From b900e8e57ce8be0dfef6c4e79601a071b0932a46 Mon Sep 17 00:00:00 2001
From: ludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea>
Date: Sat, 17 Jan 2009 23:09:58 +0000
Subject: security fix: prevent command injection via callvote

git-svn-id: svn://svn.icculus.org/quake3/trunk@1493 edf5b092-35ff-0310-97b2-ce42778d08ea
---
 code/game/g_cmds.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'code/game/g_cmds.c')

diff --git a/code/game/g_cmds.c b/code/game/g_cmds.c
index b8fa2b3..1ecb0cb 100644
--- a/code/game/g_cmds.c
+++ b/code/game/g_cmds.c
@@ -1213,6 +1213,7 @@ Cmd_CallVote_f
 ==================
 */
 void Cmd_CallVote_f( gentity_t *ent ) {
+	char*	c;
 	int		i;
 	char	arg1[MAX_STRING_TOKENS];
 	char	arg2[MAX_STRING_TOKENS];
@@ -1239,9 +1240,16 @@ void Cmd_CallVote_f( gentity_t *ent ) {
 	trap_Argv( 1, arg1, sizeof( arg1 ) );
 	trap_Argv( 2, arg2, sizeof( arg2 ) );
 
-	if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) {
-		trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
-		return;
+	// check for command separators in arg2
+	for( c = arg2; *c; ++c) {
+		switch(*c) {
+			case '\n':
+			case '\r':
+			case ';':
+				trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
+				return;
+			break;
+		}
 	}
 
 	if ( !Q_stricmp( arg1, "map_restart" ) ) {
-- 
cgit v1.2.3