Fix CVE-2017-6903 - Githubissues

FrozenSand / ioq3-for-UrbanTerror-4

The officially supported ioquake3 engine by the Frozen Sand Development Team for the game Urban Terror 4.x

http://www.urbanterror.info

GNU General Public License v2.0

148 stars 65 forks source link

Closed mickael9 closed 6 years ago

mickael9 commented 7 years ago

This fixes the issues mentioned in CVE-2017-6903 and adds more general security improvements as well.

Don't load q3config.cfg or autoexec.cfg from any pk3 file
Don't load QVMs from untrusted pk3 files in the download directory (this was previously detected but not actually blocked)
Disallow loading of DLL/so/dylib with a .pk3 extension
Add FS_CheckFilenameIsMutable from ioquake3
Ensure condump can only write to .txt files
Ensure writeconfig can only write to .cfg files
Improve malicious pk3 reporting (and add check for .cfg files as well)

Fixes #71

mickael9 commented 7 years ago

~~Don't merge this yet, I think it will prevent downloads because I didn't add the safe argument to FS_SV_Rename~~

Barbatos commented 7 years ago

Thank you. This one will need lots of testing that I don't have the time to do right now, so I'll leave the PR open for now. :)

ThomasBrierley commented 7 years ago

Don't merge this yet, I think it will prevent downloads because I didn't add the safe argument to FS_SV_Rename

I just tried it out on linux, downloads seem to work fine. Although i know the linux build uses curl, is that different on other platforms?

mickael9 commented 7 years ago

@ThomasBrierley That was fixed in afde689 and no, all platforms use curl for auto downloads

ThomasBrierley commented 7 years ago

Oh yeah, great, what else needs testing then? Currently using this patch and haven't come across anything, not that I know what to look for.

dundee commented 7 years ago

Any progress here?