qf
/
quakeforge
mirror of https://git.code.sf.net/p/quake/quakeforge
0
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

In response to an apparent server-side exploit that has shown up on 

execpc's ProzacTF server, info strings for other players are checked to
ensure that they contain the "name" key.  If the key is not present, it is
set to "user-%i [exploit]", where %i is the userid of the player.  Players
using this exploit should now show up on the scoreboard and users list
and be visible during gameplay.  Although this renders the exploit useless
against players using QF, the exact way in which it bypasses the extensive
checks of a player's name by the server needs to be discovered so that it
can be fixed.  The server in question uses a bastarized version of QF
0.5.2, so it's possible that the problem still exists in QF today.
This commit is contained in:
Brian Koropoff 2003-08-20 07:22:34 +00:00
parent 054d2b61e8
commit 83334ce633
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
qw/source/cl_parse.c
View File

@ -997,6 +997,9 @@ CL_ProcessUserInfo (int slot, player_info_t *player)
QFS_StripExtension (s, skin);
if (!strequal (s, skin))
Info_SetValueForKey (player->userinfo, "skin", skin, 1);
s = Info_ValueForKey (player->userinfo, "name");
if (!*s)
Info_SetValueForKey (player->userinfo, "name", va ("user-%i [exploit]", player->userid), 1);
strncpy (player->name, Info_ValueForKey (player->userinfo, "name"),
sizeof (player->name) - 1);
player->_topcolor = player->_bottomcolor = -1;