From 53ab3a1ba92237a15ce74b7b35ce78c1defbfa47 Mon Sep 17 00:00:00 2001
From: Fabio Alessandrelli
Date: Thu, 28 Mar 2019 09:52:31 +0100
Subject: Multiplayer API now respects allow_object_decoding Add doc about allow_object_decoding in PacketPeer
---
doc/classes/PacketPeer.xml | 2 ++
1 file changed, 2 insertions(+)
(limited to 'doc/classes')
diff --git a/doc/classes/PacketPeer.xml b/doc/classes/PacketPeer.xml
index a4cf0c8029..41f5eaf555 100644
--- a/doc/classes/PacketPeer.xml
+++ b/doc/classes/PacketPeer.xml
@@ -60,6 +60,8 @@
+ If [code]true[/code] the PacketPeer will allow encoding and decoding of object via [method get_var] and [method put_var].
+ [b]WARNING:[/b] Deserialized object can contain code which gets executed. Do not use this option if the serialized object comes from untrusted sources to avoid potential security threats (remote code execution).
-- cgit v1.2.3
From 393e62b98a5a37ccdd7d860571e2f8cc7b970fe4 Mon Sep 17 00:00:00 2001
From: Fabio Alessandrelli
Date: Tue, 26 Mar 2019 16:52:42 +0100
Subject: Add object encoding param to serialization methods Network peers get_var/put_var File get_var/store_var GDScript/Mono/VisualScript bytes2var/var2bytes Add MultiplayerAPI.allow_object_decoding member which deprecates PacketPeer.allow_object_decoding. Break ABI compatibaility (API compatibility for GDNative).
---
doc/classes/@GDScript.xml | 9 +++++++--
doc/classes/File.xml | 9 +++++++--
doc/classes/Marshalls.xml | 9 +++++++--
doc/classes/MultiplayerAPI.xml | 4 ++++
doc/classes/PacketPeer.xml | 10 ++++++++--
doc/classes/StreamPeer.xml | 9 +++++++--
6 files changed, 40 insertions(+), 10 deletions(-)
(limited to 'doc/classes')
diff --git a/doc/classes/@GDScript.xml b/doc/classes/@GDScript.xml
index 0a430fea4d..e5d4256617 100644
--- a/doc/classes/@GDScript.xml
+++ b/doc/classes/@GDScript.xml
@@ -136,8 +136,11 @@
+
+
- Decodes a byte array back to a value.
+ Decodes a byte array back to a value. When [code]allow_objects[/code] is [code]true[/code] decoding objects is allowed.
+ [b]WARNING:[/b] Deserialized object can contain code which gets executed. Do not use this option if the serialized object comes from untrusted sources to avoid potential security threats (remote code execution).
@@ -1112,8 +1115,10 @@
+
+
- Encodes a variable value to a byte array.
+ Encodes a variable value to a byte array. When [code]full_objects[/code] is [code]true[/code] encoding objects is allowed (and can potentially include code).
diff --git a/doc/classes/File.xml b/doc/classes/File.xml
index c9a8f18116..e8aa1caabd 100644
--- a/doc/classes/File.xml
+++ b/doc/classes/File.xml
@@ -204,8 +204,11 @@
+
+
- Returns the next [Variant] value from the file.
+ Returns the next [Variant] value from the file. When [code]allow_objects[/code] is [code]true[/code] decoding objects is allowed.
+ [b]WARNING:[/b] Deserialized object can contain code which gets executed. Do not use this option if the serialized object comes from untrusted sources to avoid potential security threats (remote code execution).
@@ -398,8 +401,10 @@
+
+
- Stores any Variant value in the file.
+ Stores any Variant value in the file. When [code]full_objects[/code] is [code]true[/code] encoding objects is allowed (and can potentially include code).
diff --git a/doc/classes/Marshalls.xml b/doc/classes/Marshalls.xml
index 687f81eec7..c041cfb00a 100644
--- a/doc/classes/Marshalls.xml
+++ b/doc/classes/Marshalls.xml
@@ -34,8 +34,11 @@
+
+
- Return [Variant] of a given base64 encoded String.
+ Return [Variant] of a given base64 encoded String. When [code]allow_objects[/code] is [code]true[/code] decoding objects is allowed.
+ [b]WARNING:[/b] Deserialized object can contain code which gets executed. Do not use this option if the serialized object comes from untrusted sources to avoid potential security threats (remote code execution).
@@ -61,8 +64,10 @@
+
+
- Return base64 encoded String of a given [Variant].
+ Return base64 encoded String of a given [Variant]. When [code]full_objects[/code] is [code]true[/code] encoding objects is allowed (and can potentially include code).
diff --git a/doc/classes/MultiplayerAPI.xml b/doc/classes/MultiplayerAPI.xml
index f3e26a3bcb..59e0168f2c 100644
--- a/doc/classes/MultiplayerAPI.xml
+++ b/doc/classes/MultiplayerAPI.xml
@@ -89,6 +89,10 @@
+
+ If [code]true[/code] (or if the [member network_peer] [member PacketPeer.allow_object_decoding] the MultiplayerAPI will allow encoding and decoding of object during RPCs/RSETs.
+ [b]WARNING:[/b] Deserialized object can contain code which gets executed. Do not use this option if the serialized object comes from untrusted sources to avoid potential security threats (remote code execution).
+
 The peer object to handle the RPC system (effectively enabling networking when set). Depending on the peer itself, the MultiplayerAPI will become a network server (check with [method is_network_server]) and will set root node's network mode to master (see NETWORK_MODE_* constants in [Node]), or it will become a regular peer with root node set to puppet. All child nodes are set to inherit the network mode by default. Handling of networking-related events (connection, disconnection, new clients) is done by connecting to MultiplayerAPI's signals.
diff --git a/doc/classes/PacketPeer.xml b/doc/classes/PacketPeer.xml
index 41f5eaf555..44d942e344 100644
--- a/doc/classes/PacketPeer.xml
+++ b/doc/classes/PacketPeer.xml
@@ -35,8 +35,11 @@
+
+
- Get a Variant.
+ Get a Variant. When [code]allow_objects[/code] (or [member allow_object_decoding]) is [code]true[/code] decoding objects is allowed.
+ [b]WARNING:[/b] Deserialized object can contain code which gets executed. Do not use this option if the serialized object comes from untrusted sources to avoid potential security threats (remote code execution).
@@ -53,13 +56,16 @@
+
+
- Send a Variant as a packet.
+ Send a Variant as a packet. When [code]full_objects[/code] (or [member allow_object_decoding]) is [code]true[/code] encoding objects is allowed (and can potentially include code).
+ Deprecated. Use [code]get_var[/code] and [code]put_var[/code] parameters instead.
 If [code]true[/code] the PacketPeer will allow encoding and decoding of object via [method get_var] and [method put_var].
 [b]WARNING:[/b] Deserialized object can contain code which gets executed. Do not use this option if the serialized object comes from untrusted sources to avoid potential security threats (remote code execution).
diff --git a/doc/classes/StreamPeer.xml b/doc/classes/StreamPeer.xml
index 74ac8a79c0..87a69be058 100644
--- a/doc/classes/StreamPeer.xml
+++ b/doc/classes/StreamPeer.xml
@@ -127,8 +127,11 @@
+
+
- Get a Variant from the stream.
+ Get a Variant from the stream. When [code]allow_objects[/code] is [code]true[/code] decoding objects is allowed.
+ [b]WARNING:[/b] Deserialized object can contain code which gets executed. Do not use this option if the serialized object comes from untrusted sources to avoid potential security threats (remote code execution).
@@ -262,8 +265,10 @@
+
+
- Put a Variant into the stream.
+ Put a Variant into the stream. When [code]full_objects[/code] is [code]true[/code] encoding objects is allowed (and can potentially include code).
-- cgit v1.2.3