Skip to content
Compare
Choose a tag to compare

Notable changes

  • Fixed the ability to spawn Zenith projectile with non-original items. (@AgaSpace)
  • Added hook GetDataHandlers.OnNpcTalk for NpcTalk and a handler for it that stops unregistered and logged out players from interacting with NPCs, preventing them from smuggling or duplicating items via NPC item slots. (@tru321)
  • Fixed the ability to create custom messages with your death (or the death of another player) (@AgaSpace)
  • Added the OnSignRead handler in GetDataHandler, and added the SignRead event. Added check to ensure the sign being read is within world bounds (x >= 0 && y >= 0 && x < Main.maxTilesX && y < Main.maxTilesY). (@drunderscore)
  • Added check to HandleNpcTalk to ensure the passed NPC index is within bounds (>= -1 && < Main.maxNPCs). (@drunderscore)

Upgrading

To upgrade TShock, replace all of the files in the location of your server installation with all of the files from the release zip we provide. Overwrite all files. No data will be lost.

Compare
Choose a tag to compare

Notable changes

  • Add the new allowed buff TentacleSpike to NPC buff cheat detection bouncer. (@sgkoishi)
  • Changed hook GetDataHandlers.OnNewProjectile so that it passes the projectile's AI (by updating NewProjectileEventArgs and parsing this during the TShock hook) to support processing projectile AI in bouncer. (@AgaSpace)
  • Fixed an issue where certain projectiles could be sent to the server with uncapped size parameters, which resulted in large disruptive client artifacts that could be used to grief players. (@AgaSpace, @Arthri)
  • Added the currently running value of Main.GameMode to /worldmode as "Mode". (@hakusaro)

Upgrading

To upgrade TShock, replace all of the files in the location of your server installation with all of the files from the release zip we provide. Overwrite all files. No data will be lost.

Compare
Choose a tag to compare

This version of TShock is protocol compatible with Terraria 1.4.3.2.

Notable changes

  • Changed the server behavior when SIGINT is received. When SIGINT is trapped, the server will attempt to shut down safely. When it is trapped a second time in a session, it will immediately exit. (SIGINT is typically triggered via CTRL + C.) This means that it is possible to corrupt your world if you force shutdown at the wrong time (e.g., while the world is saving), but hopefully you expect this to happen if you hit CTRL + C twice in a session and you read the warning. (@hakusaro, @onusai)

Did you know?

DeathCradle now accepts GitHub sponsorships. Did you know that DeathCradle is the reason why TShock is about to switch to .NET 5 and/or 6 and ditch mono? Isn't that neat?

Updating

To update TShock, simply replace all of the files in your server folder with those from the release folder.

Compare
Choose a tag to compare

Did you miss version 4.5.6? A lot of stuff changed in TShock 4.5.6 so you might want to read those change notes too.

Did you miss version 4.5.7? Some stuff changed in that release too.

Did you miss version 4.5.8? Yep that also changed some stuff in that release.

Notable changes

Did you know?

DeathCradle now accepts GitHub sponsorships. Did you know that DeathCradle is the reason why TShock is about to switch to .NET 5 and/or 6 and ditch mono?

Updating

To update TShock, simply replace all of the files in your server folder with those from the release folder.

01aa4b5
Compare
Choose a tag to compare

This release includes a security fix for GHSA-6w5v-hxr3-m2wx.

Did you miss version 4.5.6? A lot of stuff changed in TShock 4.5.6 so you might want to read those change notes too.

Did you miss version 4.5.7? Some stuff changed in that release too.

Notable changes

  • Removed TShockAPI/DB/DBTools.cs. This appears to have been dead code and not used by anything. (@hakusaro, @DeathCradle)
  • Fixed the /firework command not sending fireworks when specified without a firework color. The firework command now correctly sends red fireworks to a target if a color is not specified. (@hakusaro, @Kojirremer)
  • Fixed bad XML of TShock code documentation. (@Arthri)
  • Fixed Bouncer exploits allowing for invalid tiles' placement. These tiles(specifically torches) caused clients to crash. The fixed exploits are listed below. (@Arthri, @QuiCM)
    • Biome Torch Correction. Previously, it used unrelated values to validate biome torches, and unintentionally passed on invalid tiles. It's now fixed to use the correct values and block invalid torches. As well as a new right booster track correction/check, to allow right booster tracks to be placed. Right booster track is an extraneous place style because it depends on the direction the player is facing. The new check takes that into consideration so that the place style isn't considered mismatched and rejected.
    • Max Place Styles. Previously, it rejects only if both MaxPlaceStyles and ExtraneousPlaceStyles contains an entry for a tile, and unintentionally passed on invalid tiles. ExtraneousPlaceStyles only contains special max placeStyles, not all placeables unlike MaxPlaceStyles. It's now corrected to take from ExtraneousPlaceStyles first, then fallback to MaxPlaceStyles if there's no entry for that tile, and then finally -1 if there's no entry in either.

Updating

To update TShock, simply replace all of the files in your server folder with those from the release folder.

Compare
Choose a tag to compare

This release includes protocol compatibility with Terraria 1.4.3.1.

Did you miss version 4.5.6? A lot of stuff changed in TShock 4.5.6 so you might want to read those change notes too.

Notable changes

  • Fixed the /respawn command to permit respawning players from the console. (@hakusaro, @Kojirremer)
  • Removed the old password hashing system, which predated bcrypt hashes and allowed specifying the hash algorithm in the config file. This also removes the config option for setting the hash algorithm (HashAlgorithm). This is because it helps clear the way for .NET5/6 and OTAPI 3, and because bcrypt has been the default since TShock 4.3 in 2015. (@hakusaro)
  • Updated to OTAPI 2.0.0.46, which adds support for Terraria Protocol 1.4.3.1. (@Patrikkk, @DeathCradle)
  • Change warning: a release of TShock for .NET 5 and OTAPI 3 may be imminent.

Updating

To update TShock, simply replace all of the files in your server folder with those from the release folder.

Compare
Choose a tag to compare

This release includes protocol compatibility with Terraria 1.4.3.0.

This release includes a security fix for GHSA-6w5v-hxr3-m2wx. The details around of vulnerability and additional patches will be provided as a defense-in-depth measure in the next release. This security advisory will be made public and additional patches provided on Tuesday, November 23rd, at 22:00 MST.

Notable changes

  • Updated Linux guide. (@NezbednikSK)
  • Fixed SendTileRectHandler not sending tile rect updates like Pylons/Mannequins to other clients. (@Stealownz)
  • Introduced SoftcoreOnly config option to allow only softcore characters to connect. (@drunderscore)
  • Fixed some typos that have been in the repository for over a lustrum. (@Killia0)
  • Added a tshock.npc.summonboss permission check for Lunatic Cultist, players who do not have this permission will not be able to kill Cultist Archers/Devotees to summon the Lunatic Cultist. (@moisterrific)
  • Added more usage examples for the ban command under ban help examples to explain how users can ban: offline players by account, offline players by IP, and online players by player index - useful for banning hard to type character names. (@moisterrific)
  • Changed /login and /register to provide login help depending on if UUID login is enabled or disabled, and whether or not a player can login via any username or not. In addition, the message parameters will now be differentiated by colour instead of <> (@moisterrific, @hakusaro)
  • Added a new DisablePrimeBombs config option (false by default). Highly recommended to set this to true in order to prevent griefing on servers doing a for the worthy play-through, since the prime bombs on this seed can destroy most tiles and bypass region protection. (@moisterrific)
  • Added a new /respawn command that lets you respawn yourself or another player. Respawning yourself requires the tshock.respawn permission and respawning others requires the tshock.respawn.other permission. The full command syntax is /respawn [player]. (@moisterrific)
  • Added a notification message and silent command support for permanently changing a target player's user group. Now players who received a group change will be notified of their new group if they are currently online. (@moisterrific, @QuiCM)
  • Changed the TSPlayer IP method to return the loopback IP if RealPlayer is false. (@Rozen4334)
  • Fixed a bug that caused sundials to be ignored all the time, instead of only when the player has no permission or time is frozen. (@Rozen4334)
  • Added colours and usage examples (similiar to how the new ban system looks) for many more commands. (@moisterrific)
  • Changed RespawnSeconds and RespawnBossSeconds from 10 to 0 to respect the game's default respawn timers. (@moisterrific)
  • Updated Open Terraria API (OTAPI) and TSAPI for preliminary support of Terraria 1.4.3.0. This functionally changes OTAPI and points to 2.0.0.45 from 2.0.0.43 in previous versions. Developer note: SendData takes an extra arg in this version of Terraria but that's slated to be removed in a Terraria hotfix. This is vestigial and OTAPI "hacks that out" to preserve plugin compatibility. That's why it'll differ from the source code. (@Patrikkk, @DeathCradle, honorable mention: @Moneylover3246)
  • Added Deerclops to /spawnboss command. (@hakusaro, @HiddenStriker)
  • Fixed GHSA-6w5v-hxr3-m2wx. (@Yoraiz0r, @Arthri)
  • Fixed an issue where player build permissions would reject gem lock changes, even if RegionProtectGemLocks was disabled in the config file. Now, players will be permitted to use gem locks if they don't have build permission in a region, but RegionProtectGemLocks is disabled. If RegionProtectGemLocks is enabled, players will be unable to use gem locks in a build region. (@hakusaro, @Kojirremer, @Arthri)
  • Fixed an issue where /god [player] would tell [player] that they were in godmode regardless of whether or not they were or not. (@hakusaro, @Kojirremer)
  • In TSAPI: Updated PacketTypes to support SetMiscEventValues (140), RequestLucyPopup (141), and SyncProjectileTrackers (142). (@hakusaro)
  • Added DisableDefaultIPBan to the config file. If set to true, the server will not automatically IP ban players when banning them. This is useful if you run an intercepting proxy in front of TShock, and all players share the same IP. (@hakusaro, and Telegram user xmzzhh233)
  • Blank passwords will be upgraded to bcrypt hashes automatically. Previously, blank passwords were not upgraded to bcrypt hashes. This is in preparation to remove the old password hashing system and related fallback components in the next release. Most users have been using bcrypt hashes for the past...few years. (@hakusaro)

Updating

To update TShock, simply replace all of the files in your server folder with those from the release folder.

Compare
Choose a tag to compare

This version of TShock includes a fix for GHSA-jq4j-v8pr-jv7j. For more information, see the advisory.

We are aware of at least three other security issues, but they are still in-progress. At least one of those will be shipping in the near future.

Notable changes

  • Changed the world autosave message so that it no longer warns of a "potential lag spike." (@hakusaro)
  • Added /slay as an alias for /kill to be more consistent with other server mods. (@hakusaro)
  • Added /god as an alias for /godmode to be more consistent with other server mods. (@hakusaro)
  • Fixed ridiculous typo in Amethyst Gemtree text. (@hakusaro)
  • Fixed CTRL + C / interactive console interrupt not safely shutting down the server. Now, interrupts will cause a safe shutdown (saving the world and disconnecting all players before fully shutting down). Previously, interrupts caused an unsafe shutdown (not saving the world). (@hakusaro)
  • Changed "success message" color to Color.LimeGreen instead of Color.Green. Color.Green looks ugly. Color.LimeGreen looks less ugly but isn't as offensively bright as pure green. (@hakusaro)
  • Changed the default respawn timer to 10 seconds, so as to not desynchronize from the game by default. (@hakusaro)
  • Fixed /home allowing players to bypass the respawn timer. (@hakusaro, @moisterrific, @Arthri)
  • Added the config option SuppressPermissionFailureNotices. When set to true, the server will not send warning messages to players when they fail a build permission check from TSPlayer.HasBuildPermission (even if shouldWarnPlayer is set to true. (@hakusaro)
  • Fixed /warp send failing a nullcheck if the warp didn't exist. The previous behavior may have always been buggy or broken. In other words, sending someone to a warp that doesn't exist should result in a nicer error. (@hakusaro, @punchready)
  • Fixed /group del allowing server operators to delete the default group that guests are put into. This is a really critical group and the server doesn't behave correctly when it happens. As a result, it's better to prevent this from happening than not. Additionally, GroupManagerExceptions will be thrown if this is attempted programmatically. Finally, if the exception is thrown in response to /group del (or if any other exception is thrown that the command handler can handle), the stack trace will no longer be present. Fixes #2165. (@hakusaro, @DeveloperLuxo, @Rozen4334, @moisterrific, @bartico6, @Quinci135)
  • Removed the old ConfigFile class. If you are updating a plugin, you should use TShock.Config.Settings instead of the accessor you were using. This is typically a really easy change. For most plugin authors, updating to the new config format is as simple as changing the reference to the old static config to point to the new location. If you were using this for your own configs, you should swap to using a IConfigFile (see TShockAPI.Configuration.ConfigFile). (@hakusaro, @bartico6)
  • Added Main.worldPathName to /worldinfo command. Now, if you need to see what the location on disk for your world file is, you can simply run /worldinfo to find out. This is particularly helpful on Linux and macOS, where the world path isn't obvious. (@hakusaro)
  • Correct rejection message in LandGolfBallInCupHandler to output the proper expected player id. (@drunderscore)
  • Clarified the error mesage that the console is presented if a rate-limit is reached over REST to indicate that "tokens" actually refers to rate-limit tokens, and not auth tokens, and added a hint as to what config setting determines this. (@hakusaro, @patsore)
  • Fixed an issue where, when the console was redirected, input was disabled and commands didn't work, in TSAPI. You can now pass -disable-commands to disable the input thread, but by default, it will be enabled. Fixes #1450. (@DeathCradle, @QuiCM)
  • Added summonboss permission check for Prismatic Lacewing. Players who do not have said permission will be unable to kill this critter, as it will summon the Empress of Light. Also added support for the AnonymousBossInvasions config option, if this is set to false it will now broadcast the name of the player who summoned her. (@moisterrific)
  • Added ForceTime config setting check for Enchanted Sundial usage. If ForceTime is set to anything other than normal, Sundial use will be rejected as this would lead to very janky game behavior. Additionally, players with cfgreload permission will be advised to change it back to normal in order to use sundial. (@moisterrific, @bartico6)
  • Added %onlineplayers% and %serverslots% placeholders for MOTD. The default MOTD message was also updated to use this. (@moisterrific, @bartico6)
  • Fixed Bouncer inconsistently using TilePlacementValid when validating tile coordinates, which could cause a DoS attack due to unexpectedly large world framing. The list below shows the corrected methods within Bouncer. This was assigned GHSA-jq4j-v8pr-jv7j. (@drunderscore)
    • OnTileEdit: The check was moved to be the first, and will no longer SendTileSquare upon failure.
    • OnPlaceObject: The check was moved to be the first, and will no longer SendTileSquare upon failure.
    • OnPlaceTileEntity: The check was newly added.
    • OnPlaceItemFrame: The check was newly added.
    • OnFoodPlatterTryPlacing: The check was newly added.

Updating

To update TShock, simply replace all of the files in your server folder with those from the release folder.

Compare
Choose a tag to compare

This version of TShock stops loading two dangerous plugins. If your server has a dangerous plugin, it will warn you about that when you start it. Information about AutoRegister (versions 1.2.0.0 and prior) is available at GHSA-w3h6-j2gm-qf7q. We also have an updated policy for security reports.

Notable changes

  • Fixed ridiculous typo in GetDataHandlers which caused TShock to read the wrong field in the packet for usingBiomeTorches. (@hakusaro, @Arthri)
  • Fixed torchgod settings to include whether or not torchgod has been fought by the player before and respect usingBiomeTorches setting. (@Quinci135)
  • Fixed /worldmode not synchronising data to players after updating the world state (@bartico6, @Arthri)
  • Added OnSendNetData hook to TSAPI, which enables developers to intercept traffic being sent from the server to clients using the new NetPacket protocol. (@Stealownz)
  • Fixed false positive OnNPCAddBuff detection when throwing rotten eggs at town NPCs while wearing Frost armor set. (@moisterrific)
  • Moved the emoji player index check into a new class of handlers called IllegalPerSe, which is designed to help isolate parts of TShock and make it so that "protocol violations" are treated separately from heuristic based anti-cheat checks. (@hakusaro)
  • Changed TSPlayer.FindByNameOrID so that it will continue searching for players and return a list of many players whem ambiguous matches exist in all cases. Specifically, this avoids a scenario where a griefer names themselves 1 and is difficult to enact justice on, because their name will not be found by the matching system used to kick players. To help with ambiguity, this method now processes requests with prefixes tsi: and tsn:. tsi:[number] will process the search as looking for an exact player by ID. tsn: will process the search as looking for an exact name, case sensitive. In both cases, the system will return an exact result in the "old-style" result, i.e., a List<TSPlayer> with exactly one result. For example, /kick tsid:1 will match the player with the ID 1. /kick tsn:1 will match the username 1. In addition, players who attempt to join the server with the name prefixes tsn: and tsi: will be rejected for having invalid names. (@hakusaro, @onusai)
  • Added warnings for conditions where a password is set at runtime but can be bypassed. The thinking is that if a user sets a password when they're booting the server, that's what they expect to be the password. The only thing is that sometimes, other config options can basically defeat this as a security feature. The goal is just to communicate more and make things clearer. The server also warns users when UUID login is enabled, because it can be confusing and insecure. (@hakusaro, @onusai)
  • Fixed Torch God's Favor biome torch placement being rejected by the server. (@moisterrific)
  • Changed backups created by the backup manager to use ISO8601-style timestamps. I say "style" because it's impossible to implement ISO8601 or RFC3389 dates in a filename on most modern filesystems. So instead of the proper ISO separators, we've got dashes and dots. (@hakusaro, change sponsored by @drunderscore)
  • Added hook for OnDoorUse (DoorUse) and associated DoorUseEventArgs fired when a door is used. Also added GetDataHandlers.DoorAction enum for determining the action of a door. (@hakusaro)
  • Disallowed loading of the AutoRegister plugin version 1.2.0 or lower. Versions of this plugin at or equal to 1.2.0 use low entropy material to create passwords. This effectively means that it's possible for any user to be easily impersonated on a server running AutoRegister by simply convincing a user to join a malicious server, even when UUID login is disabled. This was assigned GHSA-w3h6-j2gm-qf7q. (@hakusaro)
  • Disallowed loading of another plugin due to security issue GHSA-qj59-99v9-3gww. Due to the importance of this issue and severity, information is not available in the changelog. Information will be available June 8th, 2021, at 12:00 MDT. (@hakusaro)

Updating

To update TShock, simply replace all of the files in your server folder with those from the release folder.

914cdb1
Compare
Choose a tag to compare

This version adds support for Terraria 1.4.2.3, and fixes GHSA-q776-cv3j-4q6m, an issue reported to us and fixed by @bartico6.

Please make a backup of your configuration files before updating. Remember, you can normally just overwrite all files from the release in your server. However, a late breaking bug reported less than 30 minutes before the update may cause your SSC config file to be overwritten.

Notable changes

  • Added permissions for using Teleportation Potions, Magic Conch, and Demon Conch. (@drunderscore)
    • tshock.tp.tppotion, tshock.tp.magicconch, and tshock.tp.demonconch respectively.
  • Updated HealOtherPlayer damage check to make more sense by respecting ignoredamagecap permission. (@moisterrific)
  • Added preliminary support for Terraria 1.4.2.3 (@moisterrific, @Moneylover3246, @DeathCradle)
  • Added celebration mk2 explosive to explosives ItemID set in TSAPI. Solves #2304. (@Quinci135)
  • TShock now writes its log files to the logs folder inside the tshock folder by default, as opposed to just the tshock folder. (@QuiCM)
  • The default MOTD is now prettier. The MOTD format can now contain %specifier% to send the command specifier. (@moisterrific)
  • The buff commands now support -1 as a time option to set buffs that last 415 days (the maximum buff time the game supports). (@moisterrific)
  • TShock defaults to saving backups every 10 minutes, and defaults to keeping backups for 4 hours. (@hakusaro)
  • Updated SSC bypass messaging. Now, when you connect, you're told if you're bypassing SSC. Console logging has been improved to warn when players are not being saved due to the bypass SSC permission. To turn this warning off, change WarnPlayersAboutBypassPermission to false in the sscconfig.json file. (@hakusaro)
  • Fix oversight & exploit allowing specially crafted SendTileRectangle packets to perform large-scale world griefing. In addition, NetTile.Slope is now the native value (byte), and accessor methods Slope1, Slope2, and Slope3 can be used to get the old style of values out. HalfBrick and Actuator were removed from NetTile because these were initialized to zero and never changed or used. (@bartico6)

In other news

A total lunar eclipse is scheduled to take place on May 26th, 2021, and as a result, this version was named Blood Moon edition, accordingly. Have fun staring at the sky! Thanks to @moisterrific for the awesome news!

Note: this release was created twice, due to a bug with GitHub Releases at the exact moment of release. Hooray!