Fixed security issues
Added a check in the send_file function to prevent a user from requesting any file on the server, and added a third-parameter check to send_message. If send_message is called with text as the third param, it will send the message given as is, without checking for keyboards, files etc. Before this change, one could simply send "myfilelocationstartshere $PWD/bashbot.sh" and get the whole bot with the token.
parent
652be0893f
commit
a7a495561e
16
bashbot.sh
16
bashbot.sh
|
@ -37,15 +37,15 @@ declare -A USER MESSAGE URLS CONTACT LOCATION
|
||||||
send_message() {
|
send_message() {
|
||||||
local chat="$1"
|
local chat="$1"
|
||||||
local text="$(echo "$2" | sed 's/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
local text="$(echo "$2" | sed 's/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||||
|
[ "$3" = "text" ] && {
|
||||||
|
local keyboard="$(echo "$2" | sed '/mykeyboardstartshere /!d;s/.*mykeyboardstartshere //g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||||
|
|
||||||
local keyboard="$(echo "$2" | sed '/mykeyboardstartshere /!d;s/.*mykeyboardstartshere //g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
local file="$(echo "$2" | sed '/myfilelocationstartshere /!d;s/.*myfilelocationstartshere //g;s/ mykeyboardstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||||
|
|
||||||
local file="$(echo "$2" | sed '/myfilelocationstartshere /!d;s/.*myfilelocationstartshere //g;s/ mykeyboardstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
|
local lat="$(echo "$2" | sed '/mylatstartshere /!d;s/.*mylatstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylongstartshere.*//g')"
|
||||||
|
|
||||||
local lat="$(echo "$2" | sed '/mylatstartshere /!d;s/.*mylatstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylongstartshere.*//g')"
|
|
||||||
|
|
||||||
local long="$(echo "$2" | sed '/mylongstartshere /!d;s/.*mylongstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g')"
|
|
||||||
|
|
||||||
|
local long="$(echo "$2" | sed '/mylongstartshere /!d;s/.*mylongstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g')"
|
||||||
|
}
|
||||||
if [ "$keyboard" != "" ]; then
|
if [ "$keyboard" != "" ]; then
|
||||||
send_keyboard "$chat" "$text" "$keyboard"
|
send_keyboard "$chat" "$text" "$keyboard"
|
||||||
local sent=y
|
local sent=y
|
||||||
|
@ -91,6 +91,7 @@ send_file() {
|
||||||
[ "$2" = "" ] && return
|
[ "$2" = "" ] && return
|
||||||
local chat_id=$1
|
local chat_id=$1
|
||||||
local file=$2
|
local file=$2
|
||||||
|
echo "$file" | grep -qE '/home/allowed/.*' || return
|
||||||
local ext="${file##*.}"
|
local ext="${file##*.}"
|
||||||
case $ext in
|
case $ext in
|
||||||
"mp3")
|
"mp3")
|
||||||
|
@ -231,7 +232,7 @@ Contribute to the project: https://github.com/topkecleon/telegram-bot-bash
|
||||||
'')
|
'')
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
send_message "${USER[ID]}" "$MESSAGE"
|
send_message "${USER[ID]}" "$MESSAGE" "text"
|
||||||
esac
|
esac
|
||||||
else
|
else
|
||||||
case $MESSAGE in
|
case $MESSAGE in
|
||||||
|
@ -265,4 +266,3 @@ while [ "$1" != "source" ]; do {
|
||||||
fi
|
fi
|
||||||
|
|
||||||
}; done
|
}; done
|
||||||
|
|
||||||
|
|
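Review bot: The allow-list check added to send_file, `echo "$file" | grep -qE '/home/allowed/.*' || return`, is an unanchored substring match on the raw string, so it accepts any path that merely contains `/home/allowed/` and takes no account of `..` components or symlinks. Resolve the path first and then compare the prefix, e.g. `file="$(realpath -e -- "$file")" || return` followed by `case "$file" in /home/allowed/*) ;; *) return ;; esac`. In the send_message hunk the guard reads `[ "$3" = "text" ] && {` around the keyboard/file/lat/long parsing, which as rendered runs the marker parsing exactly when the caller passes "text" (the call that echoes `$MESSAGE`), the opposite of what the description says. `[ "$3" != "text" ] && {` looks like what was intended and is worth confirming, because otherwise the path check in send_file is the only barrier for echoed user messages. Both function bodies continue outside the hunks shown.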