Faless
commented
5 years ago This must be a bug down the line. allow_object_decoding is false by default, so the label should not be decoded. I'm investigating.
Closed LunaticExperimentalist closed 5 years ago
Faless
commented
5 years ago This must be a bug down the line. allow_object_decoding is false by default, so the label should not be decoded. I'm investigating.
Godot version: 3.1
OS/device including version: Debian 9
Issue description: High level multiplayer API allows passing Objects with scripts to peers. This opens up a remote code execution exploit.
Steps to reproduce: Initialize NetworkedMultiplayerENet on a client and server, connect them, and set them as the network peer interfaces for their respective scene trees. Pass scripted object over RPC.
Minimal reproduction project: Exploit.zip