mirror of
https://github.com/octoleo/telegram-bot-bash.git
synced 2024-11-25 00:37:34 +00:00
doc: fix backticks
This commit is contained in:
parent
fdbfcebc7c
commit
882efa8f1a
@ -341,7 +341,7 @@ It features background tasks and interactive chats, and can serve as an interfac
|
|||||||
<p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
|
<p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
|
||||||
<p>Bash scripts in general are not designed to be bulletproof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a>.</p>
|
<p>Bash scripts in general are not designed to be bulletproof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a>.</p>
|
||||||
<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible (e.g. set IFS appropriately, disable globbing with <code>set -f</code> and quote everything). In addition remove unused scripts and examples from your Bot (e.g. everything in <code>example/</code>) and disable/remove all unused bot commands.</p>
|
<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible (e.g. set IFS appropriately, disable globbing with <code>set -f</code> and quote everything). In addition remove unused scripts and examples from your Bot (e.g. everything in <code>example/</code>) and disable/remove all unused bot commands.</p>
|
||||||
<p>It's important to escape or remove <code>$</code> and <code>\`` in input from user, files or network (_as bashbot does_). One of the powerful features of Unix shells is variable and command substitution using </code>${var}<code>, </code>$(cmd)<code>and</code>`cmd`<code>can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped</code>$<code>or</code> `<code>is included in untrusted input (e.g.</code>$$<code>or</code>$(rm -rf /*)`).</p>
|
<p>It's important to escape or remove <code>$</code> and ` in input from user, files or network (<em>as bashbot does</em>). One of the powerful features of Unix shells is variable and command substitution using <code>${var}</code>, <code>$(cmd)</code> and `cmd` can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped <code>$</code> or ` is included in untrusted input (e.g. <code>$$</code> or <code>$(rm -rf /*)</code>).</p>
|
||||||
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensively in bashbot development to ensure a high code quality (e.g. it's not allowed to push changes without passing all shellcheck tests). In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
|
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensively in bashbot development to ensure a high code quality (e.g. it's not allowed to push changes without passing all shellcheck tests). In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
|
||||||
<h3>Use printf whenever possible</h3>
|
<h3>Use printf whenever possible</h3>
|
||||||
<p>If you're writing a script that accepts external input (e.g. from the user as arguments or the file system), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a>.</p>
|
<p>If you're writing a script that accepts external input (e.g. from the user as arguments or the file system), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a>.</p>
|
||||||
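Review bot: the old README.html line had inverted `<code>` nesting (the stray `\`` inside a code element closed the span early, so `${var}`, `$(cmd)` and the RCE sentence ended up outside `<code>` while the prose between them was inside); the new line repairs that, but the two backtick forms (the lone backtick and `cmd` in backticks) are now bare text while `${var}`, `$(cmd)`, `$$` and `$(rm -rf /*)` are in `<code>`. For a consistent rendering wrap those too, e.g. `<code>`cmd`</code>`, and since README.html is evidently generated from README.md (same change in the README.md hunk below), make the fix in the Markdown source and regenerate rather than hand-editing the HTML. Minor, in the unchanged context: "what's send to your Bot" should read "what's sent to your Bot".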
@ -392,6 +392,6 @@ It features background tasks and interactive chats, and can serve as an interfac
|
|||||||
<p>@Gnadelwartz</p>
|
<p>@Gnadelwartz</p>
|
||||||
<h2>That's it all guys!</h2>
|
<h2>That's it all guys!</h2>
|
||||||
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
|
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
|
||||||
<h4>$$VERSION$$ v1.45-dev-36-gf7897fd</h4>
|
<h4>$$VERSION$$ v1.45-dev-37-gfdbfceb</h4>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
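Review bot: this hunk only bumps the generated `$$VERSION$$` line (git describe output) from v1.45-dev-36-gf7897fd to v1.45-dev-37-gfdbfceb, matching the parent commit fdbfcebc7c, and is unrelated to the backtick fix named in the commit message. Consider keeping generated version strings out of a `doc:` commit, or regenerating them in a separate commit, so the diff shows only the intended change; the same bump is repeated below in README.md and README.txt.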
@ -146,9 +146,9 @@ Whenever you are processing input from untrusted sources (messages, files, netwo
|
|||||||
(e.g. set IFS appropriately, disable globbing with `set -f` and quote everything). In addition remove unused scripts and examples
|
(e.g. set IFS appropriately, disable globbing with `set -f` and quote everything). In addition remove unused scripts and examples
|
||||||
from your Bot (e.g. everything in `example/`) and disable/remove all unused bot commands.
|
from your Bot (e.g. everything in `example/`) and disable/remove all unused bot commands.
|
||||||
|
|
||||||
It's important to escape or remove `$` and `\`` in input from user, files or network (_as bashbot does_).
|
It's important to escape or remove `$` and \` in input from user, files or network (_as bashbot does_).
|
||||||
One of the powerful features of Unix shells is variable and command substitution using `${var}`, `$(cmd)` and `\`cmd\`` can lead to remote
|
One of the powerful features of Unix shells is variable and command substitution using `${var}`, `$(cmd)` and \`cmd\` can lead to remote
|
||||||
code execution (RCE) or remote information disclosure (RID) bugs if unescaped `$` or ` \`` is included in untrusted input (e.g. `$$` or `$(rm -rf /*)`).
|
code execution (RCE) or remote information disclosure (RID) bugs if unescaped `$` or \` is included in untrusted input (e.g. `$$` or `$(rm -rf /*)`).
|
||||||
|
|
||||||
A powerful tool to improve your scripts is `shellcheck`. You can [use it online](https://www.shellcheck.net/) or
|
A powerful tool to improve your scripts is `shellcheck`. You can [use it online](https://www.shellcheck.net/) or
|
||||||
[install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensively in bashbot development
|
[install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensively in bashbot development
|
||||||
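Review bot: backslash escapes are not processed inside Markdown code spans, so the old `` `\`` `` and `` `\`cmd\`` `` could never render as intended; the new text moves the backticks out of any code span as `\``, which renders a literal backtick but loses the code formatting that `${var}` and `$(cmd)` keep in the same sentence. The CommonMark way to put a backtick inside a code span is a longer delimiter with padding spaces, i.e. ``` `` ` `` ``` for the lone backtick and ``` `` `cmd` `` ``` for the command form, which renders all three substitution forms alike and would carry through to the generated README.html and README.txt. Also, "substitution using `${var}`, `$(cmd)` and `cmd` can lead to remote code execution" is a run-on; end the sentence after the list of forms and start a new one with "Unescaped `$` or a backtick in untrusted input can lead to ...".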
@ -242,4 +242,4 @@ See `mycommnds.sh.dist` for an example.
|
|||||||
|
|
||||||
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
|
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
|
||||||
|
|
||||||
#### $$VERSION$$ v1.45-dev-36-gf7897fd
|
#### $$VERSION$$ v1.45-dev-37-gfdbfceb
|
||||||
|
12
README.txt
12
README.txt
@ -200,11 +200,11 @@ Whenever you are processing input from untrusted sources (messages, files, netwo
|
|||||||
must be as careful as possible (e.g. set IFS appropriately, disable globbing with set -
|
must be as careful as possible (e.g. set IFS appropriately, disable globbing with set -
|
||||||
f and quote everything). In addition remove unused scripts and examples from your Bot
|
f and quote everything). In addition remove unused scripts and examples from your Bot
|
||||||
(e.g. everything in example/) and disable/remove all unused bot commands.
|
(e.g. everything in example/) and disable/remove all unused bot commands.
|
||||||
It's important to escape or remove $ and \`` in input from user, files or network (_as
|
It's important to escape or remove $ and ` in input from user, files or network (as
|
||||||
bashbot does_). One of the powerful features of Unix shells is variable and command
|
bashbot does). One of the powerful features of Unix shells is variable and command
|
||||||
substitution using${var},$(cmd)and`cmd`can lead to remote code execution (RCE) or remote
|
substitution using ${var}, $(cmd) and `cmd` can lead to remote code execution (RCE) or
|
||||||
information disclosure (RID) bugs if unescaped$or `is included in untrusted input
|
remote information disclosure (RID) bugs if unescaped $ or ` is included in untrusted
|
||||||
(e.g.$$or$(rm -rf /*)`).
|
input (e.g. $$ or $(rm -rf /*)).
|
||||||
A powerful tool to improve your scripts is shellcheck. You can use it online [https://
|
A powerful tool to improve your scripts is shellcheck. You can use it online [https://
|
||||||
www.shellcheck.net/] or install shellcheck locally [https://github.com/koalaman/
|
www.shellcheck.net/] or install shellcheck locally [https://github.com/koalaman/
|
||||||
shellcheck#installing]. Shellcheck is used extensively in bashbot development to ensure a
|
shellcheck#installing]. Shellcheck is used extensively in bashbot development to ensure a
|
||||||
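Review bot: the old lines (`using${var},$(cmd)and`cmd`can`, `unescaped$or `is`) are code spans stripped without surrounding spaces, and the new lines also reflow the paragraph ("remote" moves to the next line), so README.txt is clearly a converted copy of README.md rather than a hand-maintained file; the spacing fix should then come from the Markdown source and the converter, not from editing this output. In the plain-text rendering nothing distinguishes `$`, the backtick or `$(rm -rf /*)` from prose, so consider quoting them (for example '$' and '`') in this file to keep the example readable.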
@ -319,5 +319,5 @@ That's it all guys!
|
|||||||
If you feel that there's something missing or if you found a bug, feel free to submit a
|
If you feel that there's something missing or if you found a bug, feel free to submit a
|
||||||
pull request!
|
pull request!
|
||||||
|
|
||||||
$$VERSION$$ v1.45-dev-36-gf7897fd
|
$$VERSION$$ v1.45-dev-37-gfdbfceb
|
||||||
|
|
||||||
|