From 83334ce6338184fae4d5a55eac4e72dbba03c415 Mon Sep 17 00:00:00 2001 From: Brian Koropoff Date: Wed, 20 Aug 2003 07:22:34 +0000 Subject: [PATCH] In response to an apparent server-side exploit that has shown up on execpc's ProzacTF server, info strings for other players are checked to ensure that they contain the "name" key. If the key is not present, it is set to "user-%i [exploit]", where %i is the userid of the player. Players using this exploit should now show up on the scoreboard and users list and be visible during gameplay. Although this renders the exploit useless against players using QF, the exact way in which it bypasses the extensive checks of a player's name by the server needs to be discovered so that it can be fixed. The server in question uses a bastarized version of QF 0.5.2, so it's possible that the problem still exists in QF today. --- qw/source/cl_parse.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/qw/source/cl_parse.c b/qw/source/cl_parse.c index 4f222bbe8..5be3856ed 100644 --- a/qw/source/cl_parse.c +++ b/qw/source/cl_parse.c @@ -997,6 +997,9 @@ CL_ProcessUserInfo (int slot, player_info_t *player) QFS_StripExtension (s, skin); if (!strequal (s, skin)) Info_SetValueForKey (player->userinfo, "skin", skin, 1); + s = Info_ValueForKey (player->userinfo, "name"); + if (!*s) + Info_SetValueForKey (player->userinfo, "name", va ("user-%i [exploit]", player->userid), 1); strncpy (player->name, Info_ValueForKey (player->userinfo, "name"), sizeof (player->name) - 1); player->_topcolor = player->_bottomcolor = -1;