modules: factor out checkUploadFile
parent
785e769460
commit
b1f6a0b230
32
bashbot.sh
32
bashbot.sh
|
@ -30,7 +30,7 @@ BOTCOMMANDS="-h help init start stop status suspendback resumeback killb
|
||||||
# 8 - curl/wget missing
|
# 8 - curl/wget missing
|
||||||
# 10 - not bash!
|
# 10 - not bash!
|
||||||
#
|
#
|
||||||
#### $$VERSION$$ v1.45-dev-15-gd3a1cec
|
#### $$VERSION$$ v1.45-dev-24-g785e769
|
||||||
##################################################################
|
##################################################################
|
||||||
|
|
||||||
# are we running in a terminal?
|
# are we running in a terminal?
|
||||||
|
@ -509,6 +509,36 @@ sendJson(){
|
||||||
[ -n "${BASHBOT_EVENT_SEND[*]}" ] && event_send "send" "${@}" &
|
[ -n "${BASHBOT_EVENT_SEND[*]}" ] && event_send "send" "${@}" &
|
||||||
}
|
}
|
||||||
|
|
||||||
|
UPLOADDIR="${BASHBOT_UPLOAD:-${DATADIR}/upload}"
|
||||||
|
|
||||||
|
# $1 chat $2 file, $3 calling function
|
||||||
|
# return final file name or empty string on error
|
||||||
|
checkUploadFile() {
|
||||||
|
local err file="$2"
|
||||||
|
[[ "${file}" = *'..'* || "${file}" = '.'* ]] && err=1 # no directory traversal
|
||||||
|
if [[ "${file}" = '/'* ]] ; then
|
||||||
|
[[ ! "${file}" =~ ${FILE_REGEX} ]] && err=2 # absolute must match REGEX
|
||||||
|
else
|
||||||
|
file="${UPLOADDIR:-NOUPLOADDIR}/${file}" # others must be in UPLOADDIR
|
||||||
|
fi
|
||||||
|
[ ! -r "${file}" ] && err=3 # and file must exits of course
|
||||||
|
# file path error, generate error response
|
||||||
|
if [ -n "${err}" ]; then
|
||||||
|
BOTSENT=(); BOTSENT[OK]="false"
|
||||||
|
case "${err}" in
|
||||||
|
1) BOTSENT[ERROR]="Path to file $2 contains to much '../' or starts with '.'";;
|
||||||
|
2) BOTSENT[ERROR]="Path to file $2 does not match regex: ${FILE_REGEX} ";;
|
||||||
|
3) if [[ "$2" == "/"* ]];then
|
||||||
|
BOTSENT[ERROR]="File not found: $2"
|
||||||
|
else
|
||||||
|
BOTSENT[ERROR]="File not found: ${UPLOADDIR}/$2"
|
||||||
|
fi;;
|
||||||
|
esac
|
||||||
|
[ -n "${BASHBOTDEBUG}" ] && log_debug "$3: CHAT=$1 FILE=$2 MSG=${BOTSENT[DESCRIPTION]}"
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# curl / wget specific functions
|
# curl / wget specific functions
|
||||||
|
|
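Review bot: checkUploadFile never writes the validated path to stdout, although its header comment promises to "return final file name or empty string on error" and both callers capture the result with `$( )`. As shown, the success path falls off the end of the function after the closing `fi`, so `file` in set_chat_photo and send_file would always be empty and every local upload would return 1. Add `printf '%s\n' "${file}"` as the last line before the closing brace. Separately, the debug line logs `${BOTSENT[DESCRIPTION]}` while the case arms fill `BOTSENT[ERROR]`, so the logged MSG is probably empty; `MSG=${BOTSENT[ERROR]}` looks like what was intended.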
|
@ -5,7 +5,7 @@
|
||||||
# This file is public domain in the USA and all free countries.
|
# This file is public domain in the USA and all free countries.
|
||||||
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
|
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
|
||||||
#
|
#
|
||||||
#### $$VERSION$$ v1.45-dev-23-g805a74e
|
#### $$VERSION$$ v1.45-dev-24-g785e769
|
||||||
|
|
||||||
# will be automatically sourced from bashbot
|
# will be automatically sourced from bashbot
|
||||||
|
|
||||||
|
@ -32,30 +32,8 @@ set_chat_description() {
|
||||||
|
|
||||||
# $1 chat $2 file
|
# $1 chat $2 file
|
||||||
set_chat_photo() {
|
set_chat_photo() {
|
||||||
local file=$2
|
local file; file="$(checkUploadFile "$1" "$2" "set_chat_photo")"
|
||||||
#XXX factor out to checkFileLocation ??
|
[ -z "${file}" ] && return 1
|
||||||
[[ "${file}" = *'..'* || "${file}" = '.'* ]] && err=1 # no directory traversal
|
|
||||||
if [[ "${file}" = '/'* ]] ; then
|
|
||||||
[[ ! "${file}" =~ ${FILE_REGEX} ]] && err=2 # absolute must match REGEX
|
|
||||||
else
|
|
||||||
file="${UPLOADDIR:-NOUPLOADDIR}/${file}" # others must be in UPLOADDIR
|
|
||||||
fi
|
|
||||||
[ ! -r "${file}" ] && err=3 # and file must exits of course
|
|
||||||
# file path error, generate error response
|
|
||||||
if [ -n "${err}" ]; then
|
|
||||||
BOTSENT=(); BOTSENT[OK]="false"
|
|
||||||
case "${err}" in
|
|
||||||
1) BOTSENT[ERROR]="Path to file $2 contains to much '../' or starts with '.'";;
|
|
||||||
2) BOTSENT[ERROR]="Path to file $2 does not match regex: ${FILE_REGEX} ";;
|
|
||||||
3) if [[ "$2" == "/"* ]];then
|
|
||||||
BOTSENT[ERROR]="File not found: $2"
|
|
||||||
else
|
|
||||||
BOTSENT[ERROR]="File not found: ${UPLOADDIR}/$2"
|
|
||||||
fi;;
|
|
||||||
esac
|
|
||||||
[ -n "${BASHBOTDEBUG}" ] && log_debug "set_chat_photo: CHAT=$1 FILE=$2 MSG=${BOTSENT[DESCRIPTION]}"
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
sendUpload "$1" "photo" "${file}" "${URL}/setChatPhoto"
|
sendUpload "$1" "photo" "${file}" "${URL}/setChatPhoto"
|
||||||
}
|
}
|
||||||
# $1 chat
|
# $1 chat
|
||||||
|
|
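Review bot: Calling checkUploadFile inside `$( )` runs it in a subshell, so the `BOTSENT[OK]="false"` and `BOTSENT[ERROR]` it sets are discarded before set_chat_photo reaches `[ -z "${file}" ] && return 1`. The removed inline code set BOTSENT in the caller's own shell, so code that inspects BOTSENT after a rejected path now sees nothing, or a stale value from an earlier call. The same applies to the send_file call site. One option is to call the helper directly, `checkUploadFile "$1" "$2" "set_chat_photo" || return 1`, and have it store the final path in a variable the caller reads afterwards (for example `file="${UPLOADFILE}"`, name is only a suggestion) instead of printing it.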
|
@ -6,7 +6,7 @@
|
||||||
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
|
# Elsewhere, consider it to be WTFPLv2. (wtfpl.net/txt/copying)
|
||||||
#
|
#
|
||||||
# shellcheck disable=SC1117
|
# shellcheck disable=SC1117
|
||||||
#### $$VERSION$$ v1.45-dev-23-g805a74e
|
#### $$VERSION$$ v1.45-dev-24-g785e769
|
||||||
|
|
||||||
# will be automatically sourced from bashbot
|
# will be automatically sourced from bashbot
|
||||||
|
|
||||||
|
@ -262,12 +262,10 @@ else
|
||||||
}
|
}
|
||||||
fi
|
fi
|
||||||
|
|
||||||
UPLOADDIR="${BASHBOT_UPLOAD:-${DATADIR}/upload}"
|
|
||||||
|
|
||||||
# supports local file, URL and file_id
|
# supports local file, URL and file_id
|
||||||
# $1 chat, $2 file https::// file_id:// , $3 caption, $4 extension (optional)
|
# $1 chat, $2 file https::// file_id:// , $3 caption, $4 extension (optional)
|
||||||
send_file(){
|
send_file(){
|
||||||
local url what num stat err media capt file="$2" ext="$4"
|
local url what num stat media capt file="$2" ext="$4"
|
||||||
capt="$(JsonEscape "$3")"
|
capt="$(JsonEscape "$3")"
|
||||||
if [[ "${file}" =~ ^https*:// ]]; then
|
if [[ "${file}" =~ ^https*:// ]]; then
|
||||||
media="URL"
|
media="URL"
|
||||||
|
@ -277,29 +275,8 @@ send_file(){
|
||||||
else
|
else
|
||||||
# we have a file, check file location ...
|
# we have a file, check file location ...
|
||||||
media="FILE"
|
media="FILE"
|
||||||
#XXX factor out to checkFileLocation ??
|
file="$(checkUploadFile "$1" "$2" "send_file")"
|
||||||
[[ "${file}" = *'..'* || "${file}" = '.'* ]] && err=1 # no directory traversal
|
[ -z "${file}" ] && return 1
|
||||||
if [[ "${file}" = '/'* ]] ; then
|
|
||||||
[[ ! "${file}" =~ ${FILE_REGEX} ]] && err=2 # absolute must match REGEX
|
|
||||||
else
|
|
||||||
file="${UPLOADDIR:-NOUPLOADDIR}/${file}" # others must be in UPLOADDIR
|
|
||||||
fi
|
|
||||||
[ ! -r "${file}" ] && err=3 # and file must exits of course
|
|
||||||
# file path error, generate error response
|
|
||||||
if [ -n "${err}" ]; then
|
|
||||||
BOTSENT=(); BOTSENT[OK]="false"
|
|
||||||
case "${err}" in
|
|
||||||
1) BOTSENT[ERROR]="Path to file $2 contains to much '../' or starts with '.'";;
|
|
||||||
2) BOTSENT[ERROR]="Path to file $2 does not match regex: ${FILE_REGEX} ";;
|
|
||||||
3) if [[ "$2" == "/"* ]];then
|
|
||||||
BOTSENT[ERROR]="File not found: $2"
|
|
||||||
else
|
|
||||||
BOTSENT[ERROR]="File not found: ${UPLOADDIR}/$2"
|
|
||||||
fi;;
|
|
||||||
esac
|
|
||||||
[ -n "${BASHBOTDEBUG}" ] && log_debug "upload_file: CHAT=$1 FILE=$2 MSG=${BOTSENT[DESCRIPTION]}"
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
# file OK, let's continue
|
# file OK, let's continue
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
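Review bot: For local files send_file now depends entirely on checkUploadFile, whose checks are string comparisons on the unresolved path followed by `[ -r "${file}" ]`, and that test follows symlinks. A symlink under UPLOADDIR, or under a directory FILE_REGEX allows, that points elsewhere would pass these checks; whether FILE_REGEX is anchored is not visible on this page. Consider canonicalising first, e.g. `file="$(realpath -e -- "${file}")"`, and only then requiring the resolved path to start with `${UPLOADDIR}/` or to match FILE_REGEX. The send_file body continues outside this hunk.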