NetworkBehaviour.lastCommandSender

Assets/Mirror/Core/NetworkBehaviour.cs

@@ -163,6 +163,13 @@ public bool authority
         // hook guard prevents that.
         ulong syncVarHookGuard;
 
+        // [Command(requiresAuthority=false)] on global objects allow any sender.
+        // senders can be verified with optional (NetworkConnectionToClient) parameter.
+        // if a studio forgot to add that parameter, then validating senders would requires a full server + client rebuild.
+        // sometimes that's not possible in time (i.e. urgent exploits), in that case - this field can be used.
+        protected NetworkConnectionToClient lastCommandSender = null;
+        internal void SetLastCommandSender(NetworkConnectionToClient conn) => lastCommandSender = conn;
+
         protected virtual void OnValidate()
         {
             // Skip if Editor is in Play mode

Assets/Mirror/Core/RemoteCalls.cs

@@ -129,6 +129,9 @@ internal static bool Invoke(ushort functionHash, RemoteCallType remoteCallType,
             if (GetInvokerForHash(functionHash, remoteCallType, out Invoker invoker) &&
                 invoker.componentType.IsInstanceOfType(component))
             {
+                // set sender in case it's needed
+                component.SetLastCommandSender(senderConnection);
+
                 // invoke function on this component
                 invoker.function(component, reader, senderConnection);
                 return true;