mirror of
https://github.com/octoleo/telegram-bot-bash.git
synced 2024-12-28 04:45:00 +00:00
do not move old logfiles anymore
parent
c6001c200e
commit
91419a2691
@ -340,7 +340,7 @@ It features background tasks and interactive chats, and can serve as an interfac
|
||||
<p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
|
||||
<p>Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a></p>
|
||||
<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition remove unused scripts and examples from your Bot, e.g. everything in <code>example/</code> and disable/remove all not needed bot commands.</p>
|
||||
<p>It's important to escape or remove <code>$</code> in input from user, files or network (<em>as bashbot does</em>) One of the powerful features of unix shells are variable and command substitution using <code>${}</code> and<code>$()</code>, this can lead to remove code execution (RCE) or information disclosing bugs if unescaped <code>$</code> is included in untrusted input, e.g. <code>$$</code> or <code>$(rm -rf /*)</code></p>
|
||||
<p>It's important to escape or remove <code>$</code> in input from user, files or network (<em>as bashbot does</em>) One of the powerful features of unix shells are variable and command substitution using <code>${}</code> and<code>$()</code>, this can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped <code>$</code> is included in untrusted input, e.g. <code>$$</code> or <code>$(rm -rf /*)</code></p>
|
||||
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensively in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
|
||||
<h3>Use printf whenever possible</h3>
|
||||
<p>If you're writing a script and it is taking external input (from the user as arguments or file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
|
||||
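Review bot: The changed `<p>` fixes "remove" to "remote" but leaves two other defects in the same sentence: there is no full stop after `(<em>as bashbot does</em>)` before "One of the powerful features", and `and<code>$()</code>` is missing a space after "and". The line is being rewritten anyway, so fix both here and in the matching README.md paragraph. "RID" is not a commonly used abbreviation; spelling out "information disclosure" without the acronym would read more clearly.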
@ -390,6 +390,6 @@ It features background tasks and interactive chats, and can serve as an interfac
|
||||
<p>@Gnadelwartz</p>
|
||||
<h2>That's it all guys!</h2>
|
||||
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
|
||||
<h4>$$VERSION$$ v1.21-dev-33-gd083390</h4>
|
||||
<h4>$$VERSION$$ v1.21-dev-34-ga5307e3</h4>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -185,8 +185,9 @@ It's important to escape or remove `$` in input from user, files or network
|
||||
(_as bashbot does_)
|
||||
One of the powerful features of unix shells are variable and command
|
||||
substitution using `${}` and`$()`,
|
||||
this can lead to remove code execution (RCE) or information disclosing bugs if
|
||||
unescaped `$` is included in untrusted input, e.g. `$$` or `$(rm -rf /*)`
|
||||
this can lead to remote code execution (RCE) or remote information disclosure
|
||||
(RID) bugs if unescaped `$` is included in untrusted input, e.g. `$$` or `$(rm
|
||||
-rf /*)`
|
||||
|
||||
A powerful tool to improve your scripts is `shellcheck`. You can [use it
|
||||
online](https://www.shellcheck.net/) or
|
||||
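Review bot: The re-wrapped added lines split the inline code span `$(rm -rf /*)` across two source lines, with "`$(rm" ending one line and "-rf /*)`" starting the next. It still renders, but the example can no longer be found with a single-line search and is hard to read in the raw file. Break the line before "e.g." so the whole span stays on one line. The unchanged context line "substitution using `${}` and`$()`," is also missing a space after "and" and could be fixed in the same change.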
@ -319,4 +320,4 @@ See `mycommnds.sh.dist` for an example.
|
||||
If you feel that there's something missing or if you found a bug, feel free to
|
||||
submit a pull request!
|
||||
|
||||
#### $$VERSION$$ v1.21-dev-33-gd083390
|
||||
#### $$VERSION$$ v1.21-dev-34-ga5307e3
|
||||
|
11
bashbot.sh
@ -26,7 +26,7 @@
|
||||
# 8 - curl/wget missing
|
||||
# 10 - not bash!
|
||||
#
|
||||
#### $$VERSION$$ v1.21-dev-27-gd0f8716
|
||||
#### $$VERSION$$ v1.21-dev-36-gc6001c2
|
||||
##################################################################
|
||||
# shellcheck disable=SC2140,SC2031,SC2120,SC1091,SC1117,SC2059
|
||||
|
||||
@ -1120,15 +1120,6 @@ bot_init() {
|
||||
[ -r "${addons}" ] && source "${addons}" "init" "${DEBUG}"
|
||||
done
|
||||
printf "Done.\n"
|
||||
if [[ ! -d "logs" ]]; then
|
||||
printf "Move Logfiles ...\n"
|
||||
mkdir logs 2>/dev/null
|
||||
for MVLOG in DEBUG.log MESSAGE.log ERROR.log BASHBOT.log
|
||||
do
|
||||
[ -f "${MVLOG}" ] && mv "${MVLOG}" logs 2>/dev/null
|
||||
done
|
||||
printf "Done.\n"
|
||||
fi
|
||||
# setup bashbot
|
||||
[[ "${UID}" -eq "0" ]] && RUNUSER="nobody"
|
||||
printf "Enter User to run bashbot [$RUNUSER]: "
|
||||
|
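Review bot: The block removed from bot_init() also contained `mkdir logs 2>/dev/null`, the only line in this hunk that creates the `logs` directory, so after this change init no longer guarantees that it exists. Confirm that it is created elsewhere before the first write, or keep the mkdir and drop only the `mv` loop. Installations that still have DEBUG.log, MESSAGE.log, ERROR.log or BASHBOT.log in the bot's root directory will now keep them there without any notice. That deserves a line in the upgrade notes, because old log files left outside logs/ are easy to miss when setting permissions or rotation.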
@ -7,7 +7,7 @@
|
||||
#
|
||||
# Options: --notest - skip tests
|
||||
#
|
||||
#### $$VERSION$$ v1.21-dev-35-g7ecb836
|
||||
#### $$VERSION$$ v1.21-dev-36-gc6001c2
|
||||
##############################################################
|
||||
|
||||
# magic to ensure that we're always inside the root of our application,
|
||||
|