From c76752cc5f92bacdc19b09353f74f659f147d19e Mon Sep 17 00:00:00 2001
From: Alibek Omarov
Date: Sat, 1 Mar 2025 22:45:01 +0300
Subject: [PATCH] engine: server: validate uuid in protinfo, it's an md5 string
---
 engine/server/sv_client.c | 6 ------
 engine/server/sv_main.c | 36 +++++++++++++++++++++++++-----------
 2 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/engine/server/sv_client.c b/engine/server/sv_client.c
index d8bfc9b4d..81d7775ac 100644
--- a/engine/server/sv_client.c
+++ b/engine/server/sv_client.c
@@ -355,12 +355,6 @@ static void SV_ConnectClient( netadr_t from )
 if( !SV_ProcessUserAgent( from, protinfo ))
 return;
- if( Q_strlen( Info_ValueForKey( protinfo, "uuid" )) != 32 )
- {
- SV_RejectConnection( from, "invalid authentication certificate length\n" );
- return;
- }
-
 // extract qport from protocol info
 qport = Q_atoi( Info_ValueForKey( protinfo, "qport" ));
 extensions = Q_atoi( Info_ValueForKey( protinfo, "ext" ));
diff --git a/engine/server/sv_main.c b/engine/server/sv_main.c
index 7bcf10d91..fd090d3ff 100644
--- a/engine/server/sv_main.c
+++ b/engine/server/sv_main.c
@@ -763,6 +763,31 @@ qboolean SV_ProcessUserAgent( netadr_t from, const char *useragent )
 {
 const char *input_devices_str = Info_ValueForKey( useragent, "d" );
 const char *id = Info_ValueForKey( useragent, "uuid" );
+ size_t len, i;
+
+ len = Q_strlen( id );
+ if( len != 32 )
+ {
+ SV_RejectConnection( from, "invalid authentication certificate\n" );
+ return false;
+ }
+
+ for( i = 0; i < len; i++ )
+ {
+ char c = id[i];
+
+ if( !isdigit( id[i] ) && !( c >= 'a' && c <= 'f' ))
+ {
+ SV_RejectConnection( from, "invalid authentication certificate\n" );
+ return false;
+ }
+ }
+
+ if( SV_CheckID( id ))
+ {
+ SV_RejectConnection( from, "You are banned!\n" );
+ return false;
+ }
 if( !sv_allow_noinputdevices.value && ( !input_devices_str || !input_devices_str[0] ) )
 {
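Review bot: In the new character loop, `isdigit( id[i] )` is passed a plain `char` taken from the client-supplied `uuid` value; where `char` is signed, a byte of 0x80 or above becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions. The test is easier to reason about without the library call, e.g. `if( !( c >= '0' && c <= '9' ) && !( c >= 'a' && c <= 'f' ))`, or with a cast as `isdigit( (unsigned char)c )`. The length test also calls `Q_strlen( id )` without the `if( id )` guard that the removed ban check had, so it relies on `Info_ValueForKey` never returning NULL or on `Q_strlen` tolerating it, neither of which is visible here. A one-line comment such as `// uuid must be 32 lowercase hex characters (md5)` above the loop would record that uppercase digits are rejected on purpose. The body of SV_ProcessUserAgent continues past this hunk.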
@@ -796,17 +821,6 @@ qboolean SV_ProcessUserAgent( netadr_t from, const char *useragent )
 }
 }
- if( id )
- {
- qboolean banned = SV_CheckID( id );
-
- if( banned )
- {
- SV_RejectConnection( from, "You are banned!\n" );
- return false;
- }
- }
-
 return true;
 }