mirror of
https://git.code.sf.net/p/quake/quakeforge
synced 2024-11-26 22:31:05 +00:00
In response to an apparent server-side exploit that has shown up on
execpc's ProzacTF server, info strings for other players are checked to ensure that they contain the "name" key. If the key is not present, it is set to "user-%i [exploit]", where %i is the userid of the player. Players using this exploit should now show up on the scoreboard and users list and be visible during gameplay. Although this renders the exploit useless against players using QF, the exact way in which it bypasses the extensive checks of a player's name by the server needs to be discovered so that it can be fixed. The server in question uses a bastarized version of QF 0.5.2, so it's possible that the problem still exists in QF today.
This commit is contained in:
parent
054d2b61e8
commit
83334ce633
1 changed files with 3 additions and 0 deletions
|
@ -997,6 +997,9 @@ CL_ProcessUserInfo (int slot, player_info_t *player)
|
|||
QFS_StripExtension (s, skin);
|
||||
if (!strequal (s, skin))
|
||||
Info_SetValueForKey (player->userinfo, "skin", skin, 1);
|
||||
s = Info_ValueForKey (player->userinfo, "name");
|
||||
if (!*s)
|
||||
Info_SetValueForKey (player->userinfo, "name", va ("user-%i [exploit]", player->userid), 1);
|
||||
strncpy (player->name, Info_ValueForKey (player->userinfo, "name"),
|
||||
sizeof (player->name) - 1);
|
||||
player->_topcolor = player->_bottomcolor = -1;
|
||||
|
|
Loading…
Reference in a new issue