okseby/Quake-III-Arena
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Forgot to check for windows-style path seperator in precaution against directory traversal abuse.

Browse source
This commit is contained in:
Thilo Schulz 2006-06-01 00:23:46 +00:00
parent 503c0a22c6
commit 9af85d9378
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
code/client/cl_main.c
View file

@ -1445,7 +1445,7 @@ void CL_NextDownload(void) {
s = localName + strlen(localName); // point at the nul byte s = localName + strlen(localName); // point at the nul byte
// Make sure the server cannot make us write to non-quake3 directories. // Make sure the server cannot make us write to non-quake3 directories.
if(strstr(localName, "../")) if(strstr(localName, "../") || strstr(localName, "..\\"))
{ {
Com_Error(ERR_DROP, "CL_NextDownload: Invalid download name %s", localName); Com_Error(ERR_DROP, "CL_NextDownload: Invalid download name %s", localName);
return; return;