From c0d2aa0e92c6ac4c794234c3e1952707f5cebb63 Mon Sep 17 00:00:00 2001 From: Timo Smit Date: Mon, 16 Jan 2017 19:49:00 +0100 Subject: [PATCH] Sanitizing some client input (fixes #67) --- luascripts/commands/admin/dewarn.lua | 4 ++-- luascripts/commands/admin/listaliases.lua | 4 ++-- luascripts/commands/admin/listlevels.lua | 4 ++-- luascripts/commands/admin/plock.lua | 4 ++-- luascripts/commands/admin/punlock.lua | 4 ++-- luascripts/commands/admin/setlevel.lua | 4 ++-- luascripts/commands/admin/showwarns.lua | 4 ++-- luascripts/commands/admin/stats.lua | 4 ++-- luascripts/commands/admin/vmute.lua | 4 ++-- luascripts/commands/admin/vunmute.lua | 4 ++-- luascripts/commands/admin/warn.lua | 4 ++-- luascripts/commands/client/pm.lua | 4 ++-- luascripts/commands/commands.lua | 4 ++-- 13 files changed, 26 insertions(+), 26 deletions(-) diff --git a/luascripts/commands/admin/dewarn.lua b/luascripts/commands/admin/dewarn.lua index 5a2fb37..e6d75da 100644 --- a/luascripts/commands/admin/dewarn.lua +++ b/luascripts/commands/admin/dewarn.lua @@ -35,7 +35,7 @@ function commandRemoveWarn(clientId, cmdArguments) cmdClient = tonumber(cmdArguments[1]) end - if cmdClient == -1 then + if cmdClient == -1 or cmdClient > et.trap_Cvar_Get("sv_maxclients") then et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^ddewarn: ^9no or multiple matches for '^7"..cmdArguments[1].."^9'.\";") return true @@ -57,4 +57,4 @@ function commandRemoveWarn(clientId, cmdArguments) return true end -commands.addadmin("dewarn", commandRemoveWarn, "R", "remove a warning for a certain player", "^9[^3name|slot#^9] ^9[^3warn#^9]", function() return (settings.get("g_warnHistory") == 0 or not db.isconnected()) end) \ No newline at end of file +commands.addadmin("dewarn", commandRemoveWarn, "R", "remove a warning for a certain player", "^9[^3name|slot#^9] ^9[^3warn#^9]", function() return (settings.get("g_warnHistory") == 0 or not db.isconnected()) end) 
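Review bot: The bound added in commandRemoveWarn compares `cmdClient` with the raw return value of `et.trap_Cvar_Get("sv_maxclients")`. The other files in this commit wrap that call in `tonumber()`, which suggests the cvar comes back as a string, and Lua raises an error when `>` is applied to a number and a string. If so, a dewarn call whose target resolves to a slot number would abort inside the handler instead of being range-checked. The listaliases.lua hunk has the same unwrapped comparison (`tonumber(cmdArguments[1]) > et.trap_Cvar_Get("sv_maxclients")`); both should use `tonumber(et.trap_Cvar_Get("sv_maxclients"))`. The body of commandRemoveWarn starts and ends outside this hunk.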
diff --git a/luascripts/commands/admin/listaliases.lua b/luascripts/commands/admin/listaliases.lua index 35bc116..49a6fb4 100644 --- a/luascripts/commands/admin/listaliases.lua +++ b/luascripts/commands/admin/listaliases.lua @@ -31,7 +31,7 @@ function commandListAliases(clientId, cmdArguments) et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dlistaliases usage: "..commands.getadmin("listaliases")["syntax"].."\";") return true - elseif tonumber(cmdArguments[1]) == nil then + elseif tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > et.trap_Cvar_Get("sv_maxclients") then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) @@ -76,4 +76,4 @@ function commandListAliases(clientId, cmdArguments) return true end -commands.addadmin("listaliases", commandListAliases, "f", "display all known aliases for a player", "^9[^3name|slot#^9] ^9(^hoffset^9)", function() return (not db.isconnected()) end) \ No newline at end of file +commands.addadmin("listaliases", commandListAliases, "f", "display all known aliases for a player", "^9[^3name|slot#^9] ^9(^hoffset^9)", function() return (not db.isconnected()) end) diff --git a/luascripts/commands/admin/listlevels.lua b/luascripts/commands/admin/listlevels.lua index 56852c4..1974f22 100644 --- a/luascripts/commands/admin/listlevels.lua +++ b/luascripts/commands/admin/listlevels.lua @@ -57,7 +57,7 @@ function commandListLevels(clientId, cmdArguments) et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dlistlevels: ^9level history is disabled.\";") return true - elseif tonumber(cmdArguments[1]) == nil then + elseif tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) 
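Review bot: The range test added in commandListLevels only rejects values above `sv_maxclients`, so a numeric first argument that is negative, fractional, or equal to `sv_maxclients` still takes the `else` branch and is used as a slot number. Client slots normally run from 0 to sv_maxclients - 1, so the upper comparison should be `>= tonumber(et.trap_Cvar_Get("sv_maxclients"))`, and values below 0 or with a fractional part should also go to the name lookup. The same condition is repeated in the plock, punlock, setlevel, showwarns, stats, vmute, vunmute, warn, pm and commands.lua hunks, and dewarn.lua and listaliases.lua use the same `>`. pm.lua deserves the most attention because it is registered through `commands.addclient` and is presumably reachable by any connected player. What each function later does with an out-of-range or unconnected slot is outside these hunks.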
@@ -93,4 +93,4 @@ function commandListLevels(clientId, cmdArguments) return true end -commands.addadmin("listlevels", commandListLevels, "s", "display all levels on the server", (not db.isconnected() and nil or "^9(^3name|slot#^9) ^9(^hoffset^9)")) \ No newline at end of file +commands.addadmin("listlevels", commandListLevels, "s", "display all levels on the server", (not db.isconnected() and nil or "^9(^3name|slot#^9) ^9(^hoffset^9)")) diff --git a/luascripts/commands/admin/plock.lua b/luascripts/commands/admin/plock.lua index 3b3dbf8..ee56ae3 100644 --- a/luascripts/commands/admin/plock.lua +++ b/luascripts/commands/admin/plock.lua @@ -25,7 +25,7 @@ function commandPlayerLock(clientId, cmdArguments) et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dplock usage: "..commands.getadmin("plock")["syntax"].."\";") return true - elseif tonumber(cmdArguments[1]) == nil then + elseif tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) @@ -61,4 +61,4 @@ function commandPlayerLock(clientId, cmdArguments) return true end -commands.addadmin("plock", commandPlayerLock, "K", "locks a player to a specific team", "^9[^3name|slot#^9]") \ No newline at end of file +commands.addadmin("plock", commandPlayerLock, "K", "locks a player to a specific team", "^9[^3name|slot#^9]") diff --git a/luascripts/commands/admin/punlock.lua b/luascripts/commands/admin/punlock.lua index 6f0b393..3e0eb2a 100644 --- a/luascripts/commands/admin/punlock.lua +++ b/luascripts/commands/admin/punlock.lua 
@@ -25,7 +25,7 @@ function commandPlayerUnlock(clientId, cmdArguments) et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dpunlock usage: "..commands.getadmin("punlock")["syntax"].."\";") return true - elseif tonumber(cmdArguments[1]) == nil then + elseif tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) @@ -53,4 +53,4 @@ function commandPlayerUnlock(clientId, cmdArguments) return true end -commands.addadmin("punlock", commandPlayerUnlock, "K", "unlocks a player", "^9[^3name|slot#^9]") \ No newline at end of file +commands.addadmin("punlock", commandPlayerUnlock, "K", "unlocks a player", "^9[^3name|slot#^9]") diff --git a/luascripts/commands/admin/setlevel.lua b/luascripts/commands/admin/setlevel.lua index 3ed8eba..348a3ee 100644 --- a/luascripts/commands/admin/setlevel.lua +++ b/luascripts/commands/admin/setlevel.lua @@ -23,7 +23,7 @@ local admin = require "luascripts.wolfadmin.admin.admin" function commandSetLevel(clientId, cmdArguments) if #cmdArguments < 2 then return false - elseif tonumber(cmdArguments[1]) == nil then + elseif tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) @@ -46,4 +46,4 @@ function commandSetLevel(clientId, cmdArguments) return false end -commands.addadmin("setlevel", commandSetLevel, "s", "sets the admin level of a player", "^9[^3name|slot#^9] ^9[^3level^9]", true) \ No newline at end of file +commands.addadmin("setlevel", commandSetLevel, "s", "sets the admin level of a player", "^9[^3name|slot#^9] ^9[^3level^9]", true) diff --git a/luascripts/commands/admin/showwarns.lua b/luascripts/commands/admin/showwarns.lua index 520e0ce..26bca94 100644 --- a/luascripts/commands/admin/showwarns.lua 
+++ b/luascripts/commands/admin/showwarns.lua @@ -32,7 +32,7 @@ function commandShowWarns(clientId, cmdArguments) et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dshowwarns usage: "..commands.getadmin("showwarns")["syntax"].."\";") return true - elseif tonumber(cmdArguments[1]) == nil then + elseif tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) @@ -66,4 +66,4 @@ function commandShowWarns(clientId, cmdArguments) return true end -commands.addadmin("showwarns", commandShowWarns, "R", "display warnings for a specific player", "^9[^3name|slot#^9] ^9(^hoffset^9)", function() return (settings.get("g_warnHistory") == 0 or not db.isconnected()) end) \ No newline at end of file +commands.addadmin("showwarns", commandShowWarns, "R", "display warnings for a specific player", "^9[^3name|slot#^9] ^9(^hoffset^9)", function() return (settings.get("g_warnHistory") == 0 or not db.isconnected()) end) diff --git a/luascripts/commands/admin/stats.lua b/luascripts/commands/admin/stats.lua index 9b0b457..dbb1085 100644 --- a/luascripts/commands/admin/stats.lua +++ b/luascripts/commands/admin/stats.lua @@ -23,7 +23,7 @@ function commandShowStats(clientId, cmdArguments) et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dstats usage: "..commands.getadmin("stats")["syntax"].."\";") return true - elseif tonumber(cmdArguments[1]) == nil then + elseif tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) 
@@ -94,4 +94,4 @@ function commandShowStats(clientId, cmdArguments) return true end -commands.addadmin("stats", commandShowStats, "I", "display the statistics for a specific player", "^9[^3name|slot#^9]") \ No newline at end of file +commands.addadmin("stats", commandShowStats, "I", "display the statistics for a specific player", "^9[^3name|slot#^9]") diff --git a/luascripts/commands/admin/vmute.lua b/luascripts/commands/admin/vmute.lua index dd5f8ba..6d6272f 100644 --- a/luascripts/commands/admin/vmute.lua +++ b/luascripts/commands/admin/vmute.lua @@ -24,7 +24,7 @@ function commandVoiceMute(clientId, cmdArguments) et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dvmute usage: "..commands.getadmin("vmute")["syntax"].."\";") return true - elseif tonumber(cmdArguments[1]) == nil then + elseif tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) @@ -75,4 +75,4 @@ function commandVoiceMute(clientId, cmdArguments) return true end -commands.addadmin("vmute", commandVoiceMute, "m", "voicemutes a player", "^9[^3name|slot#^9]") \ No newline at end of file +commands.addadmin("vmute", commandVoiceMute, "m", "voicemutes a player", "^9[^3name|slot#^9]") diff --git a/luascripts/commands/admin/vunmute.lua b/luascripts/commands/admin/vunmute.lua index 5877309..1f610f5 100644 --- a/luascripts/commands/admin/vunmute.lua +++ b/luascripts/commands/admin/vunmute.lua 
@@ -23,7 +23,7 @@ function commandVoiceUnmute(clientId, cmdArguments) et.trap_SendConsoleCommand(et.EXEC_APPEND, "csay "..clientId.." \"^dvunmute usage: "..commands.getadmin("vunmute")["syntax"].."\";") return true - elseif tonumber(cmdArguments[1]) == nil then + elseif tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) @@ -51,4 +51,4 @@ function commandVoiceUnmute(clientId, cmdArguments) return true end -commands.addadmin("vunmute", commandVoiceUnmute, "m", "unvoicemutes a player", "^9[^3name|slot#^9]") \ No newline at end of file +commands.addadmin("vunmute", commandVoiceUnmute, "m", "unvoicemutes a player", "^9[^3name|slot#^9]") diff --git a/luascripts/commands/admin/warn.lua b/luascripts/commands/admin/warn.lua index 1b2d158..70d69a7 100644 --- a/luascripts/commands/admin/warn.lua +++ b/luascripts/commands/admin/warn.lua @@ -25,7 +25,7 @@ function commandAddWarn(clientId, cmdArguments) return false elseif #cmdArguments < 2 then return false - elseif tonumber(cmdArguments[1]) == nil then + elseif tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) @@ -41,4 +41,4 @@ function commandAddWarn(clientId, cmdArguments) return false end -commands.addadmin("warn", commandAddWarn, "R", "warns a player by displaying the reason", "^9[^3name|slot#^9] ^9[^3reason^9]", true) \ No newline at end of file +commands.addadmin("warn", commandAddWarn, "R", "warns a player by displaying the reason", "^9[^3name|slot#^9] ^9[^3reason^9]", true) diff --git a/luascripts/commands/client/pm.lua b/luascripts/commands/client/pm.lua index bdc7571..c0aa6d7 100644 --- a/luascripts/commands/client/pm.lua +++ b/luascripts/commands/client/pm.lua 
@@ -22,7 +22,7 @@ function commandPersonalMessage(clientId, cmdArguments) if #cmdArguments > 1 then local cmdClient - if tonumber(cmdArguments[1]) == nil then + if tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) @@ -36,4 +36,4 @@ function commandPersonalMessage(clientId, cmdArguments) end end commands.addclient("pm", commandPersonalMessage, "", "", true) -commands.addclient("m", commandPersonalMessage, "", "", true) \ No newline at end of file +commands.addclient("m", commandPersonalMessage, "", "", true) diff --git a/luascripts/commands/commands.lua b/luascripts/commands/commands.lua index 17a596a..1e7e457 100644 --- a/luascripts/commands/commands.lua +++ b/luascripts/commands/commands.lua @@ -127,7 +127,7 @@ function commands.log(clientId, command, cmdArguments) if cmdArguments[1] then local cmdClient - if tonumber(cmdArguments[1]) == nil then + if tonumber(cmdArguments[1]) == nil or tonumber(cmdArguments[1]) > tonumber(et.trap_Cvar_Get("sv_maxclients")) then cmdClient = et.ClientNumberFromString(cmdArguments[1]) else cmdClient = tonumber(cmdArguments[1]) @@ -333,4 +333,4 @@ function commands.onclientcommand(clientId, cmdText) end events.handle("onClientCommand", commands.onclientcommand) -return commands \ No newline at end of file +return commands
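Review bot: The name-or-slot parsing in commands.log is the same `if`/`else` that appears in the other files touched here, and two of those copies (dewarn.lua and listaliases.lua) already differ by omitting `tonumber()` around the cvar. Every command module already registers itself through `commands`, so one helper there would keep the validation of this client-supplied argument in a single place. The sketch below uses a proposed name, `commands.resolveclient`, and also applies the lower-bound and whole-number checks. The `if`/`else` it would replace in commands.log closes outside this hunk.

```lua
-- Proposed helper: only a whole number inside 0 .. sv_maxclients - 1 is
-- taken as a slot; anything else is handed to the name lookup.
function commands.resolveclient(argument)
    local slot = tonumber(argument)
    local maxClients = tonumber(et.trap_Cvar_Get("sv_maxclients"))

    if slot == nil or maxClients == nil
            or slot < 0 or slot >= maxClients or slot % 1 ~= 0 then
        return et.ClientNumberFromString(argument)
    end

    return slot
end

-- … unchanged: start of commands.log up to the cmdArguments[1] test …
        local cmdClient = commands.resolveclient(cmdArguments[1])
```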