search

zturtleman / sgfork

Automatically exported from code.google.com/p/sgfork for archive purposes. I do not maintain it. Don't report issues here.
GNU General Public License v2.0
0 stars 0 forks source link

Callvote security bug #50

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Overall description:
It is possible to do the following in SG 1.0:
\callvote g_doWarmup 1;g_readteamname 11;g_blueteamname 10;scorelimit 4;map 
br_alamo_tiny

But the scorelimit, g_readteamname and g_blueteamname are forbidden to vote 
in game code.

The similar is allowed in SGFork:
\callvote g_redteam 10;g_blueteam 11;scorelimit 5;map br_alamo_tiny

scorelimit isn't in available votable variables.
You can vote via this trick anything you want.

Checked only in offline game with bots. But the code is the same for real 
players too.

And the code has the check:
    // make sure it is a valid command to vote on
    trap_Argv( 1, arg1, sizeof( arg1 ) );
    trap_Argv( 2, arg2, sizeof( arg2 ) );

    // check for command separators in arg2
    for( c = arg2; *c; ++c) {
        switch(*c) {
            case '\n':
            case '\r':
            case ';':
                trap_SendServerCommand( ent-g_entities, 
"print \"Invalid vote string.\n\"" );
                return;
            break;
        }
    }
Variables affected:
void Cmd_CallVote_f( gentity_t *ent )

Original issue reported on code.google.com by igorpana...@gmail.com on 31 Aug 2009 at 6:52

GoogleCodeExporter commented 9 years ago 
No bug.
Such callvote will call call vote only for callvote 1 argument. Other commands 
followed 
by semicolon will be executed without callvote.
The check will be applied only to arguments in double quotes. like:
\callvote "g_redteam 10;g_blueteam 11;scorelimit 5;map br_alamo_tiny"
And then it will work.

Closed due to no fix required.

Original comment by igorpana...@gmail.com on 31 Aug 2009 at 10:13