Chat commands (and by extension many more commands) bypass sv_cheats

[lvaness]

Describe the bug
Chat commands will execute certain concommands through IVEngineClient::ClientCmd. Some of these commands will accept parameters. Since these are not sanitized, you can chain a second command by appending ;<command> to the parameter.

These commands are not checked against sv_cheats, however, allowing you to execute some protected commands. It appears only GAMEDLL-flagged concommands work. I didn't find a way to change cvars since you need to add spaces for the parameters but I'm sure there's a way.

To Reproduce

• Launch a map without sv_cheats on
• Open chat
• Enter /spec *nullptr;cast_hull and submit
• See the raycasted hull
• Now try again in console
• See sv_cheats warning

Expected behavior
At least, it should verify sv_cheats, even if parameters remain executable. Still, there should probably be some sanitization.

Desktop/Branch (please complete the following information):

• OS: Linux
• Branch: 0.8.8 as of April push

Additional context
This is also apparent because /triggers works from chat but not from console. Since we do want that to be available anyways, it's not an issue though (same for the other chat commands). You can enable noclip this way but it has its own safeguard, stopping the timer, which makes it pretty useless. Finding a proper abuse scenario is left as an exercise to the reader.

[patrickmoc]

chat command parameters appear to be sanitized properly as of the most recent update.