From 94d30b759dca4b5a4cc5c626746b3ab8fa7289c9 Mon Sep 17 00:00:00 2001
From: Kawe Mazidjatari <48657826+Mauler125@users.noreply.github.com>
Date: Sat, 8 Apr 2023 20:13:06 +0200
Subject: [PATCH] Fix potential security flaws caused by uncontrolled format strings Make sure format strings are string literals to avoid an uncontrolled format string situation.
---
 r5dev/engine/sys_utils.cpp | 4 ++--
 r5dev/networksystem/bansystem.cpp | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/r5dev/engine/sys_utils.cpp b/r5dev/engine/sys_utils.cpp
index ff03af6e..3da6ccfc 100644
--- a/r5dev/engine/sys_utils.cpp
+++ b/r5dev/engine/sys_utils.cpp
@@ -41,7 +41,7 @@ void _Error(char* fmt, ...)
 }/////////////////////////////
 Error(eDLL_T::ENGINE, NO_ERROR, "%s", buf);
- v_Error(buf);
+ v_Error("%s", buf);
 }
 //-----------------------------------------------------------------------------
@@ -68,7 +68,7 @@ void _Warning(int level, char* fmt, ...)
 Warning(eDLL_T::COMMON, "Warning(%d):%s", level, buf);
 }
- v_Warning(level, buf);
+ v_Warning(level, "%s", buf);
 }
 #ifndef DEDICATED
diff --git a/r5dev/networksystem/bansystem.cpp b/r5dev/networksystem/bansystem.cpp
index 3dfb056e..4bc7ee8f 100644
--- a/r5dev/networksystem/bansystem.cpp
+++ b/r5dev/networksystem/bansystem.cpp
@@ -227,7 +227,7 @@ void CBanSystem::BanListCheck(void)
 string svIpAddress = pNetChan->GetAddress();
 Warning(eDLL_T::SERVER, "Removing client '%s' from slot '%i' ('%llu' is banned from this server!)\n", svIpAddress.c_str(), c, pClient->GetNucleusID());
- pClient->Disconnect(Reputation_t::REP_MARK_BAD, m_vRefuseList[i].first.c_str());
+ pClient->Disconnect(Reputation_t::REP_MARK_BAD, "%s", m_vRefuseList[i].first.c_str());
 }
 }
 }
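Review bot: Nothing at the new `v_Error("%s", buf);` call stops a later cleanup from collapsing it back to `v_Error(buf)`, and the same holds for `v_Warning(level, "%s", buf)` in the second hunk and the `Disconnect(..., "%s", ...)` call in bansystem.cpp. I would put a one-line comment above each call, for example `// buf is already formatted: pass it as data, never as the format string`. If the declarations of `v_Error`, `v_Warning` and `Disconnect` (not visible in this diff) allow it, annotating their format parameter as printf-style would let the compiler warn on any non-literal format. `_Error` and `_Warning` still take a caller-supplied `char* fmt`, and their bodies begin outside these hunks, so this diff cannot confirm that `buf` is always built from a literal format.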