cl_consoleHistory stores passwords in q3config.cfg
q3urt.undead at gmail.com
Sat Mar 31 14:28:47 EDT 2007
Sorry I couldn't check bugzilla to see if this is a known issue. I
get an internal error when I try to connect to bugs or bugzilla.
cl_consoleHistory saves all commands you type including /password and
A new user who doesn't view the config may not even be aware of this
issue. Here's how they could be exposed:
1) Join a server and use /password or /rcon password.
2) Exit the server and send someone your config
A lot of users aren't aware their q3config.cfg has the passwords. To
them it's a file generated by quake that they don't worry about.
I don't think you should scrub for 'password' because then that lets
typos pass through. Could you keep the console history in a separate
file like what id does with q3key? A lot of people have multiple
configs so perhaps changing/adding a cvar that points to a filename
would be best. As long as you set the cvar to a reasonable default,
the novice user doesn't have to worry about it.
More information about the quake3