admincmd.sma exploits fix (#822)

* [admincmd.sma] Fix typo in isCommandArgSafe

'

* [admincmd.sma] Update amx_cvar command handler

- Fix exploitation of the "mapchangecfgfile" cvar to execute potentially dangerous console commands
- Add a newline delimiter check and restriction for ****cfgfile cvar values

* Restrict having ".." character sequence in amx_map command argument

Fixes exploit on Windows servers that allows executing potentially dangerous console commands

* Do not allow admins to change cvars with FCVAR_SPONLY flag when not in singleplayer via amx_cvar

1. Make amx_cvar command obey FCVAR_SPONLY flag.
2. Fix exploiting of amx_nextmap cvar value which is used in nextmap plugin.
Juice 2020-05-29 02:10:38 +03:00 committed by GitHub
parent a5f2b5539f
commit 51ede1097d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -222,13 +222,13 @@ public cmdKick(id, level, cid)
}
/**
* ';' and '\n' are command delimiters. If a command arg contains these 2
* ';' and '^n' are command delimiters. If a command arg contains these 2
* it is not safe to be passed to server_cmd() as it may be trying to execute
* a command.
*/
isCommandArgSafe(const arg[])
{
return contain(arg, ";") == -1 && contain(arg, "\n") == -1;
return contain(arg, ";") == -1 && contain(arg, "^n") == -1;
}
public cmdUnban(id, level, cid)
@ -668,7 +668,7 @@ public cmdMap(id, level, cid)
new arg[32]
new arglen = read_argv(1, arg, charsmax(arg))
if (!is_map_valid(arg))
if (!is_map_valid(arg) || contain(arg, "..") != -1)
{
console_print(id, "[AMXX] %L", id, "MAP_NOT_FOUND")
return PLUGIN_HANDLED
@ -788,13 +788,23 @@ public cmdCvar(id, level, cid)
return PLUGIN_HANDLED
}
if (equali(arg, "servercfgfile") || equali(arg, "lservercfgfile"))
if ((get_pcvar_flags(pointer) & FCVAR_SPONLY) && MaxClients != 1)
{
console_print(id, "[AMXX] %L", id, "CVAR_NO_ACC")
return PLUGIN_HANDLED
}
if (equali(arg, "servercfgfile") || equali(arg, "lservercfgfile") || equali(arg, "mapchangecfgfile"))
{
new pos = contain(arg2, ";")
if (pos != -1)
{
arg2[pos] = '^0'
}
else if ((pos = contain(arg2, "^n")) != -1)
{
arg2[pos] = '^0'
}
}
new authid[32], name[MAX_NAME_LENGTH]
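Review bot: In the cmdCvar hunk the newline check is chained as `else if`, so it only runs when arg2 contains no `;`. A value with `^n` ahead of a later `;` is cut at the semicolon and still carries the newline into the cvar. Make the two checks independent by changing that line to `if ((pos = contain(arg2, "^n")) != -1)`, so the string always ends at whichever delimiter comes first. Alternatively, isCommandArgSafe() in this same file already tests both delimiters and could be used to reject the value outright instead of truncating it. cmdCvar starts and ends outside the hunk, so how arg2 is consumed afterwards is not visible here.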