[Rseding91] [1.0.0] game.server_save can write to paths outside the save directory
Posted: Mon Aug 31, 2020 11:20 am
`game.server_save` will happily accept full paths to write to, not simply filenames. It works with both absolute (e.g. /tmp/save, C:\save) and relative paths that lead outside the save directory (e.g. ../save). The save process automatically appends .zip to the final path, limiting its potential impact, but maliciously-crafted mods could still abuse it to nuke arbitrary .zip files on computers hosting multiplayer games.