From c23fe31b01226dd380a1273216ff42eb3f875e45 Mon Sep 17 00:00:00 2001
From: havoc <havoc@d7cf8633-e32d-0410-b094-e92efae38249>
Date: Sun, 11 Jun 2006 15:35:41 +0000
Subject: [PATCH] don't allow $ expansion or sendcvar on rcon_password (added
 CVAR_PRIVATE flag for this purpose)

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@6468 d7cf8633-e32d-0410-b094-e92efae38249
---
 cmd.c      | 3 ++-
 cvar.h     | 4 +++-
 host_cmd.c | 4 ++--
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/cmd.c b/cmd.c
index af439a66..f6741f36 100644
--- a/cmd.c
+++ b/cmd.c
@@ -552,7 +552,8 @@ static void Cmd_PreprocessString( const char *intext, char *outtext, unsigned ma
 				const char *tempin = in;
 
 				COM_ParseTokenConsole( &tempin );
-				if ((cvar = Cvar_FindVar(&com_token[0]))) {
+				// don't expand rcon_password or similar cvars (CVAR_PRIVATE flag)
+				if ((cvar = Cvar_FindVar(&com_token[0])) && !(cvar->flags & CVAR_PRIVATE)) {
 					const char *cvarcontent = cvar->string;
 					while( *cvarcontent && outlen < maxoutlen ) {
 						outtext[outlen++] = *cvarcontent++;
diff --git a/cvar.h b/cvar.h
index 49470bd9..86662092 100644
--- a/cvar.h
+++ b/cvar.h
@@ -63,8 +63,10 @@ interface from being ambiguous.
 #define CVAR_READONLY 4
 #define CVAR_SERVERINFO 8
 #define CVAR_USERINFO 16
+// CVAR_PRIVATE means do not $ expand or sendcvar this cvar under any circumstances (rcon_password uses this)
+#define CVAR_PRIVATE 32
 // used to determine if flags is valid
-#define CVAR_MAXFLAGSVAL 31
+#define CVAR_MAXFLAGSVAL 63
 // for internal use only!
 #define CVAR_DEFAULTSET (1<<30)
 #define CVAR_ALLOCATED (1<<31)
diff --git a/host_cmd.c b/host_cmd.c
index 24acdd6a..5f1569aa 100644
--- a/host_cmd.c
+++ b/host_cmd.c
@@ -23,7 +23,7 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 
 int current_skill;
 cvar_t sv_cheats = {0, "sv_cheats", "0", "enables cheat commands in any game, and cheat impulses in dpmod"};
-cvar_t rcon_password = {0, "rcon_password", "", "password to authenticate rcon commands"};
+cvar_t rcon_password = {CVAR_PRIVATE, "rcon_password", "", "password to authenticate rcon commands"};
 cvar_t rcon_address = {0, "rcon_address", "", "server address to send rcon commands to (when not connected to a server)"};
 cvar_t team = {CVAR_USERINFO | CVAR_SAVE, "team", "none", "QW team (4 character limit, example: blue)"};
 cvar_t skin = {CVAR_USERINFO | CVAR_SAVE, "skin", "", "QW player skin name (example: base)"};
@@ -1992,7 +1992,7 @@ void Host_SendCvar_f (void)
 
 	if(Cmd_Argc() != 2)
 		return;
-	if(!(c = Cvar_FindVar(Cmd_Argv(1))))
+	if(!(c = Cvar_FindVar(Cmd_Argv(1))) || (c->flags & CVAR_PRIVATE))
 		return;
 	if (cls.state != ca_dedicated)
 		Cmd_ForwardStringToServer(va("sentcvar %s %s\n", c->name, c->string));
-- 
2.39.2