From a402b3ccebbd85fe523774dad4864c71b3e87c6f Mon Sep 17 00:00:00 2001
From: Boink <40929320+b0ink@users.noreply.github.com>
Date: Thu, 28 Sep 2023 00:51:07 +1000
Subject: [PATCH] Prevent commands from being run on the client with sm_play (#1832)

* Prevent command injection

* Empty to commit to try to kick CI.

* Improve filename sanitisation

---------

Co-authored-by: Fyren
---
 plugins/sounds.sp | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)

diff --git a/plugins/sounds.sp b/plugins/sounds.sp
index a815eed22..557dcfd35 100644
--- a/plugins/sounds.sp
+++ b/plugins/sounds.sp
@@ -67,23 +67,27 @@ public Action Command_Play(int client, int args)
 	char Arg[65];
 	int len = BreakString(Arguments, Arg, sizeof(Arg));
 
-	/* Make sure it does not go out of bound by doing "sm_play user "*/
+	/* Make sure it does not go out of bound by doing "sm_play user " */
 	if (len == -1)
 	{
 		ReplyToCommand(client, "[SM] Usage: sm_play <#userid|name> ");
 		return Plugin_Handled;
 	}
 
-	/* Incase they put quotes and white spaces after the quotes */
-	if (Arguments[len] == '"')
-	{
-		len++;
-		int FileLen = TrimString(Arguments[len]) + len;
+	char SoundPath[PLATFORM_MAX_PATH];
+	BreakString(Arguments[len], SoundPath, sizeof(SoundPath));
+
+	/* Remove all double and single quotes out of the path */
+	ReplaceString(SoundPath, sizeof(SoundPath), "\"", "");
+	ReplaceString(SoundPath, sizeof(SoundPath), "'", "");
 
-		if (Arguments[FileLen - 1] == '"')
-		{
-			Arguments[FileLen - 1] = '\0';
-		}
+	TrimString(SoundPath);
+
+	/* Block any attempts of chaining console commands on */
+	if(StrContains(SoundPath, ";") != -1)
+	{
+		ReplyToCommand(client, "[SM] Invalid filename");
+		return Plugin_Handled;
 	}
 
 	char target_name[MAX_TARGET_LENGTH];
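Review bot: The new check at the end of the hunk is a denylist keyed on `;` alone, while the console parser that executes `playgamesound` on the receiving client also treats a newline as a command separator, so a path containing `\n` or `\r` would pass this check unless the engine already guarantees such characters cannot reach `Arguments` (worth confirming before relying on it). A positive check that accepts only the characters a sound path legitimately needs (alphanumerics, `/`, `_`, `-`, `.`) and rejects everything else, including the empty path that currently still reaches `playgamesound ""`, is more robust than stripping quotes and blocking one separator, and the quote-stripping `ReplaceString` calls can then stay or go as a convenience for pasted paths. The comment above the check is cut off mid-sentence (`Block any attempts of chaining console commands on`); `/* Reject anything that is not a plain path character so no further console commands can be chained onto playgamesound */` states what the branch guards against. `if(StrContains` also drops the space the rest of the function uses (`if (len == -1)`). Command_Play begins and ends outside this hunk.
```sourcepawn
	TrimString(SoundPath);

	/* Accept only plain path characters; anything else (quotes, ';', newlines,
	   an empty path) is rejected rather than stripped, so nothing can be chained
	   onto the playgamesound command sent to the client */
	bool valid = (SoundPath[0] != '\0');
	for (int i = 0; valid && SoundPath[i] != '\0'; i++)
	{
		int c = SoundPath[i];
		valid = IsCharAlpha(c) || IsCharNumeric(c) || c == '/' || c == '_' || c == '-' || c == '.';
	}

	if (!valid)
	{
		ReplyToCommand(client, "[SM] Invalid filename");
		return Plugin_Handled;
	}
	// … unchanged: target resolution …
```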
@@ -106,8 +110,8 @@ public Action Command_Play(int client, int args)
 
 	for (int i = 0; i < target_count; i++)
 	{
-		ClientCommand(target_list[i], "playgamesound \"%s\"", Arguments[len]);
-		LogAction(client, target_list[i], "\"%L\" played sound on \"%L\" (file \"%s\")", client, target_list[i], Arguments[len]);
+		ClientCommand(target_list[i], "playgamesound \"%s\"", SoundPath);
+		LogAction(client, target_list[i], "\"%L\" played sound on \"%L\" (file \"%s\")", client, target_list[i], SoundPath);
 	}
 
 	if (tn_is_ml)
@@ -120,4 +124,4 @@ public Action Command_Play(int client, int args)
 	}
 
 	return Plugin_Handled;
-}
+}
\ No newline at end of file