mirror of
https://github.com/octoleo/telegram-bot-bash.git
synced 2024-12-28 04:45:00 +00:00
Fixed security issues
Added check in send_file function to prevent user from requesting any file on the server and added a third parameter check to send_message. If send_message is called with text as third param it will send the message given as is, without checking for keyboards, files etc... One could simply do a myfilelocationstartshere $PWD/bashbot.sh and get the whole bot with the token.
This commit is contained in:
parent
652be0893f
commit
a7a495561e
16
bashbot.sh
16
bashbot.sh
@ -37,15 +37,15 @@ declare -A USER MESSAGE URLS CONTACT LOCATION
|
||||
send_message() {
|
||||
local chat="$1"
|
||||
local text="$(echo "$2" | sed 's/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||
[ "$3" = "text" ] && {
|
||||
local keyboard="$(echo "$2" | sed '/mykeyboardstartshere /!d;s/.*mykeyboardstartshere //g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||
|
||||
local keyboard="$(echo "$2" | sed '/mykeyboardstartshere /!d;s/.*mykeyboardstartshere //g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||
local file="$(echo "$2" | sed '/myfilelocationstartshere /!d;s/.*myfilelocationstartshere //g;s/ mykeyboardstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||
|
||||
local file="$(echo "$2" | sed '/myfilelocationstartshere /!d;s/.*myfilelocationstartshere //g;s/ mykeyboardstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||
|
||||
local lat="$(echo "$2" | sed '/mylatstartshere /!d;s/.*mylatstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||
|
||||
local long="$(echo "$2" | sed '/mylongstartshere /!d;s/.*mylongstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g')"
|
||||
local lat="$(echo "$2" | sed '/mylatstartshere /!d;s/.*mylatstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||
|
||||
local long="$(echo "$2" | sed '/mylongstartshere /!d;s/.*mylongstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g')"
|
||||
}
|
||||
if [ "$keyboard" != "" ]; then
|
||||
send_keyboard "$chat" "$text" "$keyboard"
|
||||
local sent=y
|
||||
@ -91,6 +91,7 @@ send_file() {
|
||||
[ "$2" = "" ] && return
|
||||
local chat_id=$1
|
||||
local file=$2
|
||||
echo "$file" | grep -qE '/home/allowed/.*' || return
|
||||
local ext="${file##*.}"
|
||||
case $ext in
|
||||
"mp3")
|
||||
@ -231,7 +232,7 @@ Contribute to the project: https://github.com/topkecleon/telegram-bot-bash
|
||||
'')
|
||||
;;
|
||||
*)
|
||||
send_message "${USER[ID]}" "$MESSAGE"
|
||||
send_message "${USER[ID]}" "$MESSAGE" "text"
|
||||
esac
|
||||
else
|
||||
case $MESSAGE in
|
||||
@ -265,4 +266,3 @@ while [ "$1" != "source" ]; do {
|
||||
fi
|
||||
|
||||
}; done
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user