I've been working on a game settings menu. The setting changes to Audio, Font Size changes and Font options do not stay after exiting the game settings scene.
What method is best suited for saving game settings?
I've used ConfigFile for a couple of apps.
https://docs.godotengine.org/en/4.1/classes/class_configfile.html#
I put the settings in a Dictionary, and use save_encrypted_pass() and load_encrypted_pass() to save and load the settings. The encryption has the side benefit of ensuring that the file is not corrupted by doing an MD5 check. For testing purposes, I also use save() to create an unencrypted save-file that can be viewed in a text editor.
For retaining settings between different scenes or dialogs, I store them as global variables in an autoload.
Be careful when using ConfigFile or Resource to save game data, as there is currently (still) a security vulnerability related to them.
ConfigFile: https://github.com/godotengine/godot/issues/80562
Resource: https://github.com/godotengine/godot-proposals/issues/4925
Does the MD5 check circumvent this issue?
It might not. I don't fully understand the security issue, but it sounds like the exploit could occur before ConfigFile has done the MD5 check.
That's overdue for a fix.
I just did a test using Godot 4.2-dev6. I was able to duplicate the exploit described here:
https://github.com/godotengine/godot/issues/80562
But when I change the saved config file to encrypted, the loading of the file fails with the error ERR_FILE_UNRECOGNIZED or ERR_FILE_CORRUPT, depending on where I insert the text, and the "malicious code" does not run.
So it appears that the MD5 check does avoid the issue. That's assuming that the encryption password is not known. If you're able to discover the password, which is not impossible, then you could decrypt the file, add the malicious code, re-encrypt the modified file and run the app.
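The approach discussed in the posts above, as an added example that is not code from any poster or from the Godot project: an autoload that saves settings with save_encrypted_pass(), falls back to defaults when load_encrypted_pass() returns an error, and accepts only allow-listed keys with the expected type and range. The path, password placeholder, setting names, ranges and font names are assumptions.

```gdscript
# settings_store.gd - added example; register it as an autoload.
extends Node

const PATH := "user://settings.cfg"   # assumed location
const PASSWORD := "REPLACE_ME"        # placeholder; it ships inside the game, so it can be recovered
const SECTION := "settings"

# Allow-list: key -> [default, min, max]. Names and ranges are assumptions.
const SCHEMA := {
	"master_volume": [0.8, 0.0, 1.0],
	"font_size": [16, 8, 48],
}
const FONTS := ["default", "serif", "mono"]  # hypothetical font option names

var values := {}

func _ready() -> void:
	load_settings()

func defaults() -> Dictionary:
	var d := {"font": FONTS[0]}
	for key in SCHEMA:
		d[key] = SCHEMA[key][0]
	return d

func save_settings() -> Error:
	var cfg := ConfigFile.new()
	for key in values:
		cfg.set_value(SECTION, key, values[key])
	return cfg.save_encrypted_pass(PATH, PASSWORD)

func load_settings() -> void:
	values = defaults()
	var cfg := ConfigFile.new()
	var err := cfg.load_encrypted_pass(PATH, PASSWORD)
	if err != OK:
		# Missing, corrupt or modified file (e.g. ERR_FILE_CORRUPT): keep defaults.
		push_warning("Settings not loaded (error %d), using defaults" % err)
		return
	for key in SCHEMA:
		var v = cfg.get_value(SECTION, key, SCHEMA[key][0])
		# Accept only numbers, then clamp to the allowed range.
		if typeof(v) == TYPE_INT or typeof(v) == TYPE_FLOAT:
			values[key] = clamp(v, SCHEMA[key][1], SCHEMA[key][2])
	var font = cfg.get_value(SECTION, "font", FONTS[0])
	if typeof(font) == TYPE_STRING and font in FONTS:
		values["font"] = font
```

Other scenes read and write the `values` dictionary on the autoload and call `save_settings()` when the settings menu closes.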
I furthered my learning of saving by using a tutorial made for Godot 4. It did raise a question for me. How do I make my save human readable? And yes, I'm okay with someone being able to read and edit them. It's no big deal for me.
Opening them up ends up looking like this...