From f0b74a27c97f6b03cc270d0536a77bdfcc1e8fad Mon Sep 17 00:00:00 2001
From: Zack Middleton
Date: Wed, 9 Aug 2017 18:27:39 -0500
Subject: [PATCH] Check for all command separators in callTeamVote

Make callTeamVote check for all command separators like in callVote. It's not exploitable as the only vote option (leader) always uses an integer argument. Also the ioquake3 engine remove command separators from client game commands in Cmd_Args_Sanitize().
---
 code/game/g_cmds.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/code/game/g_cmds.c b/code/game/g_cmds.c
index 46a69ca8..b02a19e7 100644
--- a/code/game/g_cmds.c
+++ b/code/game/g_cmds.c
@@ -1489,9 +1489,16 @@ void Cmd_CallTeamVote_f( gentity_t *ent ) {
 trap_Argv( i, &arg2[strlen(arg2)], sizeof( arg2 ) - strlen(arg2) );
 }
 
- if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) {
- trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
- return;
+ // check for command separators in arg2
+ for( c = arg2; *c; ++c) {
+ switch(*c) {
+ case '\n':
+ case '\r':
+ case ';':
+ trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
+ return;
+ break;
+ }
 }
 
 if ( !Q_stricmp( arg1, "leader" ) ) {
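Review bot: The new loop scans only arg2, so the old `strchr( arg1, ';' )` test is silently dropped; that is sound only because arg1 is afterwards required to match "leader" exactly by the `Q_stricmp` on the last context line (and presumably rejected otherwise, outside the hunk), which the new comment does not say. Make the dependency explicit so a later vote option does not inherit an unchecked arg1: `// arg1 is validated by exact match below; only arg2 can carry free-form client text`. The `break;` after `return;` is unreachable and the switch has no `default:`; dropping the `break` and adding `default: break;` matches the usual switch shape. Cmd_CallTeamVote_f begins and ends outside the hunk, and the loop variable `c` is declared there.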