From b900e8e57ce8be0dfef6c4e79601a071b0932a46 Mon Sep 17 00:00:00 2001 From: ludwig Date: Sat, 17 Jan 2009 23:09:58 +0000 Subject: security fix: prevent command injection via callvote git-svn-id: svn://svn.icculus.org/quake3/trunk@1493 edf5b092-35ff-0310-97b2-ce42778d08ea --- code/qcommon/cmd.c | 16 ++++++++++++++++ code/qcommon/qcommon.h | 1 + 2 files changed, 17 insertions(+) (limited to 'code/qcommon') diff --git a/code/qcommon/cmd.c b/code/qcommon/cmd.c index 08af301..8b14c2a 100644 --- a/code/qcommon/cmd.c +++ b/code/qcommon/cmd.c @@ -433,6 +433,22 @@ char *Cmd_Cmd(void) return cmd_cmd; } +/* + Replace command separators with space to prevent interpretation + This is a hack to protect buggy qvms + https://bugzilla.icculus.org/show_bug.cgi?id=3593 +*/ +void Cmd_Args_Sanitize( void ) { + int i; + for ( i = 1 ; i < cmd_argc ; i++ ) { + char* c = cmd_argv[i]; + while ((c = strpbrk(c, "\n\r;"))) { + *c = ' '; + ++c; + } + } +} + /* ============ Cmd_TokenizeString diff --git a/code/qcommon/qcommon.h b/code/qcommon/qcommon.h index 6a264d3..34cb2e9 100644 --- a/code/qcommon/qcommon.h +++ b/code/qcommon/qcommon.h @@ -434,6 +434,7 @@ char *Cmd_Args (void); char *Cmd_ArgsFrom( int arg ); void Cmd_ArgsBuffer( char *buffer, int bufferLength ); char *Cmd_Cmd (void); +void Cmd_Args_Sanitize( void ); // The functions that execute commands get their parameters with these // functions. Cmd_Argv () will return an empty string, not a NULL // if arg > argc, so string operations are allways safe. -- cgit v1.2.3