From 78f404d63112abc53eac617c3b7ace1dec050ab2 Mon Sep 17 00:00:00 2001
From: divverent
Date: Thu, 9 Apr 2009 07:59:14 +0000
Subject: [PATCH] clear the rcon password on "connect" command or QW-style reconnect, to prevent stuffcmd based vulnerabilities that could expose the rcon password

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@8888 d7cf8633-e32d-0410-b094-e92efae38249
---
 host_cmd.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/host_cmd.c b/host_cmd.c
index 76807ce6..6c051d9f 100644
--- a/host_cmd.c
+++ b/host_cmd.c
@@ -473,7 +473,11 @@ void Host_Reconnect_f (void)
 // will still contain its IP address, so get the address...
 InfoString_GetValue(cls.userinfo, "*ip", temp, sizeof(temp));
 if (temp[0])
+ {
+ // clear the rcon password, to prevent vulnerability by stuffcmd-ing a setinfo command to change *ip, then reconnect
+ Cvar_SetQuick(&rcon_password, "");
 CL_EstablishConnection(temp);
+ }
 else
 Con_Printf("Reconnect to what server? (you have not connected to a server yet)\n");
 return;
@@ -525,6 +529,8 @@ void Host_Connect_f (void)
 Con_Print("connect : connect to a multiplayer game\n");
 return;
 }
+ // clear the rcon password, to prevent vulnerability by stuffcmd-ing a connect command
+ Cvar_SetQuick(&rcon_password, "");
 CL_EstablishConnection(Cmd_Argv(1));
 }

-- 
2.39.2
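Review bot: In Host_Reconnect_f the connection target still comes from the `*ip` userinfo key, which the added comment itself says a stuffed `setinfo` can rewrite, so clearing `rcon_password` removes the secret but the client still connects to an address the user did not pick. If the setinfo handler (not visible in this diff) does not already refuse writes to star-prefixed keys, that is the place to stop it; alternatively the last server address could be kept in client state that no console command can set. The function starts and ends outside the hunk, so any other reconnect path in it cannot be checked from here.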
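Review bot: The clearing statement before `CL_EstablishConnection(Cmd_Argv(1))` in Host_Connect_f is a copy of the one added in Host_Reconnect_f, so any other caller of CL_EstablishConnection would still connect with the password set. Doing `Cvar_SetQuick(&rcon_password, "");` once at the top of CL_EstablishConnection would cover every path, provided no caller relies on the password surviving a connect; that function is not in this diff, so this needs checking. The comment could also state that a user-typed `connect` loses the password as well, e.g. `// also applies to a manual connect: rcon_password has to be set again afterwards`.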