Some engine commands allow writing to arbitrary files in the data directory
MrBougo created issue xonotic-data.pk3dir#1270 (closed) on 2012-07-31T16:27:36Z:
Some commands can write to arbitrary filenames, making it straightforward to “break” the game clientside by writing anything in the right place.
Here are the commands that do not enforce an extension in the files they write to: * condump * record * save * saveconfig
As for cvars: * log_file * cl_iplog_name
Related issue: even if it enforced a .cfg extension, saveconfig could overwrite autoexec.cfg, which makes it abusable by malicious server admins or QC modders (or mappers?)