From 8ee430eda298f8ab3729f96e27cea5daedb19545 Mon Sep 17 00:00:00 2001
From: Alibek Omarov <a1ba.omarov@gmail.com>
Date: Fri, 31 May 2024 00:42:32 +0300
Subject: [PATCH] engine: common: double check that resource starting with !MD5
 doesn't have any extension

---
 engine/common/common.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/engine/common/common.c b/engine/common/common.c
index b97f4369..bf1441ab 100644
--- a/engine/common/common.c
+++ b/engine/common/common.c
@@ -900,7 +900,10 @@ qboolean COM_IsSafeFileToDownload( const char *filename )
 	if( !COM_CheckString( filename ))
 		return false;
 
-	if( !Q_strncmp( filename, "!MD5", 4 ))
+	ext = COM_FileExtension( lwrfilename );
+
+	// only allow extensionless files that start with !MD5
+	if( !Q_strncmp( filename, "!MD5", 4 ) && ext[0] == 0 )
 		return true;
 
 	Q_strnlwr( filename, lwrfilename, sizeof( lwrfilename ));
@@ -923,8 +926,6 @@ qboolean COM_IsSafeFileToDownload( const char *filename )
 	if( Q_strlen( first ) != 4 )
 		return false;
 
-	ext = COM_FileExtension( lwrfilename );
-
 	for( i = 0; i < ARRAYSIZE( file_exts ); i++ )
 	{
 		if( !Q_stricmp( ext, file_exts[i] ))