Well put, neph. On Mon, Dec 7, 2009 at 6:29 PM, Nephyrin Zey <[email protected]> wrote:
> > > Engine: > > - Added checks to prevent transferring .smx, .gcf, and .sys files between > client/server > > - Fixed upload/download exploits with spaces in the file extension or a > path separator at the beginning of the requested file (as reported on the > HLDS mailing lists) > > > This is sad. You can still upload/download random files as long as their > extension isn't blacklisted? There's so many ways to cause problems with > this... even if you switch to an extension WHITELIST there'd still be > problems. Whose to say addons dont use other extensions to store > settings? Or bash/apache/other services dont read certain files? Is > .bashrc blocked? What if someone uses their home directory as the server > root? What if someone doesn't want script kiddies uploading > special_note_from_valve.readme to their server? > > Why not replace this interface with something that doesn't allow > arbitrary file uploads/downloads with something as laughable as a > extension blacklist making 'safe'. When someone finds yet another way to > abuse this (I can think of two separate ways to continue to use this > exploit for remote code execution) its going to come up again, years > after the issues with it was first noted... > > - Neph > > > On 12/07/2009 06:20 PM, Jason Ruymen wrote: > > Required updates for Team Fortress 2 and Day of Defeat: Source are now > available. Please run hldsupdatetool to receive the updates. The specific > changes include: > > > > Engine: > > - Added checks to prevent transferring .smx, .gcf, and .sys files between > client/server > > - Fixed upload/download exploits with spaces in the file extension or a > path separator at the beginning of the requested file (as reported on the > HLDS mailing lists) > > > > Team Fortress 2: > > - Fixed custom particle systems inside maps causing particles to break in > successive maps > > - Fixed a rare vphysics crash > > - Fixed background highlight for KOTH timers not being aligned properly > in minmode > > - Fixed the Heavy's fists being hidden while taunting > > - Fixed cloaked Spies having the critboost effect on their weapon > > - Fixed banned clients being able to spamming a server with the "joined" > chat text > > - Fixed seeing the wrong class counts if the game swapped teams while the > class menu was open > > - Fixed Spies being able to disguise while performing a taunt > > - Fixed having to press the voice menu key twice if the menu timed out > and closed itself last time it was open > > - Fixed the "Confirm Delete" dialog in the Items menu not handling the > key correctly > > - Fixed dispenser not healing players at the correct rate if it's > upgraded while the players are already touching the dispenser > > - Fixed exec'ing the .cfg file for a class change before the player has > actually changed class > > > > Jason > > > > > > _______________________________________________ > > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > > http://list.valvesoftware.com/mailman/listinfo/hlds > > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > http://list.valvesoftware.com/mailman/listinfo/hlds_linux > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux
