BUG: Server specific commands registered when in client mode #902
Make sure you aren't using the https://github.com/QW-Group/ezquake-source/blob/master/src/sv_ccmds.c#L1856-L1857
osm added a commit to osm/ezquake-source that referenced this issue Mar 2, 2024

A server can execute commands on the client via stufftext. Therefore, a malicious server can perform evil operations. To limit the attack vector, the following commands have been removed:
- chmod
- localcommand
- ls
- nslookup
- rm
- rmdir

This addresses issue QW-Group#902
osm added a commit to osm/ezquake-source that referenced this issue Mar 3, 2024

A server can execute commands on the client via stufftext. Therefore, a malicious server can perform evil operations. To limit the attack vector, the following commands have been removed:
- chmod
- localcommand
- ls
- nslookup
- rcon
- rm
- rmdir

This addresses issue QW-Group#902
Fixed with #903
SV_InitOperatorCommands registers all sorts of fun stuff that a random server may invoke via stufftext. This set of commands should likely only be registered when starting a local ezquake server, and some of them should perhaps be completely removed.
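The gating proposed in the issue text, as an added C sketch that is not ezQuake's code: the `demo_*` names and the small registry are hypothetical, `say` is a constructed stand-in for an ordinary client command, and the operator command bodies only set a flag instead of touching the file system.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical miniature command registry; not ezQuake's real command API. */
#define MAX_CMDS 16
typedef void (*cmd_fn)(void);
static struct { const char *name; cmd_fn fn; } cmds[MAX_CMDS];
static int num_cmds, ran_operator_cmd;

static void demo_add_command(const char *name, cmd_fn fn) {
    if (num_cmds < MAX_CMDS) { cmds[num_cmds].name = name; cmds[num_cmds].fn = fn; num_cmds++; }
}

/* Stand-in for an operator command such as rm: it only records that it ran. */
static void demo_operator_cmd(void) { ran_operator_cmd = 1; }
static void demo_client_cmd(void) { }

/* Command names taken from the commit messages in this thread. */
static void demo_init_operator_commands(void) {
    static const char *names[] = { "chmod", "localcommand", "ls", "nslookup", "rcon", "rm", "rmdir" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        demo_add_command(names[i], demo_operator_cmd);
}

/* Gated start-up: operator commands are registered only for a local server. */
static void demo_startup(int local_server) {
    num_cmds = 0; ran_operator_cmd = 0;
    demo_add_command("say", demo_client_cmd);   /* constructed client command */
    if (local_server)
        demo_init_operator_commands();
}

/* Dispatch one stufftext line; returns 1 if a registered command ran, else 0. */
static int demo_stufftext(const char *line) {
    char name[32];
    size_t n = strcspn(line, " \t\n");          /* command name is the first token */
    if (n == 0 || n >= sizeof name) return 0;
    memcpy(name, line, n); name[n] = '\0';
    for (int i = 0; i < num_cmds; i++)
        if (strcmp(cmds[i].name, name) == 0) { cmds[i].fn(); return 1; }
    return 0;                                   /* unknown command: nothing executes */
}

int main(void) {
    demo_startup(0);
    printf("client only:  rm dispatched=%d\n", demo_stufftext("rm demo.txt\n"));
    demo_startup(1);
    printf("local server: rm dispatched=%d\n", demo_stufftext("rm demo.txt\n"));
    return 0;
}
```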