Fixed handling of header fields. This is a major security bug fix (omission bug). Added some additional measures to prevent client exploitation also (clients should do this themselves too). Used some snprintfs instead of sprintfs due to paranoia, but these will fix nothing as it currently stands.

git-svn-id: https://svn.code.sf.net/p/fteqw/code/trunk@3016 fc73d0e0-1445-4013-8a0c-d673dee63da5
This commit is contained in:
Spoike 2008-06-25 07:13:47 +00:00
parent 2c2560eef4
commit 4dfdca03f5

View file

@ -155,7 +155,7 @@ static void HTTPSV_SendHTMLFooter(cluster_t *cluster, oproxy_t *dest)
char *s;
char buffer[2048];
sprintf(buffer, "<br/>QTV Version: %i <a href=\"http://www.fteqw.com\">www.fteqw.com</a><br />", cluster->buildnumber);
snprintf(buffer, sizeof(buffer), "<br/>QTV Version: %i <a href=\"http://www.fteqw.com\">www.fteqw.com</a><br />", cluster->buildnumber);
Net_ProxySend(cluster, dest, buffer, strlen(buffer));
s = "</body>\n"
@ -188,7 +188,7 @@ static void HTTPSV_GenerateNowPlaying(cluster_t *cluster, oproxy_t *dest)
HTMLPRINT("<dt>");
HTMLprintf(buffer, sizeof(buffer), "%s (%s: %s)", streams->server, streams->gamedir, streams->mapname);
Net_ProxySend(cluster, dest, buffer, strlen(buffer));
sprintf(buffer, "<span class=\"qtvfile\"> [ <a href=\"/watch.qtv?sid=%i\">Watch Now</a> ]</span>", streams->streamid);
snprintf(buffer, sizeof(buffer), "<span class=\"qtvfile\"> [ <a href=\"/watch.qtv?sid=%i\">Watch Now</a> ]</span>", streams->streamid);
Net_ProxySend(cluster, dest, buffer, strlen(buffer));
HTMLPRINT("</dt><dd><ul class=\"playerslist\">");
@ -277,11 +277,12 @@ static qboolean HTTPSV_GetHeaderField(char *s, char *field, char *buffer, int bu
colon++;
while (*colon == ' ')
colon++;
while (buffersize > 1)
while (buffersize > 2)
{
if (*colon == '\r' || *colon == '\n')
break;
*buffer++ = *colon++;
buffersize--;
}
*buffer = 0;
return true;
@ -335,8 +336,17 @@ static void HTTPSV_GenerateQTVStub(cluster_t *cluster, oproxy_t *dest, char *str
else if (*streamid >= '0' && *streamid <= '9')
*s += *streamid-'0';
//don't let hackers try adding extra commands to it.
if (*s == '$' || *s == ';' || *s == '\r' || *s == '\n')
continue;
s++;
}
else if (*streamid == '$' || *streamid == ';' || *streamid == '\r' || *streamid == '\n')
{
//don't let hackers try adding extra commands to it.
streamid++;
}
else
*s++ = *streamid++;
}
@ -360,9 +370,10 @@ static void HTTPSV_GenerateQTVStub(cluster_t *cluster, oproxy_t *dest, char *str
HTTPSV_SendHTTPHeader(cluster, dest, "200", "text/x-quaketvident", false);
sprintf(buffer, "[QTV]\r\n"
snprintf(buffer, sizeof(buffer), "[QTV]\r\n"
"Stream: %s%s@%s\r\n"
"",
//5, 256, 64. snprintf is not required, but paranoia is a wonderful thing.
streamtype, streamid, hostname);
@ -553,7 +564,7 @@ static void HTTPSV_GenerateDemoListing(cluster_t *cluster, oproxy_t *dest)
Net_ProxySend(cluster, dest, link, strlen(link));
}
sprintf(link, "<P>Total: %i demos</P>", cluster->availdemoscount);
snprintf(link, sizeof(link), "<P>Total: %i demos</P>", cluster->availdemoscount);
Net_ProxySend(cluster, dest, link, strlen(link));
HTTPSV_SendHTMLFooter(cluster, dest);