From 46841aa463009df7ecf31964a93e2a25aa0259ce Mon Sep 17 00:00:00 2001
From: thilo
Date: Thu, 1 Jun 2006 00:23:46 +0000
Subject: Forgot to check for windows-style path seperator in precaution against directory traversal abuse.

git-svn-id: svn://svn.icculus.org/quake3/trunk@794 edf5b092-35ff-0310-97b2-ce42778d08ea
---
 code/client/cl_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'code')

diff --git a/code/client/cl_main.c b/code/client/cl_main.c
index da5d116..12b102d 100644
--- a/code/client/cl_main.c
+++ b/code/client/cl_main.c
@@ -1445,7 +1445,7 @@ void CL_NextDownload(void) {
 s = localName + strlen(localName); // point at the nul byte
 // Make sure the server cannot make us write to non-quake3 directories.
- if(strstr(localName, "../"))
+ if(strstr(localName, "../") || strstr(localName, "..\\"))
 {
 Com_Error(ERR_DROP, "CL_NextDownload: Invalid download name %s", localName);
 return;
-- 
cgit v1.2.3
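Review bot: The guard on `localName` in CL_NextDownload is still a deny-list of two exact substrings, so a server-supplied name that is absolute (a leading `/` or `\`, or a drive prefix containing `:`) or that ends in a bare `..` is not rejected by this test. Whether the file-system layer that later opens the download re-roots or refuses such names is not visible here, since the function body continues outside the hunk, so the check should not rely on it. A stricter form that needs no per-platform spelling would be `if(strstr(localName, "..") || strchr(localName, '\\') || strchr(localName, ':') || localName[0] == '/')`, assuming legitimate download names only ever use forward slashes and relative paths. It would also help to extend the comment to say what is accepted, for example `// localName comes from the server: only relative, forward-slash paths without ".." are allowed.`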