qf/quake2forge
0
0
Fork 0
mirror of https://git.code.sf.net/p/quake/quake2forge synced 2025-03-29 22:01:21 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix win32 path exploit in download command

Browse source
This commit is contained in:
Jay Dolan 2006-01-14 14:53:05 +00:00
parent e1326ba6f7
commit 805aec460b
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/sv_user.c
View file

@ -294,7 +294,7 @@ void SV_BeginDownload_f(void){
// hacked by zoid to allow more conrol over download
// first off, no .. or global allow check
if(strstr(name, "..") || !allow_download->value
if(strstr(name, "..") || strstr(name, "\\/") || !allow_download->value
// leading dot is no good
|| *name == '.'
// leading slash bad as well, must be in subdir