Saving Game Setting Changes [4.1.2]

RPGguy

I've been working on a game settings menu. The setting changes to Audio, Font Size changes and Font options do not stay after exiting the game settings scene.

What method is best suited for saving game settings?

DaveTheCoder

I've used ConfigFile for a couple of apps.
https://docs.godotengine.org/en/4.1/classes/class_configfile.html#

I put the settings in a Dictionary, and use save_encrypted_pass() and load_encrypted_pass() to save and load the settings. The encryption has the side benefit of ensuring that the file is not corrupted by doing an MD5 check. For testing purposes, I also use save() to create an unencrypted save-file that can be viewed in a text editor.

For retaining settings between different scenes or dialogs, I store them as global variables in an autoload.

award

Be careful when using ConfigFile or Resource to save game data, as there is currently (still) a security vulnerability related to them.

ConfigFile: https://github.com/godotengine/godot/issues/80562
Resource: https://github.com/godotengine/godot-proposals/issues/4925

Does the MD5 check circumvent this issue?

DaveTheCoder

award Does the MD5 check circumvent this issue?

It might not. I don't fully understand the security issue, but it sounds like the exploit could occur before ConfigFile has done the MD5 check.

That's overdue for a fix.

DaveTheCoder

award Does the MD5 check circumvent this issue?

DaveTheCoder It might not. I don't fully understand the security issue, but it sounds like the exploit could occur before ConfigFile has done the MD5 check.

I just did a test using Godot 4.2-dev6. I was able to duplicate the exploit described here:
https://github.com/godotengine/godot/issues/80562

But when I change the saved config file to encrypted, the loading of the file fails with the error ERR_FILE_UNRECOGNIZED or ERR_FILE_CORRUPT, depending on where I insert the text, and the "malicious code" does not run.

So it appears that the MD5 check does avoid the issue. That's assuming that the encryption password is not known. If you're able to discover the password, which is not impossible, then you could decrypt the file, add the malicious code, re-encrypt the modified file and run the app.

RPGguy

I furthered my learning of saving by using a tutorial made for Godot 4. It did raise a question for me. How do I make my save human readable? And yes, I'm okay with someone being able to read and edit them. It's no big deal for me.

Opening them up ends up looking like this...

award

RPGguy

That's because it's in binary. Do like DaveTheCoder mentioned he does and save a regular, non-encrypted version in addition to the encrypted one, just for debug purposes. You only load the encrypted one back in, though.