I agree, that's a very good point.  It seems to me like one solution would be 
for them to put a folder within the srcds directory for uploads and make the 
engine use it.  They could always create a cvar to specify a different location 
for uploaded files which admins could use if they wanted to override the 
default.  Similar to how logging works right now.

    - Dave

----- Original Message -----
From: Jeff Sugar <jeffsu...@gmail.com>
Date: Monday, December 7, 2009 9:37 pm
Subject: Re: [hlds_linux] [hlds] Team Fortress 2/Day of Defeat: Source Update Released
To: Half-Life dedicated Linux server mailing list <hlds_linux@list.valvesoftware.com>

> Well put, neph.
> 
> On Mon, Dec 7, 2009 at 6:29 PM, Nephyrin Zey <nephy...@doublezen.net> wrote:
> 
> > > Engine:
> > > - Added checks to prevent transferring .smx, .gcf, and .sys files between
> > > client/server
> > > - Fixed upload/download exploits with spaces in the file extension or a
> > > path separator at the beginning of the requested file (as reported on the
> > > HLDS mailing lists)
> >
> > This is sad. You can still upload/download random files as long as their
> > extension isn't blacklisted? There are so many ways to cause problems with
> > this... even if you switch to an extension WHITELIST there'd still be
> > problems. Who's to say addons don't use other extensions to store
> > settings? Or bash/apache/other services don't read certain files? Is
> > .bashrc blocked? What if someone uses their home directory as the server
> > root? What if someone doesn't want script kiddies uploading
> > special_note_from_valve.readme to their server?
> >
> > Why not replace this interface with something that doesn't allow
> > arbitrary file uploads/downloads, rather than something as laughable as an
> > extension blacklist making it 'safe'? When someone finds yet another way to
> > abuse this (I can think of two separate ways to continue to use this
> > exploit for remote code execution) it's going to come up again, years
> > after the issues with it were first noted...
> >
> > - Neph
> >
> > On 12/07/2009 06:20 PM, Jason Ruymen wrote:
> > > Required updates for Team Fortress 2 and Day of Defeat: Source are now
> > > available.  Please run hldsupdatetool to receive the updates.  The specific
> > > changes include:
> > >
> > > Engine:
> > > - Added checks to prevent transferring .smx, .gcf, and .sys files between
> > > client/server
> > > - Fixed upload/download exploits with spaces in the file extension or a
> > > path separator at the beginning of the requested file (as reported on the
> > > HLDS mailing lists)
> > >
> > > Team Fortress 2:
> > > - Fixed custom particle systems inside maps causing particles to break in
> > > successive maps
> > > - Fixed a rare vphysics crash
> > > - Fixed background highlight for KOTH timers not being aligned properly
> > > in minmode
> > > - Fixed the Heavy's fists being hidden while taunting
> > > - Fixed cloaked Spies having the critboost effect on their weapon
> > > - Fixed banned clients being able to spam a server with the "joined"
> > > chat text
> > > - Fixed seeing the wrong class counts if the game swapped teams while the
> > > class menu was open
> > > - Fixed Spies being able to disguise while performing a taunt
> > > - Fixed having to press the voice menu key twice if the menu timed out
> > > and closed itself last time it was open
> > > - Fixed the "Confirm Delete" dialog in the Items menu not handling the
> > > key correctly
> > > - Fixed dispenser not healing players at the correct rate if it's
> > > upgraded while the players are already touching the dispenser
> > > - Fixed exec'ing the .cfg file for a class change before the player has
> > > actually changed class
> > >
> > > Jason
> > >
> > >
> > > _______________________________________________
> > > To unsubscribe, edit your list preferences, or view the list archives,
> > > please visit:
> > > http://list.valvesoftware.com/mailman/listinfo/hlds
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds_linux
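As an added illustration of the point argued in this thread (an extension blacklist versus confining uploads to a dedicated directory), the following is example code written for this page; it is not Valve's engine code and not something any poster supplied. The three blacklisted extensions come from the update notes. The allowlist, the /srv/srcds/uploads root (the "folder within the srcds directory" suggested above), the function names and the sample requests are all hypothetical, constructed for the demonstration. The naive check models only the extension comparison, so the two tricks the notes mention (a trailing space in the extension, a leading path separator) both get past it; the hardened check rejects them along with ".." traversal, backslashes, dotfiles such as .bashrc, and any extension not on the allowlist.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The three extensions the update notes say are now refused. */
static const char *BLACKLIST[] = { ".smx", ".gcf", ".sys" };

/* Hypothetical allowlist of content a client legitimately exchanges with a
   server; the real engine's rules are not given in the thread. */
static const char *ALLOWLIST[] = { ".wav", ".bsp", ".vtf", ".vmt", ".mdl" };

/* Hypothetical dedicated upload root (the proposed folder under srcds). */
#define UPLOAD_ROOT "/srv/srcds/uploads"

/* Case-insensitive string equality (portable stand-in for strcasecmp). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Naive extension blacklist: compare the text after the last '.' against the
   list. Returns 1 if the request is let through. "plugin.smx " (trailing
   space) does not match ".smx", and "/etc/passwd" has no extension at all. */
int naive_blacklist_allows(const char *req)
{
    const char *dot = strrchr(req, '.');
    size_t i;
    if (!dot)
        return 1;
    for (i = 0; i < sizeof BLACKLIST / sizeof *BLACKLIST; i++)
        if (strcmp(dot, BLACKLIST[i]) == 0)
            return 0;
    return 1;
}

/* Hardened check: confine the client-supplied relative path under upload_root
   and require an allowlisted extension. Rejects absolute paths and drive
   letters, backslashes and control characters, "." and ".." components, empty
   components, components that start or end with a space or end with a dot,
   dotfiles such as ".bashrc", and extensions not on the allowlist. On success
   writes "<upload_root>/<req>" into out and returns 1; otherwise returns 0. */
int confine_upload_path(const char *upload_root, const char *req,
                        char *out, size_t outlen)
{
    size_t n, i;
    const char *p, *base, *dot;
    int w, ok = 0;

    if (!req || !*req)
        return 0;
    n = strlen(req);
    if (req[0] == '/' || req[0] == '\\')
        return 0;                               /* leading path separator */
    if (isalpha((unsigned char)req[0]) && req[1] == ':')
        return 0;                               /* C:... drive prefix */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)req[i];
        if (c < 0x20 || c > 0x7e || c == '\\')
            return 0;                           /* control char or backslash */
    }
    for (p = req; ; ) {                         /* walk '/'-separated parts */
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0)
            return 0;                           /* "a//b" or trailing '/' */
        if ((len == 1 && p[0] == '.') || (len == 2 && p[0] == '.' && p[1] == '.'))
            return 0;                           /* "." or ".." traversal */
        if (p[0] == ' ' || p[len - 1] == ' ' || p[len - 1] == '.')
            return 0;                           /* "x.smx " style padding */
        if (!slash)
            break;
        p = slash + 1;
    }
    base = strrchr(req, '/');
    base = base ? base + 1 : req;
    dot = strrchr(base, '.');
    if (!dot || dot == base)
        return 0;                               /* no extension, or a dotfile */
    for (i = 0; i < sizeof ALLOWLIST / sizeof *ALLOWLIST; i++)
        if (ieq(dot, ALLOWLIST[i])) { ok = 1; break; }
    if (!ok)
        return 0;
    w = snprintf(out, outlen, "%s/%s", upload_root, req);
    return w > 0 && (size_t)w < outlen;
}

/* Convenience wrapper: 1 if req is accepted and resolves to expected. */
int confine_yields(const char *req, const char *expected)
{
    char out[512];
    if (!confine_upload_path(UPLOAD_ROOT, req, out, sizeof out))
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample requests, including the two tricks the notes mention. */
    static const char *samples[] = {
        "sound/custom/hit.wav", "plugin.smx", "plugin.smx ", "/etc/passwd",
        "../cfg/server.cfg", ".bashrc", "special_note_from_valve.readme",
        "maps\\cp_x.bsp", "SOUND/HIT.WAV",
    };
    char out[512];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof *samples; i++) {
        int ok = confine_upload_path(UPLOAD_ROOT, samples[i], out, sizeof out);
        printf("%-32s blacklist=%s confined=%s\n", samples[i],
               naive_blacklist_allows(samples[i]) ? "allow" : "deny",
               ok ? out : "deny");
    }
    return 0;
}
```

The design choice worth noting is that the hardened version never tries to enumerate bad inputs: it fixes the root directory on the server side, accepts only a narrow grammar of relative paths, and allowlists extensions, so a new filename trick has to defeat all three rather than a single string compare. A cvar overriding UPLOAD_ROOT, as proposed above, would slot in where the constant is used.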