[ioquake3] 05/34: Check for all command separators in callTeamVote
Simon McVittie smcv at debian.org
Fri Sep  8 10:33:19 UTC 2017

This is an automated email from the git hooks/post-receive script.
smcv pushed a commit to annotated tag debian/1.36+u20170908+dfsg1-1
in repository ioquake3.
commit f0b74a27c97f6b03cc270d0536a77bdfcc1e8fad
Author: Zack Middleton <zack at cloemail.com>
Date:   Wed Aug 9 18:27:39 2017 -0500
    Check for all command separators in callTeamVote
    
    Make callTeamVote check for all command separators like in callVote.
    It's not exploitable as the only vote option (leader) always uses an
    integer argument.
    
    Also the ioquake3 engine removes command separators from client game
    commands in Cmd_Args_Sanitize().
---
 code/game/g_cmds.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/code/game/g_cmds.c b/code/game/g_cmds.c
index 46a69ca..b02a19e 100644
--- a/code/game/g_cmds.c
+++ b/code/game/g_cmds.c
@@ -1489,9 +1489,16 @@ void Cmd_CallTeamVote_f( gentity_t *ent ) {
 		trap_Argv( i, &arg2[strlen(arg2)], sizeof( arg2 ) - strlen(arg2) );
 	}
 
-	if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) {
-		trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
-		return;
+	// check for command separators in arg2
+	for( c = arg2; *c; ++c) {
+		switch(*c) {
+			case '\n':
+			case '\r':
+			case ';':
+				trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
+				return;
+			break;
+		}
 	}
 
 	if ( !Q_stricmp( arg1, "leader" ) ) {
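Review bot: The replacement loop scans only arg2, while the removed check also rejected ';' in arg1, so arg1 is no longer screened for any separator. From the visible context that is acceptable only because arg1 is compared against the fixed string "leader" right after the loop; either run the same scan over arg1 or extend the comment to say why it is skipped, so that a later vote option which uses arg1 differently does not inherit the gap. The `break;` after `return;` is unreachable and can be dropped. `c` is used here but not declared in this hunk, and the diffstat shows no other insertions, so confirm the function already declares a suitable `char *c`. Since the commit message says callVote performs the same check, a shared helper would keep the two in sync.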
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-games/ioquake3.git