An issue with the way OTAPI manages client connections results in stale UUIDs remaining on RemoteClient
instances after a player disconnects.
Because of this, if the following conditions are met a player may assume the login state of a previously connected player:
1. The server has UUID login enabled
2. An authenticated player disconnects
3. A subsequent player connects with a modified client that does not send the ClientUUID#68
packet during connection
4. The server assigns the same RemoteClient
object that belonged to the originally authenticated player to the newly connected player
TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself.
Implement a RemoteClient reset event handler in a plugin like so:
public override void Initialize()
{
On.Terraria.RemoteClient.Reset += RemoteClient_Reset;
}
private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client)
{
client.ClientUUID = null;
orig(client);
}
{ "nvd_published_at": null, "cwe_ids": [ "CWE-305", "CWE-613", "CWE-863" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-12-18T18:19:12Z" }