r790 - trunk/code/client

DONOTREPLY at icculus.org DONOTREPLY at icculus.org
Sun May 28 10:36:37 EDT 2006


Author: thilo
Date: 2006-05-28 10:36:37 -0400 (Sun, 28 May 2006)
New Revision: 790

Modified:
   trunk/code/client/cl_main.c
Log:
Prevent servers from making clients download files that are written to non-quake3 directories.


Modified: trunk/code/client/cl_main.c
===================================================================
--- trunk/code/client/cl_main.c	2006-05-25 16:22:19 UTC (rev 789)
+++ trunk/code/client/cl_main.c	2006-05-28 14:36:37 UTC (rev 790)
@@ -1443,6 +1443,13 @@
 			*s++ = 0;
 		else
 			s = localName + strlen(localName); // point at the nul byte
+		
+		// Make sure the server cannot make us write to non-quake3 directories.
+		if(strstr(localName, "../"))
+		{
+			Com_Error(ERR_DROP, "CL_NextDownload: Invalid download name %s", localName);
+			return;
+		}
 
 		CL_BeginDownload( localName, remoteName );
 




More information about the quake3-commits mailing list