aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea>2009-01-17 23:09:58 +0000
committerludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea>2009-01-17 23:09:58 +0000
commitb900e8e57ce8be0dfef6c4e79601a071b0932a46 (patch)
tree4899d0cb166c492eba38d3ca1e1a293d1955bcfe
parentf95b5a79bdcbe7820b308b5f000809701ac20013 (diff)
downloadioquake3-aero-b900e8e57ce8be0dfef6c4e79601a071b0932a46.tar.gz
ioquake3-aero-b900e8e57ce8be0dfef6c4e79601a071b0932a46.zip
security fix: prevent command injection via callvote
git-svn-id: svn://svn.icculus.org/quake3/trunk@1493 edf5b092-35ff-0310-97b2-ce42778d08ea
-rw-r--r--code/game/g_cmds.c14
-rw-r--r--code/qcommon/cmd.c16
-rw-r--r--code/qcommon/qcommon.h1
-rw-r--r--code/server/sv_client.c1
4 files changed, 29 insertions, 3 deletions
diff --git a/code/game/g_cmds.c b/code/game/g_cmds.c
index b8fa2b3..1ecb0cb 100644
--- a/code/game/g_cmds.c
+++ b/code/game/g_cmds.c
@@ -1213,6 +1213,7 @@ Cmd_CallVote_f
==================
*/
void Cmd_CallVote_f( gentity_t *ent ) {
+ char* c;
int i;
char arg1[MAX_STRING_TOKENS];
char arg2[MAX_STRING_TOKENS];
@@ -1239,9 +1240,16 @@ void Cmd_CallVote_f( gentity_t *ent ) {
trap_Argv( 1, arg1, sizeof( arg1 ) );
trap_Argv( 2, arg2, sizeof( arg2 ) );
- if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) {
- trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
- return;
+ // check for command separators in arg2
+ for( c = arg2; *c; ++c) {
+ switch(*c) {
+ case '\n':
+ case '\r':
+ case ';':
+ trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
+ return;
+ break;
+ }
}
if ( !Q_stricmp( arg1, "map_restart" ) ) {
diff --git a/code/qcommon/cmd.c b/code/qcommon/cmd.c
index 08af301..8b14c2a 100644
--- a/code/qcommon/cmd.c
+++ b/code/qcommon/cmd.c
@@ -434,6 +434,22 @@ char *Cmd_Cmd(void)
}
/*
+ Replace command separators with space to prevent interpretation
+ This is a hack to protect buggy qvms
+ https://bugzilla.icculus.org/show_bug.cgi?id=3593
+*/
+void Cmd_Args_Sanitize( void ) {
+ int i;
+ for ( i = 1 ; i < cmd_argc ; i++ ) {
+ char* c = cmd_argv[i];
+ while ((c = strpbrk(c, "\n\r;"))) {
+ *c = ' ';
+ ++c;
+ }
+ }
+}
+
+/*
============
Cmd_TokenizeString
diff --git a/code/qcommon/qcommon.h b/code/qcommon/qcommon.h
index 6a264d3..34cb2e9 100644
--- a/code/qcommon/qcommon.h
+++ b/code/qcommon/qcommon.h
@@ -434,6 +434,7 @@ char *Cmd_Args (void);
char *Cmd_ArgsFrom( int arg );
void Cmd_ArgsBuffer( char *buffer, int bufferLength );
char *Cmd_Cmd (void);
+void Cmd_Args_Sanitize( void );
// The functions that execute commands get their parameters with these
// functions. Cmd_Argv () will return an empty string, not a NULL
// if arg > argc, so string operations are allways safe.
diff --git a/code/server/sv_client.c b/code/server/sv_client.c
index 5554ebf..01f4d8b 100644
--- a/code/server/sv_client.c
+++ b/code/server/sv_client.c
@@ -1500,6 +1500,7 @@ void SV_ExecuteClientCommand( client_t *cl, const char *s, qboolean clientOK ) {
if (clientOK) {
// pass unknown strings to the game
if (!u->name && sv.state == SS_GAME) {
+ Cmd_Args_Sanitize();
VM_Call( gvm, GAME_CLIENT_COMMAND, cl - svs.clients );
}
}