mirror of
https://github.com/yquake2/yquake2remaster.git
synced 2024-11-22 04:31:09 +00:00
Filter .., :, / and \\ from al_driver and cl_libcurl.
This is a poor man's safeguard against a malicious server trying to download and inject libraries.
parent
5e6a73dc3f
commit
852cec05e7
2 changed files with 11 additions and 1 deletions
|
@ -101,6 +101,11 @@ qboolean qcurlInit(void)
|
|||
|
||||
// Mkay, let's try to find a working libcurl.
|
||||
cl_libcurl = Cvar_Get("cl_libcurl", (char *)libcurl[0], CVAR_ARCHIVE);
|
||||
if (strstr(cl_libcurl->string, "..") || strstr(cl_libcurl->string, ":") || strstr(cl_libcurl->string, "/") || strstr(cl_libcurl->string, "\\"))
|
||||
{
|
||||
Com_Printf("cl_libcurl must not contain '..', ':', '/' or '\': %s\n", cl_libcurl->string);
|
||||
goto error;
|
||||
}
|
||||
|
||||
Com_Printf("Loading library: %s\n", cl_libcurl->string);
|
||||
Sys_LoadLibrary(cl_libcurl->string, NULL, &curlhandle);
|
||||
|
|
|
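Review bot: The new diagnostic in qcurlInit writes the backslash as `'\'` inside a C string literal, where `\'` is the escape for a single quote, so the printed message shows `''` and never names the backslash it rejects. The literal should read `"cl_libcurl must not contain '..', ':', '/' or '\\': %s\n"`. The al_driver message in the QAL_Init hunk has the same defect and needs the same `'\\'` fix. The `error` label targeted by the added `goto` lies outside this hunk, so its cleanup path cannot be checked from here.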
@ -406,9 +406,14 @@ QAL_Init()
|
|||
/* DEFAULT_OPENAL_DRIVER is defined at compile time via the compiler */
|
||||
al_driver = Cvar_Get("al_driver", DEFAULT_OPENAL_DRIVER, CVAR_ARCHIVE);
|
||||
|
||||
Com_Printf("Loading library: %s\n", al_driver->string);
|
||||
if (strstr(al_driver->string, "..") || strstr(al_driver->string, ":") || strstr(al_driver->string, "/") || strstr(al_driver->string, "\\"))
|
||||
{
|
||||
Com_Printf("al_driver must not contain '..', ':', '/' or '\': %s\n", al_driver->string);
|
||||
return false;
|
||||
}
|
||||
|
||||
/* Load the library */
|
||||
Com_Printf("Loading library: %s\n", al_driver->string);
|
||||
Sys_LoadLibrary(al_driver->string, NULL, &handle);
|
||||
|
||||
if (!handle)
|
||||
|
|
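Review bot: The substring filter added in QAL_Init only rejects path components, so a bare file name in al_driver is still handed to Sys_LoadLibrary unchanged. How that name is resolved is not visible in this hunk; if it defers to the platform loader's search order, the safeguard depends on no untrusted file being reachable there. That limit is worth stating above the check, e.g. `/* Only blocks paths; the bare name is still resolved by the library loader. */`. The same four-way strstr test is duplicated in qcurlInit, so a shared helper built on `strstr(s, "..") || strpbrk(s, ":/\\")` would keep the two call sites from drifting apart. QAL_Init's body starts and ends outside the hunk.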