r790 - trunk/code/client
DONOTREPLY at icculus.org
DONOTREPLY at icculus.org
Sun May 28 10:36:37 EDT 2006
Author: thilo
Date: 2006-05-28 10:36:37 -0400 (Sun, 28 May 2006)
New Revision: 790
Modified:
trunk/code/client/cl_main.c
Log:
Prevent servers from making clients download files that are written to non-quake3 directories.
Modified: trunk/code/client/cl_main.c
===================================================================
--- trunk/code/client/cl_main.c 2006-05-25 16:22:19 UTC (rev 789)
+++ trunk/code/client/cl_main.c 2006-05-28 14:36:37 UTC (rev 790)
@@ -1443,6 +1443,13 @@
*s++ = 0;
else
s = localName + strlen(localName); // point at the nul byte
+
+ // Make sure the server cannot make us write to non-quake3 directories.
+ if(strstr(localName, "../"))
+ {
+ Com_Error(ERR_DROP, "CL_NextDownload: Invalid download name %s", localName);
+ return;
+ }
CL_BeginDownload( localName, remoteName );
More information about the quake3-commits
mailing list