r1900 - branches/nexuiz-2.0/data/qcsrc/server
DONOTREPLY at icculus.org
DONOTREPLY at icculus.org
Sun Oct 29 04:17:01 EST 2006
Author: div0
Date: 2006-10-29 04:17:01 -0500 (Sun, 29 Oct 2006)
New Revision: 1900
Modified:
branches/nexuiz-2.0/data/qcsrc/server/clientcommands.qc
Log:
backport fix "cmd" security hole by redundantly copying over the checks from DP
Modified: branches/nexuiz-2.0/data/qcsrc/server/clientcommands.qc
===================================================================
--- branches/nexuiz-2.0/data/qcsrc/server/clientcommands.qc 2006-10-29 09:06:32 UTC (rev 1899)
+++ branches/nexuiz-2.0/data/qcsrc/server/clientcommands.qc 2006-10-29 09:17:01 UTC (rev 1900)
@@ -353,6 +353,29 @@
Say(self, TRUE, substring(s, 9, strlen(s) - 9));
//clientcommand(self, formatmessage(s));
} else {
+ string cmd;
+ cmd = argv(0);
+ if(cmd != "status")
+ if(cmd != "name")
+ //if(cmd != "say") // handled above
+ //if(cmd != "say_team") // handled above
+ if(cmd != "tell")
+ if(cmd != "color")
+ if(cmd != "kill")
+ if(cmd != "pause")
+ if(cmd != "kick")
+ if(cmd != "ping")
+ if(cmd != "pings")
+ if(cmd != "ban")
+ if(cmd != "pmodel")
+ if(cmd != "rate")
+ if(cmd != "playermodel")
+ if(cmd != "playerskin")
+ if(cmd != "god") if(cmd != "notarget") if(cmd != "fly") if(cmd != "give") if(cmd != "noclip")
+ {
+ ServerConsoleEcho(strcat("WARNING: Invalid clientcommand by ", self.netname, ": ", s), TRUE);
+ return;
+ }
clientcommand(self,s);
}
}
More information about the nexuiz-commits
mailing list