From 87b7a15c5a8a08814c670470df737e37e4adfb94 Mon Sep 17 00:00:00 2001
From: pocketjawa
Date: Sun, 4 Mar 2018 22:09:00 -0500
Subject: [PATCH] Hardened the help command against escaping its directory.
---
 pocketbot.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pocketbot.py b/pocketbot.py
index cefbf04..0831e13 100644
--- a/pocketbot.py
+++ b/pocketbot.py
@@ -83,7 +83,7 @@ def on_message(message):
 if (command is '' ):
 helpfile = open(cwd + "/helpcommand.txt","r")
 yield from client.send_message(message.channel, helpfile.read())
- elif os.path.isfile(cwd + "/helptext/" + command):
+ elif re.match("^[A-Za-z0-9_-]*$", command) and os.path.isfile(cwd + "/helptext/" + command):
 commandhelp = open(cwd + "/helptext/" + command,"r")
 yield from client.send_message(message.channel, commandhelp.read())
 else:
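Review bot: The allowlist on the new `elif` line is anchored with `$`, which in Python also matches just before a trailing newline, so a `command` ending in `\n` still passes even though newline is outside the intended character set. That does not leave `helptext/`, but the check is looser than it reads; `re.fullmatch(r"[A-Za-z0-9_-]+", command)` matches the whole string and drops the empty case the `*` currently lets through to `os.path.isfile`. The commit changes only this one line, so `re` must already be imported at the top of pocketbot.py, which is not visible here; if it is not, every non-empty help request would raise `NameError`. A short comment such as `# allowlist: help topic names only, no path separators or dots` above the condition would record why the pattern is there. The body of `on_message` starts and ends outside the hunk.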