From c96f10d40b3fcad79af8f48ed5c3309ca93227b3 Mon Sep 17 00:00:00 2001
From: Alibek Omarov
Date: Tue, 2 Nov 2021 21:17:39 +0600
Subject: [PATCH] engine: client: restrict LOCALONLY cvars regardless of cl_filterstuffcmd value

---
 engine/client/cl_game.c | 9 +++++++++
 engine/common/cvar.c | 13 ++-----------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/engine/client/cl_game.c b/engine/client/cl_game.c
index 7a2493f7..c5e260bf 100644
--- a/engine/client/cl_game.c
+++ b/engine/client/cl_game.c
@@ -1754,8 +1754,17 @@ static int GAME_EXPORT pfnFilteredClientCmd( const char *szCmdString )
 if( !COM_CheckString( szCmdString ))
 return 0;
 
+ // a1ba:
+ // there should be stufftext validator, that checks
+ // hardcoded commands and disallows them before passing to
+ // filtered buffer, returning 0
+ // I've replaced it by hooking potentially exploitable
+ // commands and variables(motd_write, motdfile, etc) in client interfaces
+
 Cbuf_AddFilteredText( szCmdString );
 Cbuf_AddFilteredText( "\n" );
+
+ return 1;
 }
 
 /*
diff --git a/engine/common/cvar.c b/engine/common/cvar.c
index 89584bad..48a3d6e9 100644
--- a/engine/common/cvar.c
+++ b/engine/common/cvar.c
@@ -769,21 +769,12 @@ static qboolean Cvar_ShouldSetCvar( convar_t *v, qboolean isPrivileged )
 if( isPrivileged )
 return true;
 
- // TODO: figure this out
- //if( v->flags & FCVAR_SERVER )
- // return false;
+ if( v->flags & FCVAR_LOCALONLY )
+ return false;
 
 if( cl_filterstuffcmd.value <= 0.0f )
 return true;
 
- // TODO: figure this out too
- //if( v->flags & FCVAR_EXTDLL )
- // return false;
-
- // a1ba: xash3d-fwgs extension
- if( v->flags & FCVAR_LOCALONLY )
- return false;
-
 for( i = 0; i < ARRAYSIZE( prefixes ); i++ )
 {
 if( Q_stricmp( v->name, prefixes[i] ))
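Review bot: The new `return 1;` in pfnFilteredClientCmd is unconditional, so the caller receives 1 for every non-empty string whether or not the command is later refused, while the added comment describes a validator that would reject hardcoded commands and return 0. Since that validator is deliberately not implemented here, the comment would serve better as a contract statement, for example `// returns 1 once the text is queued; unsafe commands and cvars are rejected later by the hooks in the client interfaces, not here`, so that client code does not read 1 as "command accepted". Whether any caller acts on the return value is not visible in this hunk, and the function starts above it.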
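Review bot: The relocated `FCVAR_LOCALONLY` check lost its comment, and nothing on the new lines says it must stay above the `cl_filterstuffcmd.value <= 0.0f` early return; moving it back below that line would silently reopen the case this commit closes, where unprivileged callers can set LOCALONLY cvars whenever filtering is switched off. A one-line comment such as `// must precede the cl_filterstuffcmd check: LOCALONLY cvars are never writable from unprivileged input` would pin the ordering. The two removed TODOs about `FCVAR_SERVER` and `FCVAR_EXTDLL` are dropped without a decision being recorded; if those flags are intentionally left settable by unprivileged input, a short note here or in the commit message would say so. Cvar_ShouldSetCvar begins and continues outside the hunk.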