r3311 - trunk/data/qcsrc/server

DONOTREPLY at icculus.org DONOTREPLY at icculus.org
Wed Jan 30 06:52:43 EST 2008


Author: div0
Date: 2008-01-30 06:52:43 -0500 (Wed, 30 Jan 2008)
New Revision: 3311

Modified:
   trunk/data/qcsrc/server/clientcommands.qc
Log:
possibly this does nothing, possibly this fixes a security hole in voting


Modified: trunk/data/qcsrc/server/clientcommands.qc
===================================================================
--- trunk/data/qcsrc/server/clientcommands.qc	2008-01-30 11:49:53 UTC (rev 3310)
+++ trunk/data/qcsrc/server/clientcommands.qc	2008-01-30 11:52:43 UTC (rev 3311)
@@ -130,6 +130,17 @@
 	strunzone(msgstr);
 }
 
+float VoteCheckNasty(string cmd)
+{
+	if(strstrofs(cmd, ";", 0) >= 0)
+		return FALSE;
+	if(strstrofs(cmd, "\n", 0) >= 0)
+		return FALSE;
+	if(strstrofs(cmd, "\r", 0) >= 0)
+		return FALSE;
+	return TRUE;
+}
+
 string GetKickVoteVictim_newcommand;
 entity GetKickVoteVictim(string vote, string cmd)
 {
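Review bot: VoteCheckNasty has no comment stating its return convention, and the name reads as "TRUE when the command is nasty" while the body returns FALSE when it finds `;`, `\n` or `\r` and TRUE otherwise. A one-line header such as `// returns TRUE if cmd contains none of ";", "\n", "\r"; FALSE if any is present` would pin that down, or the function could be renamed to match what it returns. The check is also a three-character denylist, so it is only as complete as the console parser's set of separators, which is not visible here. An allowlist of the characters a vote string may contain would not depend on that.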
@@ -216,6 +227,8 @@
 						sprint(self, "^1Your vote is empty. See help for more info.\n");
 					} else if(time < self.vote_next) {
 						sprint(self, strcat("^1You have to wait ^2", ftos(self.vote_next - time), "^1 seconds before you can again call a vote.\n"));
+					} else if(VoteCheckNasty(vote)) {
+						sprint(self, "Syntax error in command.\n");
 					} else if(VoteAllowed(strcat1(argv(2)))) { // strcat seems to be necessary
 						// remap chmap to gotomap (forces intermission)
 						if(vote == "chmap" || vote == "gotomap") // won't work without arguments
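Review bot: The new branch `else if(VoteCheckNasty(vote))` rejects the vote when the function returns TRUE, but VoteCheckNasty as added in the first hunk returns TRUE for a string with no `;`, `\n` or `\r` and FALSE when one is present. As written, a clean vote gets "Syntax error in command." and a vote containing a separator falls through to the VoteAllowed branch, so the condition looks inverted and should read `} else if(!VoteCheckNasty(vote)) {`. The same applies to `else if(VoteCheckNasty(dovote))` in the third hunk (@@ -306,6 +319,8 @@). The enclosing function starts and ends outside both hunks, so how `vote` and `dovote` are used afterwards cannot be confirmed from here.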
@@ -306,6 +319,8 @@
 				dovote = VoteParse();
 				if(dovote == "") {
 					sprint(self, "^1Your command was empty. See help for more info.\n");
+				} else if(VoteCheckNasty(dovote)) {
+					sprint(self, "Syntax error in command.\n");
 				} else if(VoteAllowed(strcat1(argv(2)))) { // strcat seems to be necessary
 					if(dovote == "chmap" || dovote == "gotomap") // won't work without arguments
 						return;



