In response to an apparent server-side exploit that has shown up on

execpc's ProzacTF server, info strings for other players are checked to
ensure that they contain the "name" key.  If the key is not present, it is
set to "user-%i [exploit]", where %i is the userid of the player.  Players
using this exploit should now show up on the scoreboard and users list
and be visible during gameplay.  Although this renders the exploit useless
against players using QF, the exact way in which it bypasses the extensive
checks of a player's name by the server needs to be discovered so that it
can be fixed.  The server in question uses a bastarized version of QF
0.5.2, so it's possible that the problem still exists in QF today.
This commit is contained in:
Brian Koropoff 2003-08-20 07:22:34 +00:00
parent 054d2b61e8
commit 83334ce633

View file

@ -997,6 +997,9 @@ CL_ProcessUserInfo (int slot, player_info_t *player)
QFS_StripExtension (s, skin);
if (!strequal (s, skin))
Info_SetValueForKey (player->userinfo, "skin", skin, 1);
s = Info_ValueForKey (player->userinfo, "name");
if (!*s)
Info_SetValueForKey (player->userinfo, "name", va ("user-%i [exploit]", player->userid), 1);
strncpy (player->name, Info_ValueForKey (player->userinfo, "name"),
sizeof (player->name) - 1);
player->_topcolor = player->_bottomcolor = -1;