cl_consoleHistory stores passwords in q3config.cfg

un dead q3urt.undead at gmail.com
Sat Mar 31 14:28:47 EDT 2007


Hi all,

Sorry I couldn't check bugzilla to see if this is a known issue.  I
get an internal error when I try to connect to bugs or bugzilla.

cl_consoleHistory saves all commands you type including /password and
/rcon password.

A new user who doesn't view the config may not even be aware of this
issue.  Here's how they could be exposed:

1) Join a server and use /password or /rcon password.
2) Exit the server and send someone your config.

A lot of users aren't aware their q3config.cfg has the passwords.  To
them it's a file generated by quake that they don't worry about.

I don't think you should scrub for 'password' because then that lets
typos pass through.  Could you keep the console history in a separate
file like what id does with q3key?  A lot of people have multiple
configs so perhaps changing/adding a cvar that points to a filename
would be best.  As long as you set the cvar to a reasonable default,
the novice user doesn't have to worry about it.
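
An added example, not part of the original message or of the engine's code: a pre-share scrubber that drops the whole cl_consoleHistory line from a config instead of searching for the word 'password', so a mistyped command is removed as well. It assumes the config holds one `seta <cvar> "<value>"` command per line; the sample config and the `.shareable` output suffix are constructed for illustration.

```python
import re
import sys

# Assumption: q3config.cfg holds one 'seta <cvar> "<value>"' command per line.
# Cvar names are matched case-insensitively; set/seta/sets/setu are all accepted.
HISTORY_LINE = re.compile(
    r'^\s*set[asu]?\s+"?cl_consoleHistory"?(\s|$)', re.IGNORECASE
)


def scrub_config(text):
    """Return (clean_text, removed_lines) with every cl_consoleHistory line dropped.

    The whole line is removed regardless of its content, so nothing depends on
    recognising the word 'password' inside the saved history.
    """
    kept, removed = [], []
    for line in text.splitlines(keepends=True):
        (removed if HISTORY_LINE.match(line) else kept).append(line)
    return "".join(kept), removed


# Constructed sample: the history value format is illustrative only. The saved
# command is deliberately misspelled, so a filter for 'password' would miss it.
SAMPLE = (
    '// generated by quake, do not modify\n'
    'seta name "player"\n'
    'seta cl_consoleHistory "rcon pasword hunter2 status"\n'
    'seta sensitivity "5"\n'
)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        path = sys.argv[1]
        with open(path, encoding="utf-8", errors="replace") as fh:
            clean, removed = scrub_config(fh.read())
        # Write a copy next to the original; the original file is left untouched.
        with open(path + ".shareable", "w", encoding="utf-8") as fh:
            fh.write(clean)
        print(f"removed {len(removed)} history line(s) -> {path}.shareable")
    else:
        clean, removed = scrub_config(SAMPLE)
        print(clean, end="")
        print(f"removed {len(removed)} history line(s)")
```
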