Module darkplaces: Change committed

havoc at icculus.org
Thu Jan 11 22:40:45 EST 2007


Committer  : havoc
CVSROOT    : /cvs/cvsroot/twilight
Module     : darkplaces
Commit time: 2007-01-12 03:40:45 UTC

Log message:

changed Cmd_AddCommand to only work for console commands, not client commands executed on the server, Cmd_AddCommand_WithClientCommand has been added to allow separate command functions for console commands and client commands, this got rid of a lot of cmd_source == src_command checks
this refactoring fixes a security vulnerability in the clcommand builtin provided by KRIMZON_SV_PARSECLIENTCOMMAND, which was able to execute many commands on the server console, and that put the burden on the QC code to validate command safety, which was not intended
in short: this fixes a remote console command execution vulnerability that affected a few games/mods

Modified files:
     cl_demo.c cmd.c cmd.h host_cmd.c sv_user.c
Name: darkplaces.20070112.034045.havoc.diff
URL: <http://icculus.org/pipermail/twilight-commits/attachments/20070111/69affd22/attachment.diff>
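
A simplified model of the registration scheme the log message describes, added here as an example; it is not DarkPlaces source and not the attached diff. All names (`cmd_add`, `cmd_add_with_client`, `cmd_execute`, the demo commands) are hypothetical. It shows how console-only registration by default keeps client-sourced command text away from console handlers without per-handler source checks.

```c
#include <stdio.h>
#include <string.h>
typedef enum { SRC_CONSOLE, SRC_CLIENT } cmd_source_t;  /* who issued the text */
typedef void (*cmd_fn)(void);
typedef struct {
    const char *name;
    cmd_fn console_fn;  /* handler for the local server console */
    cmd_fn client_fn;   /* handler for remote client text; NULL = not exposed */
} command_t;
static command_t cmds[16];
static int num_cmds, quit_calls, say_console_calls, say_client_calls;

/* Explicit opt-in: a separate handler per source. */
static void cmd_add_with_client(const char *name, cmd_fn console_fn, cmd_fn client_fn) {
    if (num_cmds < (int)(sizeof cmds / sizeof cmds[0]))
        cmds[num_cmds++] = (command_t){ name, console_fn, client_fn };
}

/* Default registration: console only, so clients get nothing unless opted in. */
static void cmd_add(const char *name, cmd_fn console_fn) {
    cmd_add_with_client(name, console_fn, NULL);
}

/* Returns 1 if a handler ran, 0 if the command is unknown or refused for src. */
static int cmd_execute(const char *name, cmd_source_t src) {
    for (int i = 0; i < num_cmds; i++) {
        if (strcmp(cmds[i].name, name) != 0) continue;
        cmd_fn fn = (src == SRC_CLIENT) ? cmds[i].client_fn : cmds[i].console_fn;
        if (fn) fn();
        return fn != NULL;
    }
    return 0;
}

static void quit_f(void)        { quit_calls++; }
static void say_console_f(void) { say_console_calls++; }
static void say_client_f(void)  { say_client_calls++; }
static void register_demo_commands(void) {  /* constructed sample commands */
    num_cmds = quit_calls = say_console_calls = say_client_calls = 0;
    cmd_add("quit", quit_f);                                  /* console only */
    cmd_add_with_client("say", say_console_f, say_client_f);  /* both sources */
}

int main(void) {
    register_demo_commands();
    printf("client quit ran: %d\n", cmd_execute("quit", SRC_CLIENT));   /* 0 */
    printf("console quit ran: %d\n", cmd_execute("quit", SRC_CONSOLE)); /* 1 */
    return 0;
}
```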