small security fix update

nothing special. thank you to emi.pet and sodium fluoride for finding and alerting me to a particular vulnerability involving remote code execution - scary!

update 2024-08-03, in response to some comments:

>nothing special
>fixed RCE

...what?


why not explain what the vulnerability was? im curious, this is scary. i dont want to play a game without transparency within the code construction and the potential vulnerabilities, especially since im a cybersec freak. would love to hear from you about this


maybe i should not have had such a casual tone about this patch, as it fixed a rather severe exploit, but the actual change was something like 10 new lines of code, and yomih has never had issues with hackers or cheaters, so i see this as a preventative measure and peace of mind. i should clarify this exploit had been in the game for a long time, but i've never heard any reports of anyone actually using it.

basically, networking in Godot works like this: rpc calls allow your game to call functions on the other player's computer. previously, YOMIH allowed one client to rpc call *any function on the Network object*, including base Node methods. i hesitate to offer excruciating detail, but that had all sorts of wide-reaching implications, and RCE was the worst of them. this update only allows the client to call script functions, not built-in Godot methods. so you can no longer do the bad thing.

on that note, this does NOT prevent mods from doing whatever the hell they want. this has been and always will be the case, as the modloader is pretty laissez-faire (and probably can't be restricted much more on this old version of Godot). workshop mods of questionable ethics are always removed and the modders banned, and mods are open-source by necessity so mods are unlikely to contain anything like that, but it can technically happen, so use mods and old versions online at your own peril.
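
to illustrate the rpc restriction described above: this is an added example for Godot 3.x, not YOMIH's actual code and not written by the developer. the `relay` entry point, the handler names and the allowlist are all hypothetical, and it goes one step beyond "script functions only" by also requiring the requested name to be on an explicit allowlist.

```gdscript
# Added example (Godot 3.x). Not YOMIH's code; every name here is hypothetical.
extends Node

# The only handlers a remote peer may trigger: name -> expected argument count.
# Narrower than "any script function", so helpers added to this script later
# are not exposed to the network by accident.
const REMOTE_CALLABLE = {
	"receive_turn": 1,
	"receive_chat": 1,
}
var _script_methods = {}

func _ready():
	# Cache the names of functions defined in this script itself.
	# Built-in methods inherited from Node/Object are not in this list.
	for m in get_script().get_script_method_list():
		_script_methods[m["name"]] = true

# Single entry point that the other peer invokes over the network.
remote func relay(function_name, args):
	var sender = get_tree().get_rpc_sender_id()
	if not is_remote_call_allowed(function_name, args):
		push_warning("rejected rpc '%s' from peer %d" % [str(function_name), sender])
		return
	callv(function_name, args)

func is_remote_call_allowed(function_name, args) -> bool:
	# Everything a peer sends is untrusted: check types before using them.
	if typeof(function_name) != TYPE_STRING or typeof(args) != TYPE_ARRAY:
		return false
	# The name must be on the allowlist...
	if not REMOTE_CALLABLE.has(function_name):
		return false
	# ...must really be a script-defined function, not an engine method...
	if not _script_methods.has(function_name):
		return false
	# ...and must carry the expected number of arguments.
	return args.size() == REMOTE_CALLABLE[function_name]

func receive_turn(turn_data):
	# Handlers still validate their own payload before acting on it.
	if typeof(turn_data) != TYPE_DICTIONARY:
		return
	print("turn received with %d fields" % turn_data.size())

func receive_chat(text):
	if typeof(text) != TYPE_STRING:
		return
	print("chat: " + text.substr(0, 200))
```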