From 0f1bdde92cc0c17c72ecb86e4649f701bab55a13 Mon Sep 17 00:00:00 2001 From: betalars Date: Mon, 14 Oct 2024 13:29:39 +0200 Subject: [PATCH] @GGScdipt Doc: advising against using load for untrusted resoruces due to possible Remote Code xecution. --- modules/gdscript/doc_classes/@GDScript.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/gdscript/doc_classes/@GDScript.xml b/modules/gdscript/doc_classes/@GDScript.xml index 5fe47d69df6..c5cb49ea656 100644 --- a/modules/gdscript/doc_classes/@GDScript.xml +++ b/modules/gdscript/doc_classes/@GDScript.xml @@ -170,6 +170,7 @@ [/codeblock] [b]Important:[/b] Relative paths are [i]not[/i] relative to the script calling this method, instead it is prefixed with [code]"res://"[/code]. Loading from relative paths might not work as expected. This function is a simplified version of [method ResourceLoader.load], which can be used for more advanced scenarios. + [b]Warning:[/b] Do not use this for save files, as it may lead to remote code execution when users share saves. You should only use this to load files that you know are trusted. [b]Warning:[/b] Do not use this for save files, as it may lead to remote code execution when users share saves. You should only use this to load files that you know are trusted. Read the "Saving Games" tutorial for further guidance. [b]Note:[/b] Files have to be imported into the engine first to load them using this function. If you want to load [Image]s at run-time, you may use [method Image.load]. If you want to import audio files, you can use the snippet described in [member AudioStreamMP3.data]. [b]Note:[/b] If [member ProjectSettings.editor/export/convert_text_resources_to_binary] is [code]true[/code], [method @GDScript.load] will not be able to read converted files in an exported project. If you rely on run-time loading of files present within the PCK, set [member ProjectSettings.editor/export/convert_text_resources_to_binary] to [code]false[/code].
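Review bot: the added [b]Warning:[/b] line in the @@ -170,6 +170,7 @@ hunk is immediately followed by a second [b]Warning:[/b] line that repeats the same two sentences and then adds "Read the "Saving Games" tutorial for further guidance.", so the description as shown would carry the warning twice. Keep a single warning, preferably the longer form, since it tells the reader where to find the recommended way to handle save files. The text also says "Do not use this for save files" without stating what makes an untrusted file dangerous to load; a short clause giving the reason would help readers judge other untrusted inputs besides saves. Because the same description calls this function "a simplified version of [method ResourceLoader.load]", check whether that method's documentation needs the same warning; this patch touches only modules/gdscript/doc_classes/@GDScript.xml. The commit subject has typos ("@GGScdipt", "resoruces", "xecution") that are worth fixing before merge so the change is searchable in the log.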