admincmd.sma exploits fix (#822)
* [admincmd.sma] Fix typo in isCommandArgSafe ' * [admincmd.sma] Update amx_cvar command handler - Fix exploiting of "mapchangecfgfile" cvar to execute potentially dangerous console commands - Add newline delimiter check and restrict for ****cfgfile cvars values * Restrict having ".." character sequence in amx_map command argument Fixes exploit on Windows servers that allows executing potentially dangerous console commands * Do not allow admins to change cvars with FCVAR_SPONLY flag when not in singleplayer via amx_cvar 1. Make amx_cvar command obey FCVAR_SPONLY flag. 2. Fix exploiting of amx_nextmap cvar value which is used in nextmap plugin.
This commit is contained in:
parent
a5f2b5539f
commit
51ede1097d
@ -222,13 +222,13 @@ public cmdKick(id, level, cid)
|
||||
}
|
||||
|
||||
/**
|
||||
* ';' and '\n' are command delimiters. If a command arg contains these 2
|
||||
* ';' and '^n' are command delimiters. If a command arg contains these 2
|
||||
* it is not safe to be passed to server_cmd() as it may be trying to execute
|
||||
* a command.
|
||||
*/
|
||||
isCommandArgSafe(const arg[])
|
||||
{
|
||||
return contain(arg, ";") == -1 && contain(arg, "\n") == -1;
|
||||
return contain(arg, ";") == -1 && contain(arg, "^n") == -1;
|
||||
}
|
||||
|
||||
public cmdUnban(id, level, cid)
|
||||
@ -668,7 +668,7 @@ public cmdMap(id, level, cid)
|
||||
new arg[32]
|
||||
new arglen = read_argv(1, arg, charsmax(arg))
|
||||
|
||||
if (!is_map_valid(arg))
|
||||
if (!is_map_valid(arg) || contain(arg, "..") != -1)
|
||||
{
|
||||
console_print(id, "[AMXX] %L", id, "MAP_NOT_FOUND")
|
||||
return PLUGIN_HANDLED
|
||||
@ -788,13 +788,23 @@ public cmdCvar(id, level, cid)
|
||||
return PLUGIN_HANDLED
|
||||
}
|
||||
|
||||
if (equali(arg, "servercfgfile") || equali(arg, "lservercfgfile"))
|
||||
if ((get_pcvar_flags(pointer) & FCVAR_SPONLY) && MaxClients != 1)
|
||||
{
|
||||
console_print(id, "[AMXX] %L", id, "CVAR_NO_ACC")
|
||||
return PLUGIN_HANDLED
|
||||
}
|
||||
|
||||
if (equali(arg, "servercfgfile") || equali(arg, "lservercfgfile") || equali(arg, "mapchangecfgfile"))
|
||||
{
|
||||
new pos = contain(arg2, ";")
|
||||
if (pos != -1)
|
||||
{
|
||||
arg2[pos] = '^0'
|
||||
}
|
||||
else if ((pos = contain(arg2, "^n")) != -1)
|
||||
{
|
||||
arg2[pos] = '^0'
|
||||
}
|
||||
}
|
||||
|
||||
new authid[32], name[MAX_NAME_LENGTH]
|
||||
|
Loading…
Reference in New Issue
Block a user