Remove dangerous commands
A server can execute commands on the client via stufftext. Therefore, a
malicious server can perform harmful operations on the client. To reduce
the attack surface, the following commands have been removed:

- chmod
- localcommand
- ls
- nslookup
- rm
- rmdir

This addresses issue QW-Group#902
osm committed Mar 2, 2024
1 parent 97a8468 commit 631964a
Showing 6 changed files with 1 addition and 523 deletions.
5 changes: 0 additions & 5 deletions help_cmdline_params.json
@@ -67,11 +67,6 @@
"incomplete"
]
},
"-enablelocalcommand": {
"flags": [
"incomplete"
]
},
"-forceTextureReload": {
"flags": [
"incomplete"
14 changes: 1 addition & 13 deletions help_commands.json
@@ -1044,9 +1044,6 @@
"logtelnet": {
"system-generated": true
},
"ls": {
"system-generated": true
},
"macrolist": {
"description": "Prints a list of all available macros."
},
@@ -1237,9 +1234,6 @@
"description": "You can fly and go thru objects free mode as spectator",
"remarks": "Needs cheats support by server."
},
"nslookup": {
"system-generated": true
},
"observe": {
"description": "Connects you to a server as a spectator. If no address is specified, observe will reconnect to the last visited server as a spectator.\n\nExample:\nobserve 123.124.125.126",
"syntax": "<address>"
@@ -1480,12 +1474,6 @@
"reset": {
"system-generated": true
},
"rm": {
"system-generated": true
},
"rmdir": {
"system-generated": true
},
"rotate": {
"description": "Rotates the player by x degrees.\n\nExample: \"rotate 180\"\n - rotates your POV by 180 degrees.",
"remarks": "Negative values can also be used for the desired angle."
@@ -2095,4 +2083,4 @@
"z_ext_list": {
"system-generated": true
}
}
}
1 change: 0 additions & 1 deletion src/cmdline_params_ids.h
@@ -69,7 +69,6 @@ CMDLINE_DEF(developer_mode, "-dev"),

CMDLINE_DEF(server_progtype, "-progtype"),
CMDLINE_DEF(server_enablecheats, "-cheats"),
CMDLINE_DEF(server_enablelocalcommand, "-enablelocalcommand"),
CMDLINE_DEF(server_democache_kb, "-democache"),
// leave trailing ,

2 changes: 0 additions & 2 deletions src/server.h
@@ -1088,15 +1088,13 @@ void SV_SetClientConnectionTime(client_t* client);
#ifdef SERVERONLY
// mvdsv not changed over to enums yet, which was more about documentation
#define SV_CommandLineEnableCheats() (COM_CheckParm("-cheats"))
#define SV_CommandLineEnableLocalCommand() (COM_CheckParm("-enablelocalcommand"))
#define SV_CommandLineDemoCacheArgument() (COM_CheckParm("-democache"))
#define SV_CommandLineProgTypeArgument() (COM_CheckParm("-progtype"))
#define SV_CommandLineUseMinimumMemory() (COM_CheckParm("-minmemory"))
#define SV_CommandLineHeapSizeMemoryKB() (COM_CheckParm("-heapsize"))
#define SV_CommandLineHeapSizeMemoryMB() (COM_CheckParm("-mem"))
#else
#define SV_CommandLineEnableCheats() (COM_CheckParm(cmdline_param_server_enablecheats))
#define SV_CommandLineEnableLocalCommand() (COM_CheckParm(cmdline_param_server_enablelocalcommand))
#define SV_CommandLineDemoCacheArgument() (COM_CheckParm(cmdline_param_server_democache_kb))
#define SV_CommandLineProgTypeArgument() (COM_CheckParm(cmdline_param_server_progtype))
#define SV_CommandLineUseMinimumMemory() (COM_CheckParm(cmdline_param_host_memory_minimum))