartico6.
Please make a backup of your configuration files before updating. Remember, you can normally just overwrite all files from the release in your server. However, a late breaking bug reported less than 30 minutes before the update may cause your SSC config file to be overwritten.
Notable changes
- Added permissions for using Teleportation Potions, Magic Conch, and Demon Conch. (@drunderscore)
  - `tshock.tp.tppotion`, `tshock.tp.magicconch`, and `tshock.tp.demonconch` respectively.
- Updated HealOtherPlayer damage check to make more sense by respecting `ignoredamagecap` permission. (@moisterrific)
- Added preliminary support for Terraria 1.4.2.3 (@moisterrific, @Moneylover3246, @DeathCradle)
- Added celebration mk2 explosive to explosives ItemID set in TSAPI. Solves #2304. (@Quinci135)
- TShock now writes its log files to the `logs` folder inside the `tshock` folder by default, as opposed to just the `tshock` folder. (@QuiCM)
- The default MOTD is now prettier. The MOTD format can now contain `%specifier%` to send the command specifier. (@moisterrific)
- The buff commands now support `-1` as a time option to set buffs that last 415 days (the maximum buff time the game supports). (@moisterrific)
- TShock defaults to saving backups every 10 minutes, and defaults to keeping backups for 4 hours. (@hakusaro)
- Updated SSC bypass messaging. Now, when you connect, you're told if you're bypassing SSC. Console logging has been improved to warn when players are not being saved due to the bypass SSC permission. To turn this warning off, change `WarnPlayersAboutBypassPermission` to `false` in the `sscconfig.json` file. (@hakusaro)
- Fix oversight & exploit allowing specially crafted SendTileRectangle packets to perform large-scale world griefing. In addition, `NetTile.Slope` is now the native value (byte), and accessor methods `Slope1`, `Slope2`, and `Slope3` can be used to get the old style of values out. `HalfBrick` and `Actuator` were removed from `NetTile` because these were initialized to zero and never changed or used. (@bartico6)
In other news
A total lunar eclipse is scheduled to take place on May 26th, 2021, and as a result, this version was named Blood Moon edition, accordingly. Have fun staring at the sky! Thanks to @moisterrific for the awesome news!
Note: this release was created twice, due to a bug with GitHub Releases at the exact moment of release. Hooray!
TShock 4.5.2 (Terraria 1.4.2.2)
This release supports Terraria protocol 1.4.2.2.
Notable changes
- Added preliminary support for Terraria 1.4.2.2. (@hakusaro)
- Removed `/ungodme` and godmode warning (no longer necessary). Also, godmode now supports silent commands. (@hakusaro)
In other news
- Tonight (April 22) in North America is expected to be the peak of the April Lyrids meteor shower. This happens every year, and is visible in most of the world. Why not look at the sky tonight, and make a wish?
- I feel quite shy, but I would like to say that @hakusaro can now be sponsored on GitHub. I would like to formalize this a little bit. If you have opinions on these shoutouts for sponsorships, please drop them in this release thread.
TShock 4.5.1
This version supports Terraria protocol version 1.4.2.1.
Changes since last release
- Fixed server crash from `/v2/players/list` & other parameterised REST endpoints. (@QuiCM, reported by @ATFGK)
- Added handling to the PlayerChat hook event. (@QuiCM - Thanks for the suggestion @Arthri)
- Changed the spawnboss command to support silent command specifiers. (@QuiCM, suggested by @nojomyth-dev)
- Updated /godmode to use Journey Mode's Godmode power instead of healing on damage. (requested by @tlworks, backported by @bartico6, implemented preemptive bugfix for creative powers mentioned by @Stealownz)
- Fixed /r attempting to send messages to players that have since disconnected. (@bartico6, reported by @Arthri)
- Added ban ticket ID to ban messages (@QuiCM, suggested by @bippity)
- Refactored /wallow command. /reply no longer bypasses /wallow (@QuiCM)
Notable developments
- Stealownz's previously mentioned sponsorship on GitHub is at 40%!
- QuiCM can now be sponsored.
- bartico6 aka quake aka professional can now be sponsored!
Please give these people the love and support they deserve! Guess what? I'm sponsoring all of these lovely people! 😻
TShock 4.5.0.1
This version supports Terraria protocol version 1.4.2.1.
Changes since last release
- Fixed conversion from old to new ban system for MySQL hosted ban databases. (@DeathCradle, @ATFGK)
- Fixed wrong identifier used for UUID bans. (@DeathCradle, @ATFGK)
- Fixed conversion from sqlite bans due to locking issue. (@DeathCradle, @Kojirremer)
In other news
If you appreciated these changes, @DeathCradle and @Stealownz are now accepting donations. If you feel it in your heart, please consider donating to the recent contributors that have made TShock possible.
- DeathCradle: Send `bitcoin` to `3PRfyMh1brjCqzkw9az2aT7yNjbfkwFZqo`.
- Stealownz: Send money via GitHub Sponsors. GitHub sponsors now supports one time payments.
Full disclosure: I donated to both DeathCradle and Stealownz. 💖
TShock 4.5.0 for Terraria 1.4.2.1
Changes
- Updated OTAPI and TSAPI to Terraria 1.4.2.1. (@Stealownz, @DeathCradle)
- Updated TShock with preliminary protocol support for Terraria 1.4.2.1. (@Stealownz)
Thank you so much to @Stealownz and @DeathCradle for this release!
Notes
An executive decision has been made on versioning going forward. Instead of publishing pre-releases on 4.4.0 forever, this is now 4.5.0. Patch releases on the 4.5 series will be released as time goes on. You should consider the 4.5.x series unstable. All odd numbered versions (4.5, 4.7, 4.9) will be unstable. When a stable version is released, it will be even (e.g., 4.6.0, 4.8.0, 6.0.0).
The reason for this change is simple. The TShock automatic update system does not display updates for pre-releases. Unfortunately, it is quite useless to have an automatic updater when you don't use it. Polishing 4.4.0 has been time consuming, and therefore, we haven't been able to push a stable version for a while. Because of this, the lack of an automatic update function means that people are left in the dark about important updates. This is a problem.
We are planning on publishing updates more frequently to resolve stability issues and improve the system. Unfortunately, it's just taking a bit longer than usual.
To upgrade, simply overwrite all applicable files in your existing server folder. TShock releases are designed so that you can upgrade by copying all files over and clicking "yes" to overwrite any duplicates. All existing world and character and database data will be saved. Please make a backup copy of your world file and your TShock configuration before installing.
TShock 4.4.0 Pre-release 15 for Terraria 1.4.1.2
IF YOU ARE USING PRE-14 PLEASE UPDATE TO THIS VERSION ASAP
Some debugging was left enabled in pre-14 that will cause unintended tile edits in your worlds.
Please update to this release ASAP
TShock 4.4.0 Pre-release 14 for Terraria 1.4.1.2
To upgrade, simply overwrite all applicable files in your existing server folder. TShock releases are designed so that you can upgrade by copying all files over and clicking "yes" to overwrite any duplicates. All existing world and character and database data will be saved.
Changes
- Terraria v1.4.1.2 (Thanks @Patrikkk and @DeathCradle <3)
- Added Torch God's Favor support in SSC. (@Stealownz)
- SendTileSquare is now SendTileRect and can now send rectangles instead of squares. This is a breaking change (@QuiCM)
- Destroying protected tiles underneath a tile object no longer causes the tile object to disappear for the client (@QuiCM)
- 'RegionProtectGemLocks' config option now works correctly. Gems can now be placed in Gem Locks while this option is enabled (@QuiCM)
TShock 4.4.0 Pre-release 13 (woah that's a big number) for Terraria 1.4.1.1
Upgrading
To upgrade, simply overwrite all applicable files in your existing server folder. TShock releases are designed so that you can upgrade by copying all files over and clicking "yes" to overwrite any duplicates. All existing world and character and database data will be saved.
Changes
- Added Gravedigger's Shovel support. (@Zennos)
- You can now start up multiple TShock servers at once without getting a startup error. (@ZakFahey)
- Updated Bouncer to include new Magma Stone, Frost Armor, and Spinal Tap inflicted NPC debuffs. (@Quinci135)