diff options
author | ludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2009-01-17 23:09:58 +0000 |
---|---|---|
committer | ludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2009-01-17 23:09:58 +0000 |
commit | b900e8e57ce8be0dfef6c4e79601a071b0932a46 (patch) | |
tree | 4899d0cb166c492eba38d3ca1e1a293d1955bcfe | |
parent | f95b5a79bdcbe7820b308b5f000809701ac20013 (diff) | |
download | ioquake3-aero-b900e8e57ce8be0dfef6c4e79601a071b0932a46.tar.gz ioquake3-aero-b900e8e57ce8be0dfef6c4e79601a071b0932a46.zip |
security fix: prevent command injection via callvote
git-svn-id: svn://svn.icculus.org/quake3/trunk@1493 edf5b092-35ff-0310-97b2-ce42778d08ea
-rw-r--r-- | code/game/g_cmds.c | 14 | ||||
-rw-r--r-- | code/qcommon/cmd.c | 16 | ||||
-rw-r--r-- | code/qcommon/qcommon.h | 1 | ||||
-rw-r--r-- | code/server/sv_client.c | 1 |
4 files changed, 29 insertions, 3 deletions
diff --git a/code/game/g_cmds.c b/code/game/g_cmds.c index b8fa2b3..1ecb0cb 100644 --- a/code/game/g_cmds.c +++ b/code/game/g_cmds.c @@ -1213,6 +1213,7 @@ Cmd_CallVote_f ================== */ void Cmd_CallVote_f( gentity_t *ent ) { + char* c; int i; char arg1[MAX_STRING_TOKENS]; char arg2[MAX_STRING_TOKENS]; @@ -1239,9 +1240,16 @@ void Cmd_CallVote_f( gentity_t *ent ) { trap_Argv( 1, arg1, sizeof( arg1 ) ); trap_Argv( 2, arg2, sizeof( arg2 ) ); - if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) { - trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" ); - return; + // check for command separators in arg2 + for( c = arg2; *c; ++c) { + switch(*c) { + case '\n': + case '\r': + case ';': + trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" ); + return; + break; + } } if ( !Q_stricmp( arg1, "map_restart" ) ) { diff --git a/code/qcommon/cmd.c b/code/qcommon/cmd.c index 08af301..8b14c2a 100644 --- a/code/qcommon/cmd.c +++ b/code/qcommon/cmd.c @@ -434,6 +434,22 @@ char *Cmd_Cmd(void) } /* + Replace command separators with space to prevent interpretation + This is a hack to protect buggy qvms + https://bugzilla.icculus.org/show_bug.cgi?id=3593 +*/ +void Cmd_Args_Sanitize( void ) { + int i; + for ( i = 1 ; i < cmd_argc ; i++ ) { + char* c = cmd_argv[i]; + while ((c = strpbrk(c, "\n\r;"))) { + *c = ' '; + ++c; + } + } +} + +/* ============ Cmd_TokenizeString diff --git a/code/qcommon/qcommon.h b/code/qcommon/qcommon.h index 6a264d3..34cb2e9 100644 --- a/code/qcommon/qcommon.h +++ b/code/qcommon/qcommon.h @@ -434,6 +434,7 @@ char *Cmd_Args (void); char *Cmd_ArgsFrom( int arg ); void Cmd_ArgsBuffer( char *buffer, int bufferLength ); char *Cmd_Cmd (void); +void Cmd_Args_Sanitize( void ); // The functions that execute commands get their parameters with these // functions. Cmd_Argv () will return an empty string, not a NULL // if arg > argc, so string operations are allways safe. diff --git a/code/server/sv_client.c b/code/server/sv_client.c index 5554ebf..01f4d8b 100644 --- a/code/server/sv_client.c +++ b/code/server/sv_client.c @@ -1500,6 +1500,7 @@ void SV_ExecuteClientCommand( client_t *cl, const char *s, qboolean clientOK ) { if (clientOK) { // pass unknown strings to the game if (!u->name && sv.state == SS_GAME) { + Cmd_Args_Sanitize(); VM_Call( gvm, GAME_CLIENT_COMMAND, cl - svs.clients ); } } |