admincmd.sma exploits fix (#822)
* [admincmd.sma] Fix typo in isCommandArgSafe ' * [admincmd.sma] Update amx_cvar command handler - Fix exploiting of "mapchangecfgfile" cvar to execute potentially dangerous console commands - Add newline delimiter check and restrict for ****cfgfile cvars values * Restrict having ".." character sequence in amx_map command argument Fixes exploit on Windows servers that allows executing potentially dangerous console commands * Do not allow admins to change cvars with FCVAR_SPONLY flag when not in singleplayer via amx_cvar 1. Make amx_cvar command obey FCVAR_SPONLY flag. 2. Fix exploiting of amx_nextmap cvar value which is used in nextmap plugin.
This commit is contained in:
Juice
Arkshine
parent
936c9477be
commit
bdeb2a133f
|
|
@ -222,13 +222,13 @@ public cmdKick(id, level, cid)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* ';' and '\n' are command delimiters. If a command arg contains these 2
|
* ';' and '^n' are command delimiters. If a command arg contains these 2
|
||||||
* it is not safe to be passed to server_cmd() as it may be trying to execute
|
* it is not safe to be passed to server_cmd() as it may be trying to execute
|
||||||
* a command.
|
* a command.
|
||||||
*/
|
*/
|
||||||
isCommandArgSafe(const arg[])
|
isCommandArgSafe(const arg[])
|
||||||
{
|
{
|
||||||
return contain(arg, ";") == -1 && contain(arg, "\n") == -1;
|
return contain(arg, ";") == -1 && contain(arg, "^n") == -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
public cmdUnban(id, level, cid)
|
public cmdUnban(id, level, cid)
|
||||||
|
|
@ -668,7 +668,7 @@ public cmdMap(id, level, cid)
|
||||||
new arg[32]
|
new arg[32]
|
||||||
new arglen = read_argv(1, arg, charsmax(arg))
|
new arglen = read_argv(1, arg, charsmax(arg))
|
||||||
|
|
||||||
if (!is_map_valid(arg))
|
if (!is_map_valid(arg) || contain(arg, "..") != -1)
|
||||||
{
|
{
|
||||||
console_print(id, "[AMXX] %L", id, "MAP_NOT_FOUND")
|
console_print(id, "[AMXX] %L", id, "MAP_NOT_FOUND")
|
||||||
return PLUGIN_HANDLED
|
return PLUGIN_HANDLED
|
||||||
|
|
@ -788,13 +788,23 @@ public cmdCvar(id, level, cid)
|
||||||
return PLUGIN_HANDLED
|
return PLUGIN_HANDLED
|
||||||
}
|
}
|
||||||
|
|
||||||
if (equali(arg, "servercfgfile") || equali(arg, "lservercfgfile"))
|
if ((get_pcvar_flags(pointer) & FCVAR_SPONLY) && MaxClients != 1)
|
||||||
|
{
|
||||||
|
console_print(id, "[AMXX] %L", id, "CVAR_NO_ACC")
|
||||||
|
return PLUGIN_HANDLED
|
||||||
|
}
|
||||||
|
|
||||||
|
if (equali(arg, "servercfgfile") || equali(arg, "lservercfgfile") || equali(arg, "mapchangecfgfile"))
|
||||||
{
|
{
|
||||||
new pos = contain(arg2, ";")
|
new pos = contain(arg2, ";")
|
||||||
if (pos != -1)
|
if (pos != -1)
|
||||||
{
|
{
|
||||||
arg2[pos] = '^0'
|
arg2[pos] = '^0'
|
||||||
}
|
}
|
||||||
|
else if ((pos = contain(arg2, "^n")) != -1)
|
||||||
|
{
|
||||||
|
arg2[pos] = '^0'
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
new authid[32], name[MAX_NAME_LENGTH]
|
new authid[32], name[MAX_NAME_LENGTH]
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user