summaryrefslogtreecommitdiff
path: root/src/map
diff options
context:
space:
mode:
authormekolat <mekolat@users.noreply.github.com>2016-04-02 20:01:54 -0400
committermekolat <mekolat@users.noreply.github.com>2016-04-02 20:01:54 -0400
commit9d3dd9aa9e35c9b2592a778da0699dcb8a69b3ff (patch)
treea9cfd02596ab383887c4c8d471a28ed553ca2ec2 /src/map
parent2ba1812b8315b5df8291f68144b0c380a6cd749d (diff)
downloadtmwa-9d3dd9aa9e35c9b2592a778da0699dcb8a69b3ff.tar.gz
tmwa-9d3dd9aa9e35c9b2592a778da0699dcb8a69b3ff.tar.bz2
tmwa-9d3dd9aa9e35c9b2592a778da0699dcb8a69b3ff.tar.xz
tmwa-9d3dd9aa9e35c9b2592a778da0699dcb8a69b3ff.zip
remote execution vulnerability fix
Diffstat (limited to 'src/map')
-rw-r--r--src/map/clif.cpp29
1 files changed, 12 insertions, 17 deletions
diff --git a/src/map/clif.cpp b/src/map/clif.cpp
index 349d2e9..a38151f 100644
--- a/src/map/clif.cpp
+++ b/src/map/clif.cpp
@@ -5670,10 +5670,6 @@ AString clif_validate_chat(dumb_ptr<map_session_data> sd, ChatType type, XString
if (sd->auto_ban_info.in_progress)
return AString();
- Session *s = sd->sess;
- size_t name_len = sd->status_key.name.to__actual().size();
- XString pbuf = buf;
-
/*
* The client attempted to exceed the maximum message length.
*
@@ -5688,21 +5684,20 @@ AString clif_validate_chat(dumb_ptr<map_session_data> sd, ChatType type, XString
return AString();
}
- if (type == ChatType::Global && sd->client_version < 6)
+ // ManaPlus remote command vulnerability fix
+ if (buf.contains_seq("@@="_s) && buf.contains('|'))
{
- XString p = pbuf;
- if (!(p.startswith(sd->status_key.name.to__actual()) && p.xslice_t(name_len).startswith(" : "_s)))
- {
- /* Disallow malformed/spoofed messages. */
- clif_setwaitclose(s);
- WARN_MALFORMED_MSG(sd, "spoofed name/invalid format"_s);
- return AString();
- }
- /* Step beyond the separator. */
- XString xs = p.xslice_t(name_len + 3);
- return xs;
+ clif_setwaitclose(sd->sess);
+ WARN_MALFORMED_MSG(sd, "remote command exploit attempt"_s);
+ return AString();
}
- return pbuf;
+
+ // Step beyond the separator. for older clients
+ if (type == ChatType::Global && sd->client_version < 6)
+ return buf.xslice_t(sd->status_key.name.to__actual().size() + 3);
+
+ // newer clients will not send the name
+ return buf;
}
/*==========================================