Plenty of exploits and fixes missing from OpenJK/ioquake3

[ensiform]

When I have time to crawl through more, I can start showing which things exactly.

• [x] Challenge spoofing from servers to redirect clients to proxy servers
• [x] Client side download code workaround for larger downloads
• [ ] Cheat cvars aren't protected as well as in OpenJK and ioquake3 (on client connect)
• [ ] sv_cheats can just be initialized to 1 in the engine and reset to 1 upon server disconnect on the client as well. This allows clients to use cheat cvars during demo playback instead of the current workaround.
• [x] Is there any particular reason why systeminfo cvars aren't protected better on the client like this? - https://github.com/JACoders/OpenJK/blob/master/codemp/client/cl_parse.cpp#L467-L489
• [x] Not all cases of dir traversal appear fixed
• [ ] LACKING BUFFER SAFETY EVERYWHERE with vsprintf/sprintf instead of Q_vsnprintf/Com_sprintf can't fix broken mods still using it either and non-use of "%s" before printing strings in several areas.
• [x] Servers can send download packets to clients who don't even request
• [ ] Rcon code doesn't work with quotes and spaces properly on client or server
• [x] Rcon code is not buffer safe on client
• [x] Anyone can send print packets to clients
• [x] Missing fix for hosting listen server with non-4:3 res causing crash

[ouned]

hmm I never heard about most of these problems.

Is there any particular reason why systeminfo cvars aren't protected better on the client like this?

I think @Daggolin fixed the CVAR_SYSTEMINFO somehow a while ago.

Not all cases of dir traversal appear fixed

the fs_game fixes from the link? q3dirtrav is fixed

[ensiform]

Currently looking at an alternative sv_filterCommands implementation:

sv_filterCommands 0/1 was implemented by OpenJK. The Cmd_Args_Sanatise feature wasn't optional in ioquake3 (but we felt it was too strict and we are looking to make it even less strict when 1 now, hence removing the default ; check and leaving that to ONLY for callvote unless sv_filterCommands has bitflag 2.

https://gist.github.com/ensiform/5de0ba2901a9a956905e

https://gist.github.com/ensiform/4e1c418a25ebfd47c25c

// flags for sv_filterCommands
#define SVFC_GENERAL_NORMAL 1
#define SVFC_GENERAL_STRICT 2
#define SVFC_FIX_CHAT 4
#define SVFC_FIX_CALLVOTE 8
#define SVFC_FIX_BADTEAMS 16

I have not yet submitted this or tested it much. But this is the POC because of this thread: https://github.com/JACoders/OpenJK/issues/726

[ensiform]

Added more things. Working on diffing codebases right now.

[ensiform]

https://github.com/JACoders/OpenJK/blame/master/codemp/client/cl_scrn.cpp#L502-L519

Trying to host a server ie via the menu and non dedicated will crash your client if using a ratio that is not 4:3. Was a q3 bug so I doubt its not affected in jk2 since it was affected in jka.

[ouned]

closing this for now as everything important is finished