Hardened the help command against escaping its directory.

2018-03-04 22:09:00 -05:00 · 2018-03-04 22:09:00 -05:00 · 87b7a15c5a
parent 5095a254aa
commit 87b7a15c5a
1 changed files with 1 additions and 1 deletions
--- a/pocketbot.py
+++ b/pocketbot.py
@ -83,7 +83,7 @@ def on_message(message):
        if (command is '' ):
            helpfile = open(cwd + "/helpcommand.txt","r")
            yield from client.send_message(message.channel, helpfile.read())
-        elif os.path.isfile(cwd + "/helptext/" + command):
+        elif re.match("^[A-Za-z0-9_-]*$", command) and os.path.isfile(cwd + "/helptext/" + command):
            commandhelp = open(cwd + "/helptext/" + command,"r")
            yield from client.send_message(message.channel, commandhelp.read())
        else: