[quake3] Re: Auto Downloads
Thilo Schulz
arny at ats.s.bawue.de
Tue Jul 24 11:46:14 EDT 2007

On Tuesday 24 July 2007 17:17, Dirk wrote:
> fine... but there won't be much of a future without auto downloads
> anyways...

The download feature in quake3 is a gaping security hole as there is no
protection whatsoever against malicious data files. As a matter of fact, I
know *right now* which kind of malicious data files could be used to trigger
an exploitable buffer overflow in any clients unfortunate enough to download
such a file. We don't bother to fix this condition, as there has never been
any effort to make the client secure when it comes to interpreting
maps/models etc. and it would pretty much be a Sisyphean task to clear it all
up.

What we don't need now is an autodownload feature set to "1" per default. If a
mod wants to set it to 1 per default, then it should at least leave the user
the choice whether he trusts that server to proceed downloading the data. But
that really is up to the developers of those mods, and not to ioquake3 as we
want to stay compatible with id's original mod and they simply don't have
that check. So there's simply no point in bothering us about this.
--
Thilo Schulz