This review is from Crev, a distributed system for code reviews. To add your review, set up cargo-crev.

The current version of Tiled is 0.11.2.

0.8.0 (older version) Rating: Negative Thoroughness: Medium Understanding: Medium

by MaulingMonkey on 2019-09-02

Do not use on User Generated Content! * Vulnerable to path traversal attacks if fed bogus .tmx files (see Tileset::new_reference) * No obvious protection against zipbombs * A couple cases where bad input will panic, a potential DoS vector.

For game engines, there's also no great way to inject your own virtual filesystem callbacks (again see Tileset::new_reference)

There's also a few missing features: * Wang Tiles * Terrains * "file" Custom Properties


File Rating Notes
assets/tiled_base64_external.tmx +1
assets/tiled_base64_gzip.tmx +1
assets/tiled_base64_zlib.tmx +1
assets/tiled_base64.tmx +1
assets/tiled_csv.tmx +1
assets/tiled_image_layers.tmx +1
assets/tiled_xml.tmx +1
tilesheet.png +1 Neat looking modern tileset... wonder what the source is!
tilesheet.tsx +1
examples/ +1
src/ +1
tests/ +1
.cargo-ok +1
.gitignore +1
.travis.yml +1 Sparse... no MSRV, beta/nightly, etc.
Cargo.toml +1
Cargo.toml.orig +1 +1 +1 Dead link to tileset source
Other Rating Notes
unsafe +1 No unsafe
fs -1 See Tileset::new_reference notes
io 0 Brittle XML parsing, but OK for limited inputs.
docs -1 Barely any.
tests +1


Line What Notes
28 get_attrs! Eep
53 parse_tag! Mishandles nested tags... fortunately that's probably not necessary.
97 Colour::from_str British... and a possible source of panics.
161 PropertyValue::new No "file" support (see
238 Map::new My kingdom for some variable names!
256 Map::new Still using try!
385 Tileset::new_reference Possible path traversal attacks, limits ability to inject your own virtual filesystem.
860 decode_csv I've heard decoding arbitrary CSV is way more complicated than this... but this probably works for tile data as used in tmx files.
883 convert_to_u32 Kinda want this to be based on iterators to avoid an extra alloc...

Crates in the registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball. To review the actual code of the crate, it's best to use cargo crev open tiled. Alternatively, you can download the tarball of tiled v0.11.2 or view the source online.