mirror of
https://github.com/ioquake/jedi-academy.git
synced 2024-11-25 13:41:34 +00:00
CVE-2006-2082 Directory traversal vulnerability in Quake 3 engine
CVE-2006-2082 Directory traversal vulnerability in Quake 3 engine, as used in products including Quake3 Arena, Return to Castle Wolfenstein, Wolfenstein: Enemy Territory, and Star Trek Voyager: Elite Force, when the sv_allowdownload cvar is enabled, allows remote attackers to read arbitrary files from the server via ".." sequences in a .pk3 file request. from Thilo Schulz in ioquake3 svn 777 git 60293f49ee8c665673202e80ecd103f13a9fa6ab Fix bug that permits download of arbitrary files from a download enabled server by checking requested file name against the list of loaded pk3 files. See CVE-2006-2082
This commit is contained in:
parent
c9da283d84
commit
85caaddab4
1 changed files with 46 additions and 9 deletions
|
@ -1092,24 +1092,59 @@ void SV_WriteDownloadToClient( client_t *cl , msg_t *msg )
|
|||
int curindex;
|
||||
int rate;
|
||||
int blockspersnap;
|
||||
int idPack, missionPack;
|
||||
int idPack, missionPack, unreferenced = 1;
|
||||
char errorMessage[1024];
|
||||
char pakbuf[MAX_QPATH], *pakptr;
|
||||
int numRefPaks;
|
||||
|
||||
if (!*cl->downloadName)
|
||||
return; // Nothing being downloaded
|
||||
|
||||
if (!cl->download) {
|
||||
// Chop off filename extension.
|
||||
Com_sprintf(pakbuf, sizeof(pakbuf), "%s", cl->downloadName);
|
||||
pakptr = Q_strrchr(pakbuf, '.');
|
||||
|
||||
if(pakptr)
|
||||
{
|
||||
*pakptr = '\0';
|
||||
|
||||
// Check for pk3 filename extension
|
||||
if(!Q_stricmp(pakptr + 1, "pk3"))
|
||||
{
|
||||
const char *referencedPaks = FS_ReferencedPakNames();
|
||||
|
||||
// Check whether the file appears in the list of referenced
|
||||
// paks to prevent downloading of arbitrary files.
|
||||
Cmd_TokenizeStringIgnoreQuotes(referencedPaks);
|
||||
numRefPaks = Cmd_Argc();
|
||||
|
||||
for(curindex = 0; curindex < numRefPaks; curindex++)
|
||||
{
|
||||
if(!FS_FilenameCompare(Cmd_Argv(curindex), pakbuf))
|
||||
{
|
||||
unreferenced = 0;
|
||||
|
||||
// now that we know the file is referenced,
|
||||
// check whether it's legal to download it.
|
||||
missionPack = FS_idPak(pakbuf, "missionpack");
|
||||
idPack = missionPack || FS_idPak(pakbuf, "base");
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// We open the file here
|
||||
|
||||
Com_Printf( "clientDownload: %d : begining \"%s\"\n", cl - svs.clients, cl->downloadName );
|
||||
|
||||
missionPack = FS_idPak(cl->downloadName, "missionpack");
|
||||
idPack = missionPack || FS_idPak(cl->downloadName, "base");
|
||||
|
||||
if ( !sv_allowDownload->integer || idPack ||
|
||||
if ( !sv_allowDownload->integer || idPack || unreferenced ||
|
||||
( cl->downloadSize = FS_SV_FOpenFileRead( cl->downloadName, &cl->download ) ) <= 0 ) {
|
||||
// cannot auto-download file
|
||||
if (idPack) {
|
||||
if(unreferenced)
|
||||
{
|
||||
Com_Printf("clientDownload: %d : \"%s\" is not referenced and cannot be downloaded.\n", (int) (cl - svs.clients), cl->downloadName);
|
||||
Com_sprintf(errorMessage, sizeof(errorMessage), "File \"%s\" is not referenced and cannot be downloaded.", cl->downloadName);
|
||||
}
|
||||
else if (idPack) {
|
||||
Com_Printf("clientDownload: %d : \"%s\" cannot download id pk3 files\n", cl - svs.clients, cl->downloadName);
|
||||
if (missionPack) {
|
||||
Com_sprintf(errorMessage, sizeof(errorMessage), "Cannot autodownload Team Arena file \"%s\"\n"
|
||||
|
@ -1141,6 +1176,8 @@ void SV_WriteDownloadToClient( client_t *cl , msg_t *msg )
|
|||
*cl->downloadName = 0;
|
||||
return;
|
||||
}
|
||||
|
||||
Com_Printf( "clientDownload: %d : begining \"%s\"\n", cl - svs.clients, cl->downloadName );
|
||||
|
||||
// Init
|
||||
cl->downloadCurrentBlock = cl->downloadClientBlock = cl->downloadXmitBlock = 0;
|
||||
|
|
Loading…
Reference in a new issue