lilium-voyager/code/qcommon
Zack Middleton 3638f69dff Fix fs_game '..' reading outside of home and base path
VMs could set fs_game to '..' at any time to access files outside of home
and base path. fs_game sent by server to clients could also be '..' to
access files outside of home and base path.

'..' was not caught by FS_CheckDirTraversal() as it expects filenames
not a single directory.

I've made fs_game be latched to prevent VMs from changing it with no
good way to validate it before it's used. com_basegame and fs_basegame
are now latched as well.

Additionally, it's now possible to change com_basegame while the engine
is running. game_restart or vid_restart will make it take effect.
com_homepath is now CVAR_PROTECTED to prevent VMs from changing it
to a directory traversal.

This requires my two previous commits for preventing VMs from changing
engine latch cvars and only Cvar_Get fs_game in FS_Startup (so CVAR_INIT
isn't added in several other places).

Reported by Noah Metzger (Chomenor).
2018-01-21 06:02:28 -06:00
..
cm_load.c Bug 5094 - Code cleanup, patch by Zack Middleton and DevHC. Fixes unused-but-set gcc warnings 2011-07-29 12:27:00 +00:00
cm_local.h * Bug fix to collision optimisation (arQon) 2007-10-06 21:59:17 +00:00
cm_patch.c Correct spelling mistakes. 2017-11-22 01:40:20 -06:00
cm_patch.h * Added STATUS 2005-10-29 01:53:09 +00:00
cm_polylib.c Correct spelling mistakes. 2017-11-22 01:40:20 -06:00
cm_polylib.h * Added STATUS 2005-10-29 01:53:09 +00:00
cm_public.h Remove references to non-existent functions CM_MarkFragments and CM_LerpTag. 2012-11-19 05:48:27 +00:00
cm_test.c * Bug fix to collision optimisation (arQon) 2007-10-06 21:59:17 +00:00
cm_trace.c Correct spelling mistakes. 2017-11-22 01:40:20 -06:00
cmd.c Correct spelling mistakes. 2017-11-22 01:40:20 -06:00
common.c Fix fs_game '..' reading outside of home and base path 2018-01-21 06:02:28 -06:00
cvar.c Don't let VMs change engine latch cvars immediately 2018-01-21 06:02:08 -06:00
files.c Fix fs_game '..' reading outside of home and base path 2018-01-21 06:02:28 -06:00
huffman.c Remove extra plus sign from Huff_Compress() 2018-01-14 18:38:38 -06:00
ioapi.c Just unix2dos, nothing to see here ... 2009-10-19 14:00:16 +00:00
ioapi.h Just unix2dos, nothing to see here ... 2009-10-19 14:00:16 +00:00
json.h OpenGL2: Add named cubemaps and per-map env.json parsing. 2016-02-10 16:25:32 -08:00
md4.c Change shift expressions to unsigned types. Shifting signed values to 2018-01-21 06:01:50 -06:00
md5.c Remove FS_Read2(). 2017-03-17 04:21:11 -07:00
msg.c Fix/improve buffer overflow in MSG_ReadBits/MSG_WriteBits 2017-08-02 14:55:22 -05:00
net_chan.c Change shift expressions to unsigned types. Shifting signed values to 2018-01-21 06:01:50 -06:00
net_ip.c Fix Makefile for OSX 2016-06-12 17:17:33 -04:00
puff.c * PNG support from Joerg Dietrich <dietrich_joerg@t-online.de> 2007-08-23 17:23:15 +00:00
puff.h * PNG support from Joerg Dietrich <dietrich_joerg@t-online.de> 2007-08-23 17:23:15 +00:00
q_math.c [qcommon] Use unsigned types where wrapping arithmetic is intended 2017-10-02 19:46:37 -05:00
q_platform.h Fix Makefile for OSX 2016-06-12 17:17:33 -04:00
q_shared.c fix a stupid use of strcpy() 2015-06-18 17:24:50 -05:00
q_shared.h Use standard offsetof facility. Dereferencing a null pointer results 2018-01-21 06:01:50 -06:00
qcommon.h Fix fs_game '..' reading outside of home and base path 2018-01-21 06:02:28 -06:00
qfiles.h #6069: Remove md4 model support. 2013-11-29 16:13:47 -08:00
surfaceflags.h Correct spelling mistakes. 2017-11-22 01:40:20 -06:00
unzip.c Correct spelling mistakes. 2017-11-22 01:40:20 -06:00
unzip.h Correct spelling mistakes. 2017-11-22 01:40:20 -06:00
vm.c Fix comment 2017-05-25 09:44:18 +01:00
vm_armv7l.c Fix set-but-not-used variable warnings in vm_armv7l.c 2017-07-08 16:48:23 -05:00
vm_interpreted.c Allow unaligned load/store in QVM interpreter/x86 compiler 2017-05-25 09:44:18 +01:00
vm_local.h Allow unaligned load/store in QVM interpreter/x86 compiler 2017-05-25 09:44:18 +01:00
vm_none.c revert int->long change as it breaks on 64bit. Actually only 2005-09-26 22:23:46 +00:00
vm_powerpc.c Correct spelling mistakes. 2017-11-22 01:40:20 -06:00
vm_powerpc_asm.c REFACTOR [a vs an] 2012-06-18 16:31:16 +00:00
vm_powerpc_asm.h new PowerPC vm 2008-11-10 09:46:01 +00:00
vm_sparc.c fix some "\n"-related stuff 2013-05-30 15:32:44 -05:00
vm_sparc.h qcommon: vm: Add sparc JIT compiler. 2009-03-02 17:29:40 +00:00
vm_x86.c Change shift expressions to unsigned types. Shifting signed values to 2018-01-21 06:01:50 -06:00