Fix exploit to bypass filename restrictions on Windows

Windows API ignores all trailing spaces and periods which can get around
Quake 3 file system restrictions. QVM opening 'uix86.dll.' actually
opens 'uix86.dll' which allows QVM to write native code.

This is done in the low-level Sys_FOpen() instead of the function
directly used by VMs ( FS_FOpenFileByMode() ) in case there are engine
commands now or in the future that can read or write arbitrary files.

Reported by Noah Metzger (Chomenor).
Zack Middleton 2018-01-30 07:43:36 -06:00
parent acce0e5452
commit df8f657f09
1 changed files with 8 additions and 0 deletions

@ -357,6 +357,14 @@ Sys_FOpen
==============
*/
FILE *Sys_FOpen( const char *ospath, const char *mode ) {
size_t length;
// Windows API ignores all trailing spaces and periods which can get around Quake 3 file system restrictions.
length = strlen( ospath );
if ( length == 0 || ospath[length-1] == ' ' || ospath[length-1] == '.' ) {
return NULL;
}
return fopen( ospath, mode );
}
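
Review bot: the `return NULL` inside the new `if` rejects the path without any diagnostic, so a caller sees the same result as an ordinary `fopen` failure and a blocked name leaves no trace for whoever is debugging or auditing a server. Consider logging the rejected `ospath` at developer level before returning. The comment also explains only the space/period tests; it should note that `length == 0` is there as well to keep `ospath[length-1]` from reading before the start of the string. Finally, the test looks at the last character of the whole path only, so the comment should state whether directory components earlier in `ospath` were considered and found not to need the same check.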