doc: backticks, new set_chat_xxx functions

2024-11-21 23:25:08 +00:00 · 2021-02-17 12:54:00 +01:00 · 2021-02-17 12:54:00 +01:00 · fdbfcebc7c
commit fdbfcebc7c
parent f7897fd41b
4 changed files with 29 additions and 11 deletions
--- a/README.html
+++ b/README.html
@ -341,7 +341,7 @@ It features background tasks and interactive chats, and can serve as an interfac
 <p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
 <p>Bash scripts in general are not designed to be bulletproof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a>.</p>
 <p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible (e.g. set IFS appropriately, disable globbing with <code>set -f</code> and quote everything). In addition remove unused scripts and examples from your Bot (e.g. everything in <code>example/</code>) and disable/remove all unused bot commands.</p>
-<p>It's important to escape or remove <code>$</code> in input from user, files or network (<em>as bashbot does</em>). One of the powerful features of Unix shells is variable and command substitution using <code>${}</code> and <code>$()</code> can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped <code>$</code> is included in untrusted input (e.g. <code>$$</code> or <code>$(rm -rf /*)</code>).</p>
+<p>It's important to escape or remove <code>$</code> and <code>\`` in input from user, files or network (_as bashbot does_). One of the powerful features of Unix shells is variable and command substitution using </code>${var}<code>, </code>$(cmd)<code>and</code>`cmd`<code>can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped</code>$<code>or</code> `<code>is included in untrusted input (e.g.</code>$$<code>or</code>$(rm -rf /*)`).</p>
 <p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensively in bashbot development to ensure a high code quality (e.g. it's not allowed to push changes without passing all shellcheck tests). In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
 <h3>Use printf whenever possible</h3>
 <p>If you're writing a script that accepts external input (e.g. from the user as arguments or the file system), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a>.</p>
@ -392,6 +392,6 @@ It features background tasks and interactive chats, and can serve as an interfac
 <p>@Gnadelwartz</p>
 <h2>That's it all guys!</h2>
 <p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
-<h4>$$VERSION$$ v1.41-0-gad1b91f</h4>
+<h4>$$VERSION$$ v1.45-dev-36-gf7897fd</h4>
 </body>
 </html>
--- a/README.md
+++ b/README.md
@ -146,8 +146,9 @@ Whenever you are processing input from untrusted sources (messages, files, netwo
 (e.g. set IFS appropriately, disable globbing with `set -f` and quote everything). In addition remove unused scripts and examples
 from your Bot (e.g. everything in `example/`) and disable/remove all unused bot commands.

-It's important to escape or remove `$` in input from user, files or network (_as bashbot does_).
-One of the powerful features of Unix shells is variable and command substitution using `${}` and `$()` can lead to remote code execution (RCE) or remote information disclosure (RID) bugs if unescaped `$` is included in untrusted input (e.g. `$$` or `$(rm -rf /*)`).
+It's important to escape or remove `$` and `\`` in input from user, files or network (_as bashbot does_).
+One of the powerful features of Unix shells is variable and command substitution using `${var}`, `$(cmd)` and `\`cmd\`` can lead to remote
+code execution (RCE) or remote information disclosure (RID) bugs if unescaped `$` or ` \`` is included in untrusted input (e.g. `$$` or `$(rm -rf /*)`).

 A powerful tool to improve your scripts is `shellcheck`. You can [use it online](https://www.shellcheck.net/) or
 [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensively in bashbot development
@ -241,4 +242,4 @@ See `mycommnds.sh.dist` for an example.

 If you feel that there's something missing or if you found a bug, feel free to submit a pull request!

-#### $$VERSION$$ v1.41-0-gad1b91f
+#### $$VERSION$$ v1.45-dev-36-gf7897fd
--- a/README.txt
+++ b/README.txt
@ -200,10 +200,11 @@ Whenever you are processing input from untrusted sources (messages, files, netwo
 must be as careful as possible (e.g. set IFS appropriately, disable globbing with set -
 f and quote everything). In addition remove unused scripts and examples from your Bot
 (e.g. everything in example/) and disable/remove all unused bot commands.
-It's important to escape or remove $ in input from user, files or network (as bashbot
-does). One of the powerful features of Unix shells is variable and command substitution
-using ${} and $() can lead to remote code execution (RCE) or remote information disclosure
-(RID) bugs if unescaped $ is included in untrusted input (e.g. $$ or $(rm -rf /*)).
+It's important to escape or remove $ and \`` in input from user, files or network (_as
+bashbot does_). One of the powerful features of Unix shells is variable and command
+substitution using${var},$(cmd)and`cmd`can lead to remote code execution (RCE) or remote
+information disclosure (RID) bugs if unescaped$or `is included in untrusted input
+(e.g.$$or$(rm -rf /*)`).
 A powerful tool to improve your scripts is shellcheck. You can use it online [https://
 www.shellcheck.net/] or install shellcheck locally [https://github.com/koalaman/
 shellcheck#installing]. Shellcheck is used extensively in bashbot development to ensure a
@ -318,5 +319,5 @@ That's it all guys!
 If you feel that there's something missing or if you found a bug, feel free to submit a
 pull request!

-$$VERSION$$ v1.41-0-gad1b91f
+$$VERSION$$ v1.45-dev-36-gf7897fd

--- a/doc/6_reference.md
+++ b/doc/6_reference.md
@ -651,6 +651,15 @@ with description "Bad Request: chat description is not modified"
 *usage:* set_chat_description "CHAT[ID]" "new chat description"


+##### set_chat_photo
+`set_chat_photo` sets a new  profile photo for the chat, can't be changed for private chat.
+Photo must be a local image file in a supported format (_.jpg, .jpeg, .png, .gif, .bmp, .tiff_)
+
+Same location and naming restrictions as with `send_file` apply.
+
+*usage:* set_chat_photo "CHAT[ID]" "file"
+
+
 ##### new_chat_invite
 `new_chat_invite` generate a new invite link for a chat; any previously generated link is revoked. 
 Returns the new invite link as String on success.
@ -687,6 +696,13 @@ Returns the new invite link as String on success.
 *usage:* delete_chat_stickers "CHAT[ID]"


+##### set_chatadmin_title
+`set_chatadmin_title` set a custom title for an administrator in a supergroup promoted by the bot.
+ Admin title can be 0-16 characters long, emoji are not allowed.
+
+*usage:* set_chatadmin_title "CHAT[ID]" "USER[ID]" "admin title"
+
+
 ----

 ### User Access Control
@ -1641,5 +1657,5 @@ The name of your bot is available as bash variable "$ME", there is no need to ca
 #### [Prev Best Practice](5_practice.md)
 #### [Next Notes for Developers](7_develop.md)

-#### $$VERSION$$ v1.45-dev-9-g62b6b61
+#### $$VERSION$$ v1.45-dev-36-gf7897fd