From 3c30d959dd5350bbbe3a255a17a59539c6562ccc Mon Sep 17 00:00:00 2001
From: Kawe Mazidjatari <48657826+Mauler125@users.noreply.github.com>
Date: Sun, 9 Feb 2025 02:07:19 +0100
Subject: [PATCH] Engine: fix uncontrolled format string vulnerability

This code is only ever used by the master server, but we should still avoid uncontrolled format strings from anything providing it remotely.
---
 src/engine/server/sv_main.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/engine/server/sv_main.cpp b/src/engine/server/sv_main.cpp
index a2ef8a60..1c158f7e 100644
--- a/src/engine/server/sv_main.cpp
+++ b/src/engine/server/sv_main.cpp
@@ -39,7 +39,7 @@ void SV_CheckForBanAndDisconnect(CClient* const pClient, const string& svIPAddr,
 				{
 					const int nUserID = pClient->GetUserID();
 
-					pClient->Disconnect(Reputation_t::REP_MARK_BAD, svError.c_str());
+					pClient->Disconnect(Reputation_t::REP_MARK_BAD, "%s", svError.c_str());
 					Warning(eDLL_T::SERVER, "Removed client '[%s]:%i' from slot #%i ('%llu' is banned globally!)\n",
 						svIPAddr.c_str(), nPort, nUserID, nNucleusID);
 				}