diff --git a/README.html b/README.html index aeaad79..f5cd18f 100644 --- a/README.html +++ b/README.html @@ -341,7 +341,7 @@ It features background tasks and interactive chats, and can serve as an interfac

Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.

Bash scripts in general are not designed to be bulletproof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see Implications of wrong quoting.

Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible (e.g. set IFS appropriately, disable globbing with set -f and quote everything). In addition remove unused scripts and examples from your Bot (e.g. everything in example/) and disable/remove all unused bot commands.

-

It's important to escape or remove $ and \`` in input from user, files or network (_as bashbot does_). One of the powerful features of Unix shells is variable and command substitution using ${var}, $(cmd)and`cmd`can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped$or `is included in untrusted input (e.g.$$or$(rm -rf /*)`).

+

It's important to escape or remove $ and ` in input from user, files or network (as bashbot does). One of the powerful features of Unix shells is variable and command substitution using ${var}, $(cmd) and `cmd` can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped $ or ` is included in untrusted input (e.g. $$ or $(rm -rf /*)).

A powerful tool to improve your scripts is shellcheck. You can use it online or install shellcheck locally. Shellcheck is used extensively in bashbot development to ensure a high code quality (e.g. it's not allowed to push changes without passing all shellcheck tests). In addition bashbot has a test suite to check if important functionality is working as expected.

Use printf whenever possible

If you're writing a script that accepts external input (e.g. from the user as arguments or the file system), you shouldn't use echo to display it. Use printf whenever possible.

@@ -392,6 +392,6 @@ It features background tasks and interactive chats, and can serve as an interfac

@Gnadelwartz

That's it all guys!

If you feel that there's something missing or if you found a bug, feel free to submit a pull request!

-

$$VERSION$$ v1.45-dev-36-gf7897fd

+

$$VERSION$$ v1.45-dev-37-gfdbfceb

diff --git a/README.md b/README.md index 0201811..fc7cb94 100644 --- a/README.md +++ b/README.md @@ -146,9 +146,9 @@ Whenever you are processing input from untrusted sources (messages, files, netwo (e.g. set IFS appropriately, disable globbing with `set -f` and quote everything). In addition remove unused scripts and examples from your Bot (e.g. everything in `example/`) and disable/remove all unused bot commands. -It's important to escape or remove `$` and `\`` in input from user, files or network (_as bashbot does_). -One of the powerful features of Unix shells is variable and command substitution using `${var}`, `$(cmd)` and `\`cmd\`` can lead to remote -code execution (RCE) or remote information disclosure (RID) bugs if unescaped `$` or ` \`` is included in untrusted input (e.g. `$$` or `$(rm -rf /*)`). +It's important to escape or remove `$` and \` in input from user, files or network (_as bashbot does_). +One of the powerful features of Unix shells is variable and command substitution using `${var}`, `$(cmd)` and \`cmd\` can lead to remote +code execution (RCE) or remote information disclosure (RID) bugs if unescaped `$` or \` is included in untrusted input (e.g. `$$` or `$(rm -rf /*)`). A powerful tool to improve your scripts is `shellcheck`. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensively in bashbot development @@ -242,4 +242,4 @@ See `mycommnds.sh.dist` for an example. If you feel that there's something missing or if you found a bug, feel free to submit a pull request! -#### $$VERSION$$ v1.45-dev-36-gf7897fd +#### $$VERSION$$ v1.45-dev-37-gfdbfceb diff --git a/README.txt b/README.txt index f5744f2..54784c4 100644 --- a/README.txt +++ b/README.txt 
@@ -200,11 +200,11 @@ Whenever you are processing input from untrusted sources (messages, files, netwo must be as careful as possible (e.g. set IFS appropriately, disable globbing with set - f and quote everything). In addition remove unused scripts and examples from your Bot (e.g. everything in example/) and disable/remove all unused bot commands. -It's important to escape or remove $ and \`` in input from user, files or network (_as -bashbot does_). One of the powerful features of Unix shells is variable and command -substitution using${var},$(cmd)and`cmd`can lead to remote code execution (RCE) or remote -information disclosure (RID) bugs if unescaped$or `is included in untrusted input -(e.g.$$or$(rm -rf /*)`). +It's important to escape or remove $ and ` in input from user, files or network (as +bashbot does). One of the powerful features of Unix shells is variable and command +substitution using ${var}, $(cmd) and `cmd` can lead to remote code execution (RCE) or +remote information disclosure (RID) bugs if unescaped $ or ` is included in untrusted +input (e.g. $$ or $(rm -rf /*)). A powerful tool to improve your scripts is shellcheck. You can use it online [https:// www.shellcheck.net/] or install shellcheck locally [https://github.com/koalaman/ shellcheck#installing]. Shellcheck is used extensively in bashbot development to ensure a @@ -319,5 +319,5 @@ That's it all guys! If you feel that there's something missing or if you found a bug, feel free to submit a pull request! -$$VERSION$$ v1.45-dev-36-gf7897fd +$$VERSION$$ v1.45-dev-37-gfdbfceb
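Review bot: in the README.md hunk, moving the backtick out of the code span (\`cmd\`) removes the literal backslash that the old `\`cmd\`` form rendered, but it leaves `cmd` in plain text with escaped backticks while `${var}` and `$(cmd)` render as code, so the three substitution forms no longer look alike. A code span may be delimited by a run of two backticks and can then contain a single backtick, so writing the cmd example and the lone backtick inside double-backtick spans keeps all three in the same monospace style and avoids the escaping problem entirely.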
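Review bot: in the README.txt hunk the unchanged context line shows the globbing advice as "set - f", whereas README.md gives `set -f`; this looks like a line-wrap or conversion artifact in the generated text file, and a reader who copies it verbatim gets a usage error instead of disabled globbing. Since the security paragraph is being regenerated in this commit anyway, it is worth checking the text converter's wrapping so the recommended command survives intact. The `+` lines themselves match README.md.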