Prerequisites
Game Version
Bug Description
The current game lacks file extension validation during map transfers. An attacker could potentially transfer files with arbitrary extensions, bypassing OS-level security controls or enabling further exploitation.
Issue #272 identified security vulnerabilities in map file transfers. PR #1058 addressed path traversal, but additional security improvements can be made by validating file extensions (.map, .ini, .str, .wak) during the transfer process.
Reproduction Steps
- Initiate a map transfer in multiplayer
- Observe that files with arbitrary extensions could potentially be transferred
- No validation is performed on the file extension before transfer
Additional Context
This is a security enhancement related to the map transfer system. While path traversal was addressed in PR #1058, adding file extension validation would provide an additional layer of security by ensuring only legitimate map-related files (.map, .ini, .str, .wak) can be transferred between clients.
Prerequisites
Game Version
Bug Description
The current game lacks file extension validation during map transfers. An attacker could potentially transfer files with arbitrary extensions, bypassing OS-level security controls or enabling further exploitation.
Issue #272 identified security vulnerabilities in map file transfers. PR #1058 addressed path traversal, but additional security improvements can be made by validating file extensions (.map, .ini, .str, .wak) during the transfer process.
Reproduction Steps
Additional Context
This is a security enhancement related to the map transfer system. While path traversal was addressed in PR #1058, adding file extension validation would provide an additional layer of security by ensuring only legitimate map-related files (.map, .ini, .str, .wak) can be transferred between clients.