Security fix for executing server-side commands via ban reasons.

2015-01-04 01:52:05 -07:00 · 2015-01-04 01:52:05 -07:00 · bb0c8a8bd6
commit bb0c8a8bd6
parent 27af3dce92
1 changed files with 3 additions and 0 deletions
--- a/lua/ulib/server/player.lua
+++ b/lua/ulib/server/player.lua
@ -188,6 +188,9 @@ function ULib.addBan( steamid, time, reason, name, admin )
 		end
 	end

+	-- Remove all semicolons from the reason to prevent command injection
+	showReason = string.gsub(showReason, ";", "")
+
 	-- This redundant kick code is to ensure they're kicked -- even if they're joining
 	game.ConsoleCommand( string.format( "kickid %s %s\n", steamid, showReason or "" ) )
 	game.ConsoleCommand( string.format( "banid %f %s kick\n", time, steamid ) )