From 68688385a0edda1dcc38995f7ce4fcb72360e275 Mon Sep 17 00:00:00 2001
From: Timo Smit
Date: Wed, 8 Feb 2017 14:48:56 +0100
Subject: [PATCH] Sanitizing client input (refs #67)

---
 luamods/wolfadmin/commands/admin/ban.lua | 2 +-
 luamods/wolfadmin/commands/admin/finger.lua | 2 +-
 luamods/wolfadmin/commands/admin/gib.lua | 2 +-
 luamods/wolfadmin/commands/admin/kick.lua | 2 +-
 luamods/wolfadmin/commands/admin/listaliases.lua | 2 +-
 luamods/wolfadmin/commands/admin/listlevels.lua | 2 +-
 luamods/wolfadmin/commands/admin/mute.lua | 2 +-
 luamods/wolfadmin/commands/admin/plock.lua | 2 +-
 luamods/wolfadmin/commands/admin/punlock.lua | 2 +-
 luamods/wolfadmin/commands/admin/put.lua | 2 +-
 luamods/wolfadmin/commands/admin/setlevel.lua | 4 ++--
 luamods/wolfadmin/commands/admin/showhistory.lua | 2 +-
 luamods/wolfadmin/commands/admin/slap.lua | 2 +-
 luamods/wolfadmin/commands/admin/stats.lua | 2 +-
 luamods/wolfadmin/commands/admin/unmute.lua | 2 +-
 luamods/wolfadmin/commands/admin/vmute.lua | 2 +-
 luamods/wolfadmin/commands/admin/vunmute.lua | 2 +-
 luamods/wolfadmin/commands/admin/warn.lua | 4 ++--
 luamods/wolfadmin/commands/commands.lua | 2 +-
 19 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/luamods/wolfadmin/commands/admin/ban.lua b/luamods/wolfadmin/commands/admin/ban.lua
index 088ae5a..107e42e 100644
--- a/luamods/wolfadmin/commands/admin/ban.lua
+++ b/luamods/wolfadmin/commands/admin/ban.lua
@@ -30,7 +30,7 @@ function commandBan(clientId, command, victim, ...)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dban usage: "..commands.getadmin("ban")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
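Review bot: The upper bound on the new `elseif` line is off by one: client slots run from 0 to sv_maxclients-1, so a `victim` equal to sv_maxclients still passes the range check and is used as a slot id; the comparison should be `>=`, and the identical line recurs in the hunks for finger, gib, kick, listaliases, listlevels, mute, plock, punlock, put, setlevel (both hunks), showhistory, slap, stats, unmute, vmute, vunmute, warn (both hunks) and commands.log. The check also accepts every numeric string `tonumber` parses, such as `"1.5"`, `"0x2"` or `"1e1"`, which then become the slot directly instead of going through name lookup, so an integer test like `slot ~= math.floor(slot)` belongs in the same condition. `tonumber(victim)` is evaluated three times per line and the whole condition is pasted into 19 files, which is why this fix had to touch 21 lines; a single resolver in commands.lua, which every admin command already requires for `commands.getadmin`, would be the place for it, as sketched below. Unless `cmdClient` is declared `local` earlier in each function (that would be above the hunk), these assignments create a global, whereas `commands.log` in the last hunk declares it locally. commandBan begins and ends outside the hunk.
```lua
-- proposed addition to commands.lua, next to commands.log:
-- Map a victim argument to a client slot. Only a non-negative integer below
-- sv_maxclients is taken as a slot id; anything else goes through name lookup.
function commands.resolveClient(victim)
    local slot = tonumber(victim)
    local maxClients = tonumber(et.trap_Cvar_Get("sv_maxclients"))

    if slot == nil or slot ~= math.floor(slot) or slot < 0 or slot >= maxClients then
        return et.ClientNumberFromString(victim)
    end

    return slot
end

-- in commandBan (and each other admin command), replacing the elseif/else pair:
        return true
    else
        cmdClient = commands.resolveClient(victim)
    -- … unchanged: rest of commandBan …
```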
diff --git a/luamods/wolfadmin/commands/admin/finger.lua b/luamods/wolfadmin/commands/admin/finger.lua
index 1008050..7fa6de6 100644
--- a/luamods/wolfadmin/commands/admin/finger.lua
+++ b/luamods/wolfadmin/commands/admin/finger.lua
@@ -29,7 +29,7 @@ function commandFinger(clientId, command, victim)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dfinger usage: "..commands.getadmin("finger")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/gib.lua b/luamods/wolfadmin/commands/admin/gib.lua
index da2af55..134601b 100644
--- a/luamods/wolfadmin/commands/admin/gib.lua
+++ b/luamods/wolfadmin/commands/admin/gib.lua
@@ -28,7 +28,7 @@ function commandGib(clientId, command, victim)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dgib usage: "..commands.getadmin("gib")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/kick.lua b/luamods/wolfadmin/commands/admin/kick.lua
index 870930a..5eb1a03 100644
--- a/luamods/wolfadmin/commands/admin/kick.lua
+++ b/luamods/wolfadmin/commands/admin/kick.lua
@@ -29,7 +29,7 @@ function commandKick(clientId, command, victim, ...)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dkick usage: "..commands.getadmin("kick")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/listaliases.lua b/luamods/wolfadmin/commands/admin/listaliases.lua
index 487f63e..16b234e 100644
--- a/luamods/wolfadmin/commands/admin/listaliases.lua
+++ b/luamods/wolfadmin/commands/admin/listaliases.lua
@@ -36,7 +36,7 @@ function commandListAliases(clientId, command, victim, offset)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dlistaliases usage: "..commands.getadmin("listaliases")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/listlevels.lua b/luamods/wolfadmin/commands/admin/listlevels.lua
index 7a2c0fe..3754ee4 100644
--- a/luamods/wolfadmin/commands/admin/listlevels.lua
+++ b/luamods/wolfadmin/commands/admin/listlevels.lua
@@ -68,7 +68,7 @@ function commandListLevels(clientId, command, victim, offset)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dlistlevels: ^9level history is disabled.\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/mute.lua b/luamods/wolfadmin/commands/admin/mute.lua
index 972a6af..5f248e6 100644
--- a/luamods/wolfadmin/commands/admin/mute.lua
+++ b/luamods/wolfadmin/commands/admin/mute.lua
@@ -33,7 +33,7 @@ function commandMute(clientId, command, victim, ...)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dmute usage: "..commands.getadmin("mute")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/plock.lua b/luamods/wolfadmin/commands/admin/plock.lua
index 3a3b863..e3d5e95 100644
--- a/luamods/wolfadmin/commands/admin/plock.lua
+++ b/luamods/wolfadmin/commands/admin/plock.lua
@@ -28,7 +28,7 @@ function commandPlayerLock(clientId, command, victim)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dplock usage: "..commands.getadmin("plock")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/punlock.lua b/luamods/wolfadmin/commands/admin/punlock.lua
index b012d69..251fd47 100644
--- a/luamods/wolfadmin/commands/admin/punlock.lua
+++ b/luamods/wolfadmin/commands/admin/punlock.lua
@@ -28,7 +28,7 @@ function commandPlayerUnlock(clientId, command, victim)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dpunlock usage: "..commands.getadmin("punlock")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/put.lua b/luamods/wolfadmin/commands/admin/put.lua
index f1a0607..0416922 100644
--- a/luamods/wolfadmin/commands/admin/put.lua
+++ b/luamods/wolfadmin/commands/admin/put.lua
@@ -30,7 +30,7 @@ function commandPlayerLock(clientId, command, victim, team)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dput usage: "..commands.getadmin("put")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/setlevel.lua b/luamods/wolfadmin/commands/admin/setlevel.lua
index 00d7e2c..2be6545 100644
--- a/luamods/wolfadmin/commands/admin/setlevel.lua
+++ b/luamods/wolfadmin/commands/admin/setlevel.lua
@@ -28,7 +28,7 @@ local settings = require (wolfa_getLuaPath()..".util.settings")
 function commandSetLevel(clientId, command, victim, level)
 if not victim or not level then
 return false
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
@@ -59,7 +59,7 @@ function commandSetLevel(clientId, command, victim, level)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dsetlevel usage: "..commands.getadmin("setlevel")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/showhistory.lua b/luamods/wolfadmin/commands/admin/showhistory.lua
index 49ac967..1b10b2b 100644
--- a/luamods/wolfadmin/commands/admin/showhistory.lua
+++ b/luamods/wolfadmin/commands/admin/showhistory.lua
@@ -36,7 +36,7 @@ function commandListHistory(clientId, command, victim, offset)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dshowhistory usage: "..commands.getadmin("showwarns")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/slap.lua b/luamods/wolfadmin/commands/admin/slap.lua
index b942324..bd5023e 100644
--- a/luamods/wolfadmin/commands/admin/slap.lua
+++ b/luamods/wolfadmin/commands/admin/slap.lua
@@ -28,7 +28,7 @@ function commandSlap(clientId, command, victim)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dslap usage: "..commands.getadmin("slap")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/stats.lua b/luamods/wolfadmin/commands/admin/stats.lua
index 87d6c6e..5abefa9 100644
--- a/luamods/wolfadmin/commands/admin/stats.lua
+++ b/luamods/wolfadmin/commands/admin/stats.lua
@@ -26,7 +26,7 @@ function commandShowStats(clientId, command, victim)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dstats usage: "..commands.getadmin("stats")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/unmute.lua b/luamods/wolfadmin/commands/admin/unmute.lua
index e4416f5..77438c1 100644
--- a/luamods/wolfadmin/commands/admin/unmute.lua
+++ b/luamods/wolfadmin/commands/admin/unmute.lua
@@ -30,7 +30,7 @@ function commandUnmute(clientId, command, victim)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dunmute usage: "..commands.getadmin("unmute")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/vmute.lua b/luamods/wolfadmin/commands/admin/vmute.lua
index b107087..cd8610b 100644
--- a/luamods/wolfadmin/commands/admin/vmute.lua
+++ b/luamods/wolfadmin/commands/admin/vmute.lua
@@ -31,7 +31,7 @@ function commandVoiceMute(clientId, command, victim, ...)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dvmute usage: "..commands.getadmin("vmute")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/vunmute.lua b/luamods/wolfadmin/commands/admin/vunmute.lua
index 9304972..5db2254 100644
--- a/luamods/wolfadmin/commands/admin/vunmute.lua
+++ b/luamods/wolfadmin/commands/admin/vunmute.lua
@@ -26,7 +26,7 @@ function commandVoiceUnmute(clientId, command, victim)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dvunmute usage: "..commands.getadmin("vunmute")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/admin/warn.lua b/luamods/wolfadmin/commands/admin/warn.lua
index 6cf5c23..e92662f 100644
--- a/luamods/wolfadmin/commands/admin/warn.lua
+++ b/luamods/wolfadmin/commands/admin/warn.lua
@@ -32,7 +32,7 @@ function commandWarn(clientId, command, victim, ...)
 return false
 elseif not victim or not ... then
 return false
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
@@ -55,7 +55,7 @@ function commandWarn(clientId, command, victim, ...)
 et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dwarn usage: "..commands.getadmin("warn")["syntax"].."\";")
 return true
- elseif tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ elseif tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)
diff --git a/luamods/wolfadmin/commands/commands.lua b/luamods/wolfadmin/commands/commands.lua
index 894ac99..56e1643 100644
--- a/luamods/wolfadmin/commands/commands.lua
+++ b/luamods/wolfadmin/commands/commands.lua
@@ -128,7 +128,7 @@ function commands.log(clientId, command, victim, ...)
 if victim then
 local cmdClient
- if tonumber(victim) == nil or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
+ if tonumber(victim) == nil or tonumber(victim) < 0 or tonumber(victim) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then
 cmdClient = et.ClientNumberFromString(victim)
 else
 cmdClient = tonumber(victim)