Index: Makefile
===================================================================
RCS file: /cvs/ports/games/ezquake/Makefile,v
retrieving revision 1.15
diff -u -p -r1.15 Makefile
--- Makefile 6 Mar 2023 13:37:15 -0000 1.15
+++ Makefile 2 Nov 2023 02:41:48 -0000
@@ -1,5 +1,6 @@
N = ezquake
V = 3.6.1
+REVISION = 0
COMMENT = modern QuakeWorld client
PKGNAME = ${N}-${V}
Index: patches/patch-cl_cmd_c
===================================================================
RCS file: patches/patch-cl_cmd_c
diff -N patches/patch-cl_cmd_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-cl_cmd_c 2 Nov 2023 02:41:48 -0000
@@ -0,0 +1,49 @@
+commit df38450a75ef7492c51c6e9f3012235521a01b98
+Author: Daniel Svensson <dsvensson@gmail.com>
+Date: Fri Oct 20 21:37:34 2023 +0200
+
+ DOWNLOAD: Harmonize download filter.
+
+see: https://github.com/QW-Group/ezquake-source/issues/857
+
+Index: cl_cmd.c
+--- cl_cmd.c.orig
++++ cl_cmd.c
+@@ -622,6 +622,28 @@ void CL_Rcon_f (void) {
+ NET_SendPacket (NS_CLIENT, strlen(message)+1, message, to);
+ }
+
++qbool CL_Download_Accept(const char *filename)
++{
++ if (strstr(filename, "..") || !strcmp(filename, "") || filename[0] == '/' || strchr(filename, '\\') || strchr(filename, ':') || strstr(filename, "//")) {
++ Com_Printf("Warning: Invalid characters in filename \"%s\"\n", filename);
++ return false;
++ }
++
++ const char *tmp = strrchr(filename, '.');
++ if (tmp != NULL && (!strcasecmp(tmp, ".dll") || !strcasecmp(tmp, ".so"))) {
++ Com_Printf("Warning: Non-allowed file \"%s\" skipped\n", filename);
++ return false;
++ }
++
++ vfsfile_t *f = FS_OpenVFS(filename, "rb", FS_ANY);
++ if (f) {
++ VFS_CLOSE(f);
++ return false;
++ }
++
++ return true;
++}
++
+ void CL_Download_f (void){
+ char *dir; // we save to demo_dir or gamedir
+ char *filename; // which file to dl, will be sent to server
+@@ -636,7 +658,7 @@ void CL_Download_f (void){
+ filename = Cmd_Argv(1);
+ strlcpy(ondiskname, filename, sizeof(ondiskname)); // in most cases this is same as filename
+
+- if (Cmd_Argc() != 2 || !filename[0]) {
++ if (Cmd_Argc() != 2 || !filename[0] || !CL_Download_Accept(filename)) {
+ Com_Printf ("Usage: %s <datafile>\n", Cmd_Argv(0));
+ return;
+ }
Index: patches/patch-cl_parse_c
===================================================================
RCS file: patches/patch-cl_parse_c
diff -N patches/patch-cl_parse_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-cl_parse_c 2 Nov 2023 02:41:48 -0000
@@ -0,0 +1,41 @@
+commit df38450a75ef7492c51c6e9f3012235521a01b98
+Author: Daniel Svensson <dsvensson@gmail.com>
+Date: Fri Oct 20 21:37:34 2023 +0200
+
+ DOWNLOAD: Harmonize download filter.
+
+see: https://github.com/QW-Group/ezquake-source/issues/857
+
+Index: cl_parse.c
+--- cl_parse.c.orig
++++ cl_parse.c
+@@ -472,25 +472,13 @@ int CL_CalcNetStatistics(
+
+ //=============================================================================
+
++qbool CL_Download_Accept(const char *filename);
++
+ // Returns true if the file exists, otherwise it attempts to start a download from the server.
+ qbool CL_CheckOrDownloadFile(char *filename)
+ {
+- vfsfile_t *f;
+- char *tmp;
+-
+- if (strstr(filename, "..") || !strcmp(filename, "") || filename[0] == '/' || strchr(filename, '\\') || strchr(filename, ':') || strstr(filename, "//")) {
+- Com_Printf("Warning: Invalid characters in filename \"%s\"\n", filename);
+- return true;
+- }
+-
+- if ((tmp = strrchr(filename, '.')) && (!strcasecmp(tmp, ".dll") || !strcasecmp(tmp, ".so"))) {
+- Com_Printf("Warning: Non-allowed file \"%s\" skipped\n", filename);
+- return true;
+- }
+-
+- f = FS_OpenVFS(filename, "rb", FS_ANY);
+- if (f) {
+- VFS_CLOSE(f);
++ if (!CL_Download_Accept(filename))
++ {
+ return true;
+ }
+
Tom Murphy writes:
> Hi again,
>
> Apologies, in the Makefile shuffle I took out PKGNAME by mistake.
> Updated diff below. Thanks!
>
> -Tom
>
Please find two diffs: an attached diff for -stable and an inline diff
for -current with some additional tweaks on top of tom's diff:
- stable diff backports the security fix preventing download of .so
files and bumps REVISION
see:
https://github.com/QW-Group/ezquake-source/commit/df38450a75ef7492c51c6e9f3012235521a01b98
https://github.com/QW-Group/ezquake-source/issues/857
- Break up DIST_TUPLE to 80 char long lines and add license markers.
- Add a second ${GAMEDIR} substition in EX_browser_sources.c patch. With
this, server browser now successfully reads from
/usr/local/share/ezquake/na-sv.txt. The lists are outdated by 12 years
so I will try to add some servers upstream.
- when resizing in cwm or xmonad, I get a black window. This is caused
by vid_software_palette changing from 0 to 1 default. I have a patch
to revert this to 0, which should be a good default for
users. Alternatively, you can specify "vid_software_palette 0" in your
config and we can not use this patch.
see:
https://github.com/QW-Group/ezquake-source/issues/858
Tom asked me to test runtime. I tested -stable and -current and gameplay
was good other than the black window upon resizing in cwm or xmonad,
which is addressed by the patch.
OK?
No comments:
Post a Comment