[quake3-commits] [ioquake/ioq3] 3a6af1: Fix VMs being able to change CVAR_PROTECTED cvars

Zack Middleton zack at cloemail.com
Sun Jan 21 07:13:48 EST 2018


  Branch: refs/heads/master
  Home:   https://github.com/ioquake/ioq3
  Commit: 3a6af1bc48dca97d589b9643e39bc96be31acba9
      https://github.com/ioquake/ioq3/commit/3a6af1bc48dca97d589b9643e39bc96be31acba9
  Author: Zack Middleton <zack at cloemail.com>
  Date:   2018-01-21 (Sun, 21 Jan 2018)

  Changed paths:
    M code/qcommon/cvar.c

  Log Message:
  -----------
  Fix VMs being able to change CVAR_PROTECTED cvars

VM could use Cvar_Register to set a protected cvar as user created and
was then able to use Cvar_Register with CVAR_ROM to change the value.

Don't allow Cvar_Register to affect protected cvars and prevent VMs
from adding internal flags to any cvars (creator, modified, protected,
nonexistent).

Reported by Noah Metzger (Chomenor).


  Commit: adef4e6c9effb4d3e1c65bca4597116eca99ef4b
      https://github.com/ioquake/ioq3/commit/adef4e6c9effb4d3e1c65bca4597116eca99ef4b
  Author: Zack Middleton <zack at cloemail.com>
  Date:   2018-01-21 (Sun, 21 Jan 2018)

  Changed paths:
    M code/client/cl_ui.c
    M code/qcommon/common.c
    M code/qcommon/files.c
    M code/server/sv_client.c

  Log Message:
  -----------
  Don't register fs_game cvar everywhere just to get the value


  Commit: 78ca670d4f89ffa7f887f8f32d6d6e39bd9c78c3
      https://github.com/ioquake/ioq3/commit/78ca670d4f89ffa7f887f8f32d6d6e39bd9c78c3
  Author: Zack Middleton <zack at cloemail.com>
  Date:   2018-01-21 (Sun, 21 Jan 2018)

  Changed paths:
    M code/qcommon/cvar.c

  Log Message:
  -----------
  Don't let VMs change engine latch cvars immediately

If a VM increases sv_maxclients while a server is running the engine
will crash. The value should be latched until engine decides to update
the cvar; the same as when a user sets it.


  Commit: 3638f69dff3d6b3e624c0a6550f16482b172bc11
      https://github.com/ioquake/ioq3/commit/3638f69dff3d6b3e624c0a6550f16482b172bc11
  Author: Zack Middleton <zack at cloemail.com>
  Date:   2018-01-21 (Sun, 21 Jan 2018)

  Changed paths:
    M code/client/cl_main.c
    M code/client/cl_parse.c
    M code/qcommon/common.c
    M code/qcommon/files.c
    M code/qcommon/qcommon.h

  Log Message:
  -----------
  Fix fs_game '..' reading outside of home and base path

VMs could set fs_game to '..' at any time to access files outside of home
and base path. fs_game sent by server to clients could also be '..' to
access files outside of home and base path.

'..' was not caught by FS_CheckDirTraversal() as it expects filenames
not a single directory.

I've made fs_game be latched to prevent VMs from changing it with no
good way to validate it before it's used. com_basegame and fs_basegame
are now latched as well.

Additionally, it's now possible to change com_basegame while the engine
is running. game_restart or vid_restart will make it take effect.
com_homepath is now CVAR_PROTECTED to prevent VMs from changing it
to a directory traversal.

This requires my two previous commits for preventing VMs from changing
engine latch cvars and only Cvar_Get fs_game in FS_Startup (so CVAR_INIT
isn't added in several other places).

Reported by Noah Metzger (Chomenor).


Compare: https://github.com/ioquake/ioq3/compare/917bca4f7d8b...3638f69dff3d
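
The gap described in the last log message (a check written for filenames passes a bare '..' because no separator follows it) can be seen in this added example, which is not code from ioquake3 or from the commits above. The function names, the single-component rule and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical filename-style check: flags ".." only when a separator follows. */
int filename_has_traversal(const char *name)
{
    return strstr(name, "../") != NULL || strstr(name, "..\\") != NULL;
}

/* Hypothetical check for a value that will be used as ONE directory name. */
int is_single_component(const char *dir)
{
    if (dir == NULL || dir[0] == '\0')
        return 0;
    if (strcmp(dir, ".") == 0 || strcmp(dir, "..") == 0)
        return 0;
    return strpbrk(dir, "/\\") == NULL;
}

/* Build base/dir/file; return 0 on success, -1 if refused or truncated. */
int build_game_path(const char *base, const char *dir, const char *file,
                    char *out, size_t outlen)
{
    int n;

    if (!is_single_component(dir) || filename_has_traversal(file))
        return -1;
    n = snprintf(out, outlen, "%s/%s/%s", base, dir, file);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample values, not taken from the commit. */
    const char *dirs[] = { "baseq3", "..", ".", "mods/x", "..\\x" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof dirs / sizeof dirs[0]; i++) {
        int rc = build_game_path("/home/player/.q3a", dirs[i], "q3config.cfg",
                                 path, sizeof path);
        printf("%-8s filename-check=%d single-component=%d -> %s\n", dirs[i],
               filename_has_traversal(dirs[i]), is_single_component(dirs[i]),
               rc == 0 ? path : "(refused)");
    }
    return 0;
}
```

Validating the directory value as a single path component before it is joined closes the case the filename check misses, since the separator that check looks for only appears after the join.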
