Posted 14 October 2010 - 01:26 AM
I'm working on a new patch called "checkuserinfo.patch" after I discovered that it's possible to send specially crafted connect or userinfo packets that contain funny characters such as ';' (semicolon) or '\r' (carriage return) in the userinfo string proper.
In particular, I found the following disturbing. I sent a userinfo that looks like this more or less:
\challenge\1019066863\qport\303\protocol\68\name\Ramb;etter\rate\8000\cg_predictitems\0\snaps\20\model\sarge\headmodel\sarge\team_model\james\team_headmodel\*james\color1\4\color2\5\handicap\0\sex\male\cl_anonymous\0\teamtask\0\cl_guid\0BFCD16926A21814B98E42AAAF4ABF01
Note the semicolon in the name. The server accepted this just fine. In ioquake3 if I do an "/rcon status" I get the semicolon in the name, sure enough. However, the game engine converts this player's name to "badinfo". In fact if there is a semicolon anywhere in the userinfo the player's name becomes "badinfo" in the game engine.
However, since there is a semicolon in the name as far as the ioquake3 code is concerned, I'm worried that some kind of exploit is possible, although I have not been able to come up with one.
So, I'm writing a patch that has very strict guidelines on the structure and contents of the userinfo string for a client, just to be safe so that nothing bad happens in the future.
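A strict userinfo validator of the kind this post is working toward, added here as an illustration rather than taken from the checkuserinfo.patch or ioquake3 itself. The permitted-character rules (printable ASCII only, no ';', '\r', '\n' or '"') and the non-empty key/value requirement are assumptions of this example; the 1024-byte limit mirrors Quake 3's MAX_INFO_STRING but is redefined locally so the block is self-contained.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define INFO_LIMIT 1024  /* same value as Quake 3's MAX_INFO_STRING */

/* Characters rejected anywhere in a userinfo string (assumed policy):
   ';', CR and LF can split or terminate console commands if the string
   is ever echoed into one, '"' breaks quoting, and non-printable or
   non-ASCII bytes have no business in a key or value. */
static bool info_char_ok(unsigned char c)
{
    if (c == ';' || c == '\r' || c == '\n' || c == '"')
        return false;
    return c >= 0x20 && c <= 0x7e;
}

/* Returns true only if s is exactly \key\value\key\value... with a
   leading backslash, non-empty keys and values, and only permitted
   characters. Stricter than stock Info_Validate by design. */
bool userinfo_is_valid(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len >= INFO_LIMIT || s[0] != '\\')
        return false;

    const char *p = s;
    while (*p == '\\') {
        const char *key = ++p;                 /* key starts after '\' */
        while (*p && *p != '\\') {
            if (!info_char_ok((unsigned char)*p)) return false;
            p++;
        }
        if (p == key || *p != '\\')            /* empty key or no value */
            return false;

        const char *val = ++p;                 /* value starts after '\' */
        while (*p && *p != '\\') {
            if (!info_char_ok((unsigned char)*p)) return false;
            p++;
        }
        if (p == val)                          /* empty value */
            return false;
    }
    return *p == '\0';                         /* nothing trailing */
}
```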