Do not call Cmd_TokenizeString to parse serverinfo pk3 names
wtfbbqhax opened this issue
Victor Roemer commented
Two routines in the Files processing code are using Cmd_TokenizeString to pick apart server info to build pack lists. The concern is that Cmd_TokenizeString has special features for handling user configuration files, and user inputs. Best case scenario is that this is a harmless bug.
A couple features which should not be extended into the SERVERINFO processing include:
- Cvar string interpolation (`$`)
- Single line comments
- Escape characters `\0`
- Quoted strings
These are the bounties
```c
void FS_PureServerSetLoadedPaks(const char *pakSums, const char *pakNames)
{
    Cmd_TokenizeString(pakSums);
```

```c
void FS_PureServerSetReferencedPaks(const char *pakSums, const char *pakNames)
{
    Cmd_TokenizeString(pakSums);
```
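One way to split a server-supplied pak list without giving any of the characters listed above special meaning, as an added example that is not the project's code or part of the issue. The names `split_pak_list` and `pak_name_is_plain`, the size limits and the name allowlist are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAKS     64   /* assumed limits for this example */
#define MAX_PAK_NAME 128

/* Hypothetical helper: split on spaces only. '$', '"', '\\' and "//" are
 * ordinary bytes of a token. Returns the token count, or -1 if oversized. */
int split_pak_list(const char *list, char out[][MAX_PAK_NAME], int max_out)
{
    int count = 0;
    for (;;) {
        list += strspn(list, " ");            /* skip separators */
        size_t len = strcspn(list, " ");
        if (len == 0)
            return count;                     /* end of list */
        if (count >= max_out || len >= MAX_PAK_NAME)
            return -1;                        /* reject the whole list */
        memcpy(out[count], list, len);
        out[count++][len] = '\0';
        list += len;
    }
}

/* Assumed allowlist: letters, digits, '_', '-', '.', with single '/'
 * separators between non-empty components and no "..". */
int pak_name_is_plain(const char *s)
{
    if (!*s || strstr(s, ".."))
        return 0;
    for (const char *c = s; *c; c++) {
        if (*c == '/' && (c == s || c[1] == '/' || c[1] == '\0'))
            return 0;                         /* empty path component */
        if (*c != '/' && !isalnum((unsigned char)*c) && !strchr("_-.", *c))
            return 0;                         /* byte outside the allowlist */
    }
    return 1;
}

int main(void)
{
    /* Constructed input, not captured from a real server. */
    char paks[MAX_PAKS][MAX_PAK_NAME];
    int n = split_pak_list("baseq3/pak0 \"my pak\" // $fs_game", paks, MAX_PAKS);
    for (int i = 0; i < n; i++)
        printf("%-12s %s\n", paks[i], pak_name_is_plain(paks[i]) ? "ok" : "rejected");
    return 0;
}
```

The constructed input splits into five literal tokens, and only `baseq3/pak0` passes the allowlist; the quote, comment and `$` tokens are kept as plain bytes and rejected.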