From f3ac82e11249501fffa3337dca92d3b83bbffe33 Mon Sep 17 00:00:00 2001
From: Christoph Oelckers <coelckers@users.noreply.github.com>
Date: Wed, 13 Dec 2017 22:14:30 +0100
Subject: [PATCH] - do not allow outside access to the variable storing the
 CCMD for OptionMenuItemCommand.

This can be abused to execute atbitrary commands from inside script code.
---
 wadsrc/static/zscript/menu/optionmenuitems.txt | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/wadsrc/static/zscript/menu/optionmenuitems.txt b/wadsrc/static/zscript/menu/optionmenuitems.txt
index f08dca713..3405ae549 100644
--- a/wadsrc/static/zscript/menu/optionmenuitems.txt
+++ b/wadsrc/static/zscript/menu/optionmenuitems.txt
@@ -126,9 +126,12 @@ class OptionMenuItemSubmenu : OptionMenuItem
 
 class OptionMenuItemCommand : OptionMenuItemSubmenu
 {
+	private String ccmd;	// do not allow access to this from the outside.
+	
 	OptionMenuItemCommand Init(String label, Name command, bool centered = false)
 	{
 		Super.Init(label, command, 0, centered);
+		ccmd = command;
 		return self;
 	}
 
@@ -146,7 +149,7 @@ class OptionMenuItemCommand : OptionMenuItemSubmenu
 			if (m.GetItem(mAction) != self) return false;
 		}
 		Menu.MenuSound("menu/choose");
-		DoCommand(mAction);
+		DoCommand(ccmd);
 		return true;
 	}