BUG: Server specific commands registered when in client mode

Question

BUG: Server specific commands registered when in client mode

Closed this issue 4 months ago · 2 comments

SV_InitOperatorCommands registers all sorts of fun stuff that a random server may invoke via stufftext. This set of commands should likely only be registered when starting a local ezquake server, and some of them should perhaps be completely removed.

Answer 1 · 2024-03-02T15:50:04.000Z

Make sure you aren't using the -enablelocalcommand command, otherwise a malicious server can execute anything on the client computer:

https://github.com/QW-Group/ezquake-source/blob/master/src/sv_ccmds.c#L1856-L1857
https://github.com/QW-Group/ezquake-source/blob/master/src/sv_ccmds.c#L752

Answer 2 · 2024-03-05T07:01:22.000Z

Fixed with #903