adminvote.sma exploit fix (#823)

* Disallow the ".." character sequence in amx_votemap command arguments

Fixes exploit on Windows servers that allows executing potentially dangerous console commands

* Fix typo

containi -> contain
Juice 2020-05-29 02:04:16 +03:00 committed by GitHub
parent 307e71455a
commit a5f2b5539f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -238,7 +238,10 @@ public cmdVoteMap(id, level, cid)
for (new i = 1; i < argc; ++i) for (new i = 1; i < argc; ++i)
{ {
read_argv(i, g_optionName[g_validMaps], 31) read_argv(i, g_optionName[g_validMaps], 31)
if (contain(g_optionName[g_validMaps], "..") != -1)
continue
if (is_map_valid(g_optionName[g_validMaps])) if (is_map_valid(g_optionName[g_validMaps]))
g_validMaps++ g_validMaps++
} }
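Review bot: The new guard in the `for` loop of cmdVoteMap rejects only the literal ".." sequence and still relies on is_map_valid() for every other character of the argument, although the commit description says that check was not enough on Windows servers. Whether is_map_valid() refuses other characters that have no place in a map name cannot be seen from this hunk, so it is worth confirming, or validating the argument against the server's known map list before it is used. The check also has no comment saying why it exists, and a rejected argument is skipped silently; I would add `// Reject ".." before is_map_valid(): on Windows such names passed validation and reached the console (#823)` above the `if (contain(...))` line. The literal `31` passed to read_argv could be `charsmax(g_optionName[])` so the limit follows the array declaration. cmdVoteMap starts and continues outside this hunk, so how the accepted names are used later is not visible here.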