From 73dd26090d2e38cf25976d4e257453e2f405c2a1 Mon Sep 17 00:00:00 2001
From: lost-werewolf
Date: Wed, 11 Mar 2026 03:58:04 -0400
Subject: [PATCH] fix clients being able to change their UUID at will
---
 TerrariaServerAPI/TerrariaApi.Server/HookManager.cs | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/TerrariaServerAPI/TerrariaApi.Server/HookManager.cs b/TerrariaServerAPI/TerrariaApi.Server/HookManager.cs
index ba14ebae..6cb1985b 100644
--- a/TerrariaServerAPI/TerrariaApi.Server/HookManager.cs
+++ b/TerrariaServerAPI/TerrariaApi.Server/HookManager.cs
@@ -470,7 +470,14 @@ internal bool InvokeNetGetData(ref byte msgId, MessageBuffer buffer, ref int ind
 //We copy the bytes of the UUID then convert it to string. Then validating the GUID so its the correct format.
 //Then the bytes get hashed, and set as ClientUUID (and gets written in DB for auto-login)
 //length minus 2 = 36, the length of a UUID.
+ //We only accept this packet during the initial connectioon state (1), and only if their current UUID is blank,
+ //to prevent malicious clients from changing their UUID after connecting.
 case PacketTypes.ClientUUID:
+ if ((Netplay.Clients[buffer.whoAmI].State != 1 || !string.IsNullOrEmpty(Netplay.Clients[buffer.whoAmI].ClientUUID)))
+ {
+ return true;
+ }
+
 if (length == 38)
 {
 byte[] uuid = new byte[length - 2];
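Review bot: The new guard at the top of `case PacketTypes.ClientUUID:` makes the empty-`ClientUUID` test the only gate on setting a connection's identity, so it depends on `Netplay.Clients[buffer.whoAmI].ClientUUID` being cleared whenever a slot is reset for a new connection; nothing in this hunk shows that, and if the field survives a disconnect, the next client on that slot would have its UUID packet dropped and keep the previous value, which the existing comment says is written to the DB for auto-login. Please confirm the slot-reset path clears the field, and say so in the comment, e.g. `//ClientUUID must be reset to empty when the client slot is reused, otherwise this check pins the old UUID.` The rejection is also silent: `return true;` presumably marks the packet as handled, so logging the client index and current `State` at that point would give operators a signal when a client sends this packet late or twice. The bare `1` would read better as a named constant, and the added comment has a typo (`connectioon`). The case body continues past the end of the hunk, so the behaviour after a failed `length == 38` check was not reviewed.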