> Engine:
> - Added checks to prevent transferring .smx, .gcf, and .sys files between
>   client/server
> - Fixed upload/download exploits with spaces in the file extension or a path
>   separator at the beginning of the requested file (as reported on the HLDS
>   mailing lists)
This is sad. You can still upload/download random files as long as their extension isn't blacklisted? There are so many ways to cause problems with this... even if you switch to an extension WHITELIST there'd still be problems. Who's to say addons don't use other extensions to store settings? Or bash/apache/other services don't read certain files? Is .bashrc blocked? What if someone uses their home directory as the server root? What if someone doesn't want script kiddies uploading special_note_from_valve.readme to their server? Why not replace this interface with something that doesn't allow arbitrary file uploads/downloads, rather than something as laughable as an extension blacklist making it 'safe'? When someone finds yet another way to abuse this (I can think of two separate ways to continue to use this exploit for remote code execution) it's going to come up again, years after the issues with it were first noted...

- Neph

On 12/07/2009 06:20 PM, Jason Ruymen wrote:
> Required updates for Team Fortress 2 and Day of Defeat: Source are now
> available. Please run hldsupdatetool to receive the updates.
> The specific changes include:
>
> Engine:
> - Added checks to prevent transferring .smx, .gcf, and .sys files between
>   client/server
> - Fixed upload/download exploits with spaces in the file extension or a path
>   separator at the beginning of the requested file (as reported on the HLDS
>   mailing lists)
>
> Team Fortress 2:
> - Fixed custom particle systems inside maps causing particles to break in
>   successive maps
> - Fixed a rare vphysics crash
> - Fixed background highlight for KOTH timers not being aligned properly in
>   minmode
> - Fixed the Heavy's fists being hidden while taunting
> - Fixed cloaked Spies having the critboost effect on their weapon
> - Fixed banned clients being able to spam a server with the "joined" chat
>   text
> - Fixed seeing the wrong class counts if the game swapped teams while the
>   class menu was open
> - Fixed Spies being able to disguise while performing a taunt
> - Fixed having to press the voice menu key twice if the menu timed out and
>   closed itself last time it was open
> - Fixed the "Confirm Delete" dialog in the Items menu not handling the key
>   correctly
> - Fixed dispenser not healing players at the correct rate if it's upgraded
>   while the players are already touching the dispenser
> - Fixed exec'ing the .cfg file for a class change before the player has
>   actually changed class
>
> Jason
>
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please
> visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds
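An added example, not code from Valve, the Source engine or anyone on this list, that contrasts the extension-blacklist style of check the changelog describes with the whitelist-plus-canonicalisation check Neph's reply argues for. The allowed directories, allowed extensions, function names and request strings are all assumptions constructed for the example; it goes one step past the two reported cases (a space in the extension, a leading path separator) and also refuses relative-path traversal, which any path validator of this kind has to handle.

```python
"""Constructed example: an extension blacklist versus a whitelist with
canonicalisation for a game-server file transfer request.  Nothing here is
Valve's code; every list and path below is an assumption for illustration."""
import posixpath
import re

# The three extensions the changelog says the engine began refusing.
BLACKLISTED_EXTENSIONS = {".smx", ".gcf", ".sys"}

# Hypothetical whitelist of content a server legitimately sends to clients
# (maps, models, textures, sounds).  Assumption, not an official list.
ALLOWED_EXTENSIONS = {".bsp", ".mdl", ".vtf", ".vmt", ".wav", ".mp3", ".nav"}

# Hypothetical subdirectories of the game root from which transfer is allowed.
ALLOWED_DIRS = ("maps", "models", "materials", "sound")

# Directory names and file stems may only use this restrictive character set,
# so whitespace or a second dot cannot hide a different extension.
_SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9_\-]+$")


def blacklist_check(requested: str) -> bool:
    """Naive check in the spirit of the fix being criticised: allow anything
    whose extension is not on the blacklist.  Returns True when allowed."""
    ext = posixpath.splitext(requested)[1].lower()
    return ext not in BLACKLISTED_EXTENSIONS


def whitelist_check(requested: str) -> bool:
    """Hardened check: the request must be a plain relative path into an
    allowed directory, unchanged by normalisation, with an allowed extension.
    Each rule is a separate early return so a rejection is easy to attribute."""
    # Reject surrounding whitespace, backslashes and absolute paths up front;
    # normalisation is used to detect odd input, never to "clean" it.
    if requested != requested.strip() or "\\" in requested or requested.startswith("/"):
        return False
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in requested):
        return False
    # If normalising changes the string, it contained "..", "." or "//".
    norm = posixpath.normpath(requested)
    if norm != requested:
        return False
    parts = norm.split("/")
    if len(parts) < 2 or parts[0] not in ALLOWED_DIRS:
        return False
    if any(p in ("", ".", "..") for p in parts):
        return False
    stem, ext = posixpath.splitext(parts[-1])
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False
    return all(_SAFE_COMPONENT.match(p) for p in parts[:-1] + [stem])


# Constructed sample requests: two legitimate, four that should be refused.
SAMPLE_REQUESTS = [
    "maps/cp_dustbowl.bsp",                  # legitimate map download
    "materials/models/player/scout.vtf",     # legitimate texture
    "addons/sourcemod/plugins/example.smx ", # trailing space in the extension
    "/home/srcds/.bashrc",                   # leading path separator
    "maps/../cfg/server.cfg",                # traversal out of an allowed dir
    "cfg/server.cfg",                        # settings file, not blacklisted
]


def audit(requests):
    """Return {request: (blacklist_allows, whitelist_allows)} for comparison."""
    return {r: (blacklist_check(r), whitelist_check(r)) for r in requests}


if __name__ == "__main__":
    for req, (bl, wl) in audit(SAMPLE_REQUESTS).items():
        print(f"{req!r:42} blacklist={'allow' if bl else 'deny':5} "
              f"whitelist={'allow' if wl else 'deny'}")
```

Run as a script it prints one line per sample request; the blacklist lets through the trailing-space variant, the dotfile under a home directory and the .cfg file, while the whitelist admits only the two content files. The point of checking `normpath(requested) == requested` rather than using the normalised path is that an input which needed normalising is itself suspicious and should be refused, not silently repaired.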