Two routines in the Files processing code are using Cmd_TokenizeString to pick apart server info to build pack lists. The concern is that Cmd_TokenizeString has special features for handling user configuration files, and user inputs. Best case scenario is that this is a harmless bug.

A couple features which should not be extended into the SERVERINFO processing include:

• Cvar string interpolation ($)
• Single line comments
• Escape characters \0
• Quoted strings

These are the bounties

void FS_PureServerSetLoadedPaks(const char *pakSums, const char *pakNames)
{
    Cmd_TokenizeString(pakSums);

void FS_PureServerSetReferencedPaks(const char *pakSums, const char *pakNames)
{
    Cmd_TokenizeString(pakSums);