From df8f657f09b43c8e097c0f61e170c4b6599ffd74 Mon Sep 17 00:00:00 2001 From: Zack Middleton Date: Tue, 30 Jan 2018 07:43:36 -0600 Subject: [PATCH] Fix exploit to bypass filename restrictions on Windows Windows API ignores all trailing spaces and periods which can get around Quake 3 file system restrictions. QVM opening 'uix86.dll.' actually opens 'uix86.dll' which allows QVM to write native code. This is done in the low-level Sys_FOpen() instead of the function directly used by VMs ( FS_FOpenFileByMode() ) in case there are engine commands now or in the future that can read or write arbitrary files. Reported by Noah Metzger (Chomenor). --- code/sys/sys_win32.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/code/sys/sys_win32.c b/code/sys/sys_win32.c index 6979dce9..ee026bd8 100644 --- a/code/sys/sys_win32.c +++ b/code/sys/sys_win32.c @@ -357,6 +357,14 @@ Sys_FOpen ============== */ FILE *Sys_FOpen( const char *ospath, const char *mode ) { + size_t length; + + // Windows API ignores all trailing spaces and periods which can get around Quake 3 file system restrictions. + length = strlen( ospath ); + if ( length == 0 || ospath[length-1] == ' ' || ospath[length-1] == '.' ) { + return NULL; + } + return fopen( ospath, mode ); }
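Review bot: The new check at the top of Sys_FOpen() returns NULL with no diagnostic, and the `length == 0` case it also rejects is not mentioned in the comment above it, which covers only trailing spaces and periods. A caller sees the same result as an ordinary fopen() failure, so a refused name such as the 'uix86.dll.' from the commit message leaves no trace in the log. Consider printing a warning with the rejected path before `return NULL;` and extending the comment to say that an empty path is refused as well. Because the test looks only at `ospath[length-1]` and is written inline in this one function, it may also be worth moving it into a small helper, so that if other functions in this file take OS paths they can apply the same rule instead of duplicating it.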