[quake3] Re: Auto Downloads

Thilo Schulz arny at ats.s.bawue.de
Tue Jul 24 11:46:14 EDT 2007


On Tuesday 24 July 2007 17:17, Dirk wrote:
> fine... but there won't be much of a future without auto downloads
> anyways...

The download feature in quake3 is a gaping security hole as there is no 
protection whatsoever against malicious data files. As a matter of fact, I 
know *right now* which kind of malicious data files could be used to trigger 
an exploitable buffer overflow in any clients unfortunate enough to download 
such a file. We don't bother to fix this condition, as there has never been 
any effort to make the client secure when it comes to interpreting 
maps/models etc. and it would pretty much be a Sisyphean task to clear it all 
up.
What we don't need now is an autodownload feature set to "1" per default. If a 
mod wants to set it to 1 per default, then it should at least leave the user 
the choice whether he trusts that server to proceed downloading the data. But 
that really is up to the developers of those mods, and not to ioquake3 as we 
want to stay compatible with id's original mod and they simply don't have 
that check. So there's simply no point in bothering us about this.

-- 
Thilo Schulz