- changed save and load commands to work within the 'save' directory.

Escaping via absolute paths and '..' is blocked now.
Christoph Oelckers 2022-10-20 00:46:47 +02:00
parent 33afe45dda
commit f0601a49a2


@ -633,8 +633,23 @@ UNSAFE_CCMD (load)
return;
}
FString fname = argv[1];
DefaultExtension (fname, "." SAVEGAME_EXT);
G_LoadGame (fname);
FixPathSeperator(fname);
if (fname[0] == '/')
{
Printf("saving to an absolute path is not allowed\n");
return;
}
#ifdef _WIN32
// block all invalid characters for Windows file names
if (fname.IndexOfAny(":?*<>|") >= 0)
{
Printf("file name contains invalid characters\n");
return;
}
#endif
fname = G_BuildSaveName(fname, -1);
DefaultExtension(fname, "." SAVEGAME_EXT);
G_LoadGame (fname);
}
//==========================================================================
@ -645,15 +660,30 @@ UNSAFE_CCMD (load)
//
//==========================================================================
UNSAFE_CCMD (save)
UNSAFE_CCMD(save)
{
if (argv.argc() < 2 || argv.argc() > 3)
if (argv.argc() < 2 || argv.argc() > 3 || argv[1][0] == 0)
{
Printf ("usage: save <filename> [description]\n");
return;
}
FString fname = argv[1];
DefaultExtension (fname, "." SAVEGAME_EXT);
FString fname = argv[1];
FixPathSeperator(fname);
if (fname[0] == '/')
{
Printf("saving to an absolute path is not allowed\n");
return;
}
#ifdef _WIN32
// block all invalid characters for Windows file names
if (fname.IndexOfAny(":?*<>|") >= 0)
{
Printf("file name contains invalid characters\n");
return;
}
#endif
fname = G_BuildSaveName(fname, -1);
DefaultExtension(fname, "." SAVEGAME_EXT);
G_SaveGame (fname, argv.argc() > 2 ? argv[2] : argv[1]);
}
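Review bot: Neither hunk contains a check for `..` path components, although the description says escaping via `..` is blocked; the visible guards in both `load` and `save` reject only a leading `/` and, on Windows, the characters `:?*<>|`. If that rejection is meant to happen inside `G_BuildSaveName` (not shown here), a comment above that call such as `// '..' components are rejected by G_BuildSaveName` would make the dependency explicit; otherwise a relative name containing `..` appears to pass both commands, and an explicit rejection belongs next to the absolute-path check. Separately, the `load` hunk prints the message copied from `save`; `Printf("loading from an absolute path is not allowed\n");` would match the command. The body of `load` starts above the first hunk, so its argument check is not visible and I cannot tell whether an empty name is rejected there the way `save` now does with `argv[1][0] == 0`.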