Invalid file extensions are now prevented in several commands.All custom resources downloaded from a server now have their file name's checked for safety before being allowed to download.Fixed client incorrectly blocking download of custom sprays.'cl_filterstuffcmd 1') will set a number of commands that are potentially abusable, such as 'say', 'fps_max', and 'setinfo', to also be only executable by privileged sources. Setting 'cl_filterstuffcmd' to a value greater than zero (e.g.Commands such as 'connect', 'bind', 'quit' and certain cvars such as 'cl_filterstuffcmd' are now only executable by trusted sources. Commands originating outside of the client are now only able to execute commands that are considered to be safe. Added privilege checking to command execution.This list covers the releases between March 20 and April 11 that are each part of a series of security updates.