From cdc40956d38987591a9bdaf199fa0f9fcc6eb989 Mon Sep 17 00:00:00 2001
From: divverent
Date: Sat, 7 Nov 2009 11:37:56 +0000
Subject: [PATCH] fix config.cfg writing (properly escape cvar names and values) to fix seta exploits
git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@9444 d7cf8633-e32d-0410-b094-e92efae38249
---
 cvar.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/cvar.c b/cvar.c
index 47af3757..125f554b 100644
--- a/cvar.c
+++ b/cvar.c
@@ -653,11 +653,16 @@ with the archive flag set to true.
 void Cvar_WriteVariables (qfile_t *f)
 {
 cvar_t *var;
+ char buf1[MAX_INPUTLINE], buf2[MAX_INPUTLINE];
 // don't save cvars that match their default value
 for (var = cvar_vars ; var ; var = var->next)
 if ((var->flags & CVAR_SAVE) && (strcmp(var->string, var->defstring) || (var->flags & CVAR_ALLOCATED)))
- FS_Printf(f, "%s%s \"%s\"\n", var->flags & CVAR_ALLOCATED ? "seta " : "", var->name, var->string);
+ {
+ Cmd_QuoteString(buf1, sizeof(buf1), var->name, "\"\\$");
+ Cmd_QuoteString(buf2, sizeof(buf2), var->string, "\"\\$");
+ FS_Printf(f, "%s\"%s\" \"%s\"\n", var->flags & CVAR_ALLOCATED ? "seta " : "", buf1, buf2);
+ }
 }
--
2.39.2
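Review bot: Both Cmd_QuoteString calls in the new braced block are used as bare statements, so a cvar name or value whose escaped form does not fit in buf1/buf2 is still passed to FS_Printf in whatever truncated state the helper leaves it. Cmd_QuoteString is declared outside this hunk; if it reports truncation through its return value, the entry should be skipped rather than written, e.g. `if (!Cmd_QuoteString(buf1, sizeof(buf1), var->name, "\"\\$") || !Cmd_QuoteString(buf2, sizeof(buf2), var->string, "\"\\$")) continue;`. The emitted line can also reach roughly twice MAX_INPUTLINE, so it is worth confirming that the config reader accepts lines that long, since a line cut on read-back could lose its closing quote. The quote set `"\"\\$"` does not include line terminators; presumably cvar strings cannot contain `\n` or `\r`, but a short comment stating that assumption would help.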