Stickers have been discontinued. New donors can no longer request stickers.

Welcome to TShock 4.3.12 for Terraria 1.3.0.8 and TerrariaAPI v1.22. This release fixes some bugs with Terraria functionality, as well as introduces some changes for the stat tracking system. Download now, via Github Releases.

Notable changes include:

• Fixed issues with TSPlayer.SetTeam not working (@Wight)
• Fixed /butcher not killing bosses in expert difficulty (@Wight)
• API: Deprecated PacketBufferer (now obviated by SendQ) (@Wight)
• API: Building on Windows no longer breaks traps (@Wolfje)
• Fixed bombs, dynamite, and sticky bombs (@Wolfje)
• Removed spammy messages from OnSecondUpdate that confused some server owners (@Wolfje)
• Rewrote some stat tracker code to send actually relevant data to the stats server (@George)
• Added an opt-out command line switch to disable the stat tracker (--stats-optout) (@George)
• Added a unique provider token which can be passed to the stat tracker (--provider-token [token]) for tracking servers from the same GSP. (@George)

Welcome to TShock v4.3.11 for Terraria v1.3.08. Download now.

This version features a drop-in tile replacement system by @Wolfje that reduces RAM requirements by up to 70% on all worlds and CPU requirements up to 10% in the running process.

• Large worlds: from 700MB-1GB -> ~325MB
• Medium worlds: from 500MB -> ~200MB
• Small worlds: from 400MB -> ~125MB

Plugin developers: any current plugin that makes use of Main.tile must be recompiled with a reference to the new terrariaserver.exe.

Other notable changes include:

• API: Fixed some possible packet leaks in sendq (@Wolfje)
• API: API Version 1.22 - please update your plugins accordingly
• API: Added crash protection around malicious and/or invalid packets (@Wolfje)
• API: Fixed worlds not loading sometimes (@tysonstrange)
• API: Fixed living leaf walls not working as housing (@hastinbe)
  
• Fixed an issue preventing some players from joining when the world is saving (@Wolfje)
• Fixed an issue adding a ban on a player who has previously been banned (@Wolfje)
• Fixed /invade martian (@Wolfje)
• Fixed target dummies not working properly (@Wight)
• Added a config option (DisableSecondUpdateLogs) to prevent log spam from OnSecondUpdate() (@Wight)
• Added RESTful API login rate limiting (@George)
• Added config options (MaximumRequestsPerInterval, RequestBucketDecreaseIntervalMinutes, LimitOnlyFailedLoginRequests) for rate limiting (@George)
• DEPRECATION: Deprecated Disable(string, bool) and added Disable(string, DisableFlags). Please update your plugins accordingly (@Wight)
• Fixed Halloween and Christmas events not working properly...

We recently became aware of an ongoing attack targeting TShock for Terraria servers. No exploit exists, and no passwords can be immediately determined, however, bruteforce attempts are possible over REST.

If you need help, please join Slack immediately and discuss your situation with us. Please error on the side of caution and take mitigation steps as soon as possible to avoid account compromises.

Scope:

• Attackers can bruteforce passwords from open REST ports.
• Attackers can cause latency (lag) by bruteforcing passwords with high BCrypt work factors.

Mitigation:

• Servers which rely on REST should protect their REST endpoint. If the REST service is being used only on the same server or on a private network, firewall the REST port off (7878) from outside traffic. If the service must be accessed from the internet, move the RestApiPort (set in the config file) to a higher value, to avoid attacks that only target the default port, 7878.
• If the rest port is not being used for anything, disable the REST service entirely (set the RestApiEnabled setting in the config file to "false").
• Follow best practices when setting passwords. Ensure that administrators do not use passwords that are easily found in dictionaries or otherwise easy to crack. Encourage users to set safe, secure passwords for their TShock accounts.

Long Term Solution:

• IP based throttling of REST endpoint login attempts will be implemented in the next version of TShock, within 48 hours of this notice.

Repeat: TShock is secure. REST can be attacked to slowly try passwords.

Welcome to TShock for Terraria 4.3.9 for Terraria 1.3.0.8. This release includes protocol compatibility with Terraria 1.3.0.8 (Protocol 156). In addition, it includes a new crash reporting mechanism that can be used to help further diagnose problems on Windows. On Mono, it simply creates a more detailed crash report that we can then use. Download now, via Github.

Notable changes include:

• API: Update to Terraria 1.3.0.8 (@Patrikkk)
• API: Added a crash reporter which collects memory dumps on Windows (@Wolfje)
• API: New commandline param: -crashdir - Writes crash reports to the specified directory (@Wolfje)
• API: Sendq now doesn't disconnect people when it cant send a packet (@Wolfje)
• API: Fixed more crashes on disconnect in sendq (@Wolfje)
• API: Now ignores unknown server packets (@Wolfje)
• API: Potentially removed arithmetic overflows in server (@Wolfje)

Using the Crash Reporter
TShock now has a crash reporter built in which writes crash logs to the crashes directory in the event of a catastrophic failure. To change where TShock writes its crash logs, specify the -crashdir parameter on the command line.

1. In the event of a crash, look for a file called crash_xxxx.zip in the crashes directory
2. Upload the file somewhere, beware the crash file may be quite large (>100MB), anywhere like google drive, dropbox or mega will be fine
3. Post a link to the crash with reproduction steps in the TShock support forum

Alternatively, if you do not want to report the crash, just delete the file.