
Sanitize servercfgfile and lservercfgfile values with sm_cvar (bug 65…

…79).
1 parent 9d7d00d commit f6144a29d7a93186644763ab17baa3a658c6e396 @psychonic psychonic committed Jan 20, 2017
Showing with 10 additions and 0 deletions.
  1. +10 −0 plugins/basecommands.sp
@@ -308,6 +308,16 @@ public Action Command_Cvar(int client, int args)
}
GetCmdArg(2, value, sizeof(value));
+
+ // The server passes the values of these directly into ServerCommand, following exec. Sanitize.
+ if (StrEqual(cvarname, "servercfgfile", false) || StrEqual(cvarname, "lservercfgfile", false))
+ {
+ int pos = StrContains(value, ";", true);
+ if (pos != -1)
+ {
+ value[pos] = '\0';
+ }
+ }
if ((hndl.Flags & FCVAR_PROTECTED) != FCVAR_PROTECTED)
{
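Review bot: The new guard in Command_Cvar shortens `value` at the first `;` without telling the caller, so any later reply, activity message or log entry presumably shows only the cleaned string and the rejected input leaves no audit trail. Refusing the command is easier to audit than rewriting it, for example `if (StrContains(value, ";", true) != -1) { ReplyToCommand(client, "[SM] Invalid value for %s", cvarname); return Plugin_Handled; }`. The check is also a one-character denylist: if the engine's command buffer treats line breaks as separators as well, `\n` and `\r` should be refused the same way. The guard covers only this command, so any other code path that sets these two cvars would need the same check; that cannot be confirmed here because Command_Cvar starts and ends outside the hunk.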
