fix config.cfg writing (properly escape cvar names and values) to fix seta exploits
authordivverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Sat, 7 Nov 2009 11:37:56 +0000 (11:37 +0000)
committerdivverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Sat, 7 Nov 2009 11:37:56 +0000 (11:37 +0000)
git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@9444 d7cf8633-e32d-0410-b094-e92efae38249

cvar.c

diff --git a/cvar.c b/cvar.c
index 47af3757c643c1dec4835bab2a316a42ffccfea1..125f554b8d3cb970054c38f059c4943fb7a29396 100644 (file)
--- a/cvar.c
+++ b/cvar.c
@@ -653,11 +653,16 @@ with the archive flag set to true.
 void Cvar_WriteVariables (qfile_t *f)
 {
        cvar_t  *var;
+       char buf1[MAX_INPUTLINE], buf2[MAX_INPUTLINE];
 
        // don't save cvars that match their default value
        for (var = cvar_vars ; var ; var = var->next)
                if ((var->flags & CVAR_SAVE) && (strcmp(var->string, var->defstring) || (var->flags & CVAR_ALLOCATED)))
-                       FS_Printf(f, "%s%s \"%s\"\n", var->flags & CVAR_ALLOCATED ? "seta " : "", var->name, var->string);
+               {
+                       Cmd_QuoteString(buf1, sizeof(buf1), var->name, "\"\\$");
+                       Cmd_QuoteString(buf2, sizeof(buf2), var->string, "\"\\$");
+                       FS_Printf(f, "%s\"%s\" \"%s\"\n", var->flags & CVAR_ALLOCATED ? "seta " : "", buf1, buf2);
+               }
 }
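Review bot: Both `Cmd_QuoteString` calls in the new loop body ignore the result, so a name or value whose escaped form does not fit in `MAX_INPUTLINE` bytes is still written to the config, possibly cut in the middle of an escape sequence. Assuming the helper reports overrun through its return value (its declaration is not in this hunk), the entry should be skipped with a warning instead, e.g. `if (!Cmd_QuoteString(buf1, sizeof(buf1), var->name, "\"\\$") || !Cmd_QuoteString(buf2, sizeof(buf2), var->string, "\"\\$")) continue;`. The quote set covers `"`, `\` and `$` only, so it is worth confirming that a line break inside `var->string` cannot reach `FS_Printf`, because the output format is one command per line. A short comment above the two calls saying why these three characters are escaped would help the next reader.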