security fix: prevent command injection via callvote

git-svn-id: svn://svn.icculus.org/quake3/trunk@1493 edf5b092-35ff-0310-97b2-ce42778d08ea

2 files changed, 17 insertions, 0 deletions

diff --git a/code/qcommon/cmd.c b/code/qcommon/cmd.c
index 08af301..8b14c2a 100644
--- a/code/qcommon/cmd.c
+++ b/code/qcommon/cmd.c
@@ -434,6 +434,22 @@ char *Cmd_Cmd(void)
 }
 
 /*
+   Replace command separators with space to prevent interpretation
+   This is a hack to protect buggy qvms
+   https://bugzilla.icculus.org/show_bug.cgi?id=3593
+*/
+void Cmd_Args_Sanitize( void ) {
+	int i;
+	for ( i = 1 ; i < cmd_argc ; i++ ) {
+		char* c = cmd_argv[i];
+		while ((c = strpbrk(c, "\n\r;"))) {
+			*c = ' ';
+			++c;
+		}
+	}
+}
+
+/*
 ============
 Cmd_TokenizeString
 
diff --git a/code/qcommon/qcommon.h b/code/qcommon/qcommon.h
index 6a264d3..34cb2e9 100644
--- a/code/qcommon/qcommon.h
+++ b/code/qcommon/qcommon.h
@@ -434,6 +434,7 @@ char	*Cmd_Args (void);
 char	*Cmd_ArgsFrom( int arg );
 void	Cmd_ArgsBuffer( char *buffer, int bufferLength );
 char	*Cmd_Cmd (void);
+void	Cmd_Args_Sanitize( void );
 // The functions that execute commands get their parameters with these
 // functions. Cmd_Argv () will return an empty string, not a NULL
 // if arg > argc, so string operations are allways safe.