Commit

ResourceLoader Doc: Adding warnings to encourage remote code execution mitigation
betalars authored Oct 14, 2024
1 parent 92e51fc commit 528fbaf
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions doc/classes/ResourceLoader.xml
Expand Up @@ -6,6 +6,7 @@
<description>
A singleton used to load resource files from the filesystem.
It uses the many [ResourceFormatLoader] classes registered in the engine (either built-in or from a plugin) to load files into memory and convert them to a format that can be used by the engine.
[b]See also:[/b] If you want to load player data, look at <link title="Saving Games">$DOCS_URL/tutorials/io/saving_games.html</link> instead for information on saving and loading game progression.
[b]Note:[/b] You have to import the files into the engine first to load them using [method load]. If you want to load [Image]s at run-time, you may use [method Image.load]. If you want to import audio files, you can use the snippet described in [member AudioStreamMP3.data].
</description>
<tutorials>
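Review bot: The added class-level "See also" line tells readers to look at the Saving Games page "instead" but gives no reason, while the per-method warnings in this same commit name the risk (remote code execution when users share saves). Someone who reads only the class description will not learn that this is a security recommendation; consider saying so here, for example by stating that this class should only load files that are known to be trusted.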
Expand Down Expand Up @@ -86,6 +87,7 @@
The [param cache_mode] property defines whether and how the cache should be used or updated when loading the resource. See [enum CacheMode] for details.
Returns an empty resource if no [ResourceFormatLoader] could handle the file, and prints an error if no file is found at the specified path.
GDScript has a simplified [method @GDScript.load] built-in method which can be used in most situations, leaving the use of [ResourceLoader] for more advanced scenarios.
[b]Warning:[/b] Do not use this for save files, as it may lead to remote code execution when users share saves. You should only use this to load files that you know are trusted. Read <link title="Saving Games">$DOCS_URL/tutorials/io/saving_games.html</link> for further guidance.
[b]Note:[/b] If [member ProjectSettings.editor/export/convert_text_resources_to_binary] is [code]true[/code], [method @GDScript.load] will not be able to read converted files in an exported project. If you rely on run-time loading of files present within the PCK, set [member ProjectSettings.editor/export/convert_text_resources_to_binary] to [code]false[/code].
[b]Note:[/b] Relative paths will be prefixed with [code]"res://"[/code] before loading, to avoid unexpected results make sure your paths are absolute.
</description>
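Review bot: The line just above the new warning sends most readers to [method @GDScript.load] ("can be used in most situations"), so the warning added here will be missed by exactly the people who follow that advice. If [method @GDScript.load] does not already carry the same warning, add it there too, or reword this one to say that it applies to both.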
Expand All @@ -105,6 +107,7 @@
<description>
Returns the status of a threaded loading operation started with [method load_threaded_request] for the resource at [param path]. See [enum ThreadLoadStatus] for possible return values.
An array variable can optionally be passed via [param progress], and will return a one-element array containing the percentage of completion of the threaded loading.
[b]Warning:[/b] Do not use this for save files, as it may lead to remote code execution when users share saves. You should only use this to load files that you know are trusted. Read <link title="Saving Games">$DOCS_URL/tutorials/io/saving_games.html</link> for further guidance.
[b]Note:[/b] The recommended way of using this method is to call it during different frames (e.g., in [method Node._process], instead of a loop).
</description>
</method>
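Review bot: This warning sits on a method that, per its own description, only returns the status of a load started with [method load_threaded_request]; "Do not use this for save files" does not fit a status query. Move the warning to the method that hands back the loaded resource, or drop it here and rely on the one placed on the request method.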
Expand All @@ -117,6 +120,7 @@
<description>
Loads the resource using threads. If [param use_sub_threads] is [code]true[/code], multiple threads will be used to load the resource, which makes loading faster, but may affect the main thread (and thus cause game slowdowns).
The [param cache_mode] property defines whether and how the cache should be used or updated when loading the resource. See [enum CacheMode] for details.
[b]Warning:[/b] Do not use this for save files, as it may lead to remote code execution when users share saves. You should only use this to load files that you know are trusted. Read <link title="Saving Games">$DOCS_URL/tutorials/io/saving_games.html</link> for further guidance.
</description>
</method>
<method name="remove_resource_format_loader">
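Review bot: "files that you know are trusted" in the new warning is left undefined, and the sentence does not say how loading a save file turns into code execution, so a reader cannot judge which files qualify. Add a clause on what counts as trusted (for instance, files shipped with the project versus files a player received from someone else) and a short reason, rather than leaving both to the linked page. The same sentence is repeated verbatim on three methods, so the wording fix applies to each.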