Check skin privacy before calling getTexture in _drawThese

GarboMuffin · GarboMuffin · commit 7961940b38f6 · 2025-08-23T20:24:28.000-05:00
Fixes a theoretical side channel where a private skin's getTexture()
function could be easily timed (eg. using stamps) which could
possibly leak information to the project. No known case where this
would be even remotely possible.
diff --git a/src/RenderWebGL.js b/src/RenderWebGL.js
@@ -2111,12 +2111,15 @@ class RenderWebGL extends EventEmitter {
                 drawable.scale[1] * opts.framebufferHeight / this._nativeSize[1]
             ] : drawable.scale;
 
-            // If the skin or texture isn't ready yet, skip it.
-            if (!drawable.skin || !drawable.skin.getTexture(drawableScale)) continue;
+            // Skip drawables with no skin.
+            if (!drawable.skin) continue;
 
             // Skip private skins, if requested.
             if (opts.skipPrivateSkins && drawable.skin.private) continue;
 
+            // Skip drawables with a skin that does not have a texture.
+            if (!drawable.skin.getTexture(drawableScale)) continue;
+
             const uniforms = {};
 
             let effectBits = drawable.enabledEffects;
