authorludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea>2009-01-17 23:09:58 +0000
committerludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea>2009-01-17 23:09:58 +0000
commitb900e8e57ce8be0dfef6c4e79601a071b0932a46 (patch)
tree4899d0cb166c492eba38d3ca1e1a293d1955bcfe /code/game
parentf95b5a79bdcbe7820b308b5f000809701ac20013 (diff)
security fix: prevent command injection via callvote
git-svn-id: svn://svn.icculus.org/quake3/trunk@1493 edf5b092-35ff-0310-97b2-ce42778d08ea
Diffstat (limited to 'code/game')
-rw-r--r--code/game/g_cmds.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/code/game/g_cmds.c b/code/game/g_cmds.c
index b8fa2b3..1ecb0cb 100644
--- a/code/game/g_cmds.c
+++ b/code/game/g_cmds.c
@@ -1213,6 +1213,7 @@ Cmd_CallVote_f
==================
*/
void Cmd_CallVote_f( gentity_t *ent ) {
+ char* c;
int i;
char arg1[MAX_STRING_TOKENS];
char arg2[MAX_STRING_TOKENS];
@@ -1239,9 +1240,16 @@ void Cmd_CallVote_f( gentity_t *ent ) {
trap_Argv( 1, arg1, sizeof( arg1 ) );
trap_Argv( 2, arg2, sizeof( arg2 ) );
- if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) {
- trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
- return;
+ // check for command separators in arg2
+ for( c = arg2; *c; ++c) {
+ switch(*c) {
+ case '\n':
+ case '\r':
+ case ';':
+ trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
+ return;
+ break;
+ }
}
if ( !Q_stricmp( arg1, "map_restart" ) ) {
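Review bot: The old check rejected `;` in both arg1 and arg2, but the new loop scans only arg2, so from this point on rejecting a separator in arg1 depends entirely on the `Q_stricmp` whitelist chain that begins at the last context line and continues outside the hunk; that is presumably the intent (arg1 must equal a known vote command or the caller gets "Invalid vote string"), and it is worth a comment so the next reader does not reinsert a scan of arg1 or, worse, add a vote branch that forwards arg1 unvalidated, e.g. `// arg1 is not scanned: it must match one of the vote commands below exactly`. The `break;` after `return;` inside the switch is unreachable and should be dropped, and the pointer should be declared as `const char *c;` (the loop never writes through it; the `char* c;` spelling is in the first hunk). The comment could also say why exactly these three bytes are rejected — they are, as far as I can tell, the characters the server's command buffer treats as command terminators when level.voteString is later executed, which is what makes this a command-injection fix; confirm against the Cbuf code before stating it. Cmd_CallVote_f continues past the end of this hunk.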