Godot logo (CC-BY 3.0)

The new release candidate includes security fixes (related to the deserialization of objects sent over the network). Unfortunately repairing the error forced developers to break compatibility (GDNative).

An example program is available:

https://github.com/godotengine/godot/files/3001649/Exploit.zip

In short, the problem is that we can send to the connected player, a scene with a script and it will run, but should not (allow_object_decoding is set to false by default).

For example, when:

rpc_id(id, "do_thing", load("res://Injected Label.tscn").instance())

And the scene Injected Label.tscn has script with function:

func _ready():
	print("I ran a script in your game!")
	text = "I ran a script in your game!"

After connecting, the client will load the scene and launch the script attached to it.

In version 3.1.1, to run the script, you must change the value of allow_object_decoding to true:

var peer := NetworkedMultiplayerENet.new()
peer.allow_object_decoding = true

Changes for mobile games developers

It’s good to update the engine, especially when your target is mobile games. The amendments are related to support older iOS devices (iPhone 5s, 6 and iPad Pro). On this devices GLES2 framebuffer (FBO) initialization can fail.

For Android, getting the unique device ID has been fixed. In the previous version of the engine, the function always returned the same string “android_id” instead of the real identifier. This can be easily tested by calling the OS.get_unique_id() function.

If you have used this function before, for example to encrypt the game saves, you will also have to check this static string when reading.

Other changes

  • Depth textures has been fixed – regression in version 3.1
  • The ability to play animations back to AnimatedSprite has been added (just set the second play() attribute to true).
  • Emission mask has been added to CPUParticles2D
  • Snapping in the animation window can now be set to seconds or frames per second.
  • New audio features has been backported from 3.2 to 3.1.1 (AudioStreamGenerator, AudioEffectSpectrumAnalyzer).
  • Improvements in GLTF2 import
Download