From 87b7a15c5a8a08814c670470df737e37e4adfb94 Mon Sep 17 00:00:00 2001
From: pocketjawa <scott@pocketjawa.com>
Date: Sun, 4 Mar 2018 22:09:00 -0500
Subject: [PATCH] Hardened the help command against escaping its directory.

---
 pocketbot.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pocketbot.py b/pocketbot.py
index cefbf04..0831e13 100644
--- a/pocketbot.py
+++ b/pocketbot.py
@@ -83,7 +83,7 @@ def on_message(message):
         if (command is '' ):
             helpfile = open(cwd + "/helpcommand.txt","r")
             yield from client.send_message(message.channel, helpfile.read())
-        elif os.path.isfile(cwd + "/helptext/" + command):
+        elif re.match("^[A-Za-z0-9_-]*$", command) and os.path.isfile(cwd + "/helptext/" + command):
             commandhelp = open(cwd + "/helptext/" + command,"r")
             yield from client.send_message(message.channel, commandhelp.read())
         else: