Unverified Commit 2e57ef04 authored by Armando Lüscher's avatar Armando Lüscher Committed by GitHub

Merge pull request #970 from noplanman/772-simple_prevent_system_command_calls

Prevent system commands from being called by the user directly
parents 0e5821b2 c1b3a82f
......@@ -14,6 +14,7 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c
- `TelegramLog` now adheres to [PSR-3] `LoggerInterface` and allows custom logger implementations.
### Deprecated
- Old logging that uses Monolog still works but will be removed in the near future. Use `TelegramLog::initialize($logger, $update_logger);` from now on.
- [:exclamation:][unreleased-bc-startcommand-is-now-a-usercommand] `StartCommand` is now a `UserCommand` (not `SystemCommand` any more).
### Removed
- Botan.io integration completely removed.
### Fixed
......@@ -21,6 +22,7 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c
- Broken `StickerSet::getStickers()` method.
### Security
- Security disclosure managed by Tidelift.
- Don't allow a user to call system commands directly.
## [0.57.0] - 2019-06-01
:exclamation: After updating to this version, you will need to execute the [SQL migration script][0.57.0-sql-migration] on your database.
......@@ -273,7 +275,11 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c
- Move `hideKeyboard` to `removeKeyboard`.
[unreleased-sql-migration]: https://github.com/php-telegram-bot/core/tree/develop/utils/db-schema-update/unreleased.sql
<<<<<<< HEAD
[unreleased-bc-startcommand-is-now-a-usercommand]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#startcommand-is-now-a-usercommand
=======
[unreleased-bc]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#unreleased
>>>>>>> upstream/develop
[0.57.0-sql-migration]: https://github.com/php-telegram-bot/core/tree/master/utils/db-schema-update/0.56.0-0.57.0.sql
[0.55.0-sql-migration]: https://github.com/php-telegram-bot/core/tree/master/utils/db-schema-update/0.54.1-0.55.0.sql
[0.55.0-bc-move-animation-out-of-games-namespace]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#move-animation-out-of-games-namespace
......
......@@ -15,6 +15,13 @@ use Longman\TelegramBot\Request;
abstract class SystemCommand extends Command
{
/**
* @{inheritdoc}
*
* Set to empty string to disallow users calling system commands.
*/
protected $usage = '';
/**
* A system command just executes
*
......
......@@ -8,16 +8,16 @@
* file that was distributed with this source code.
*/
namespace Longman\TelegramBot\Commands\SystemCommands;
namespace Longman\TelegramBot\Commands\UserCommands;
use Longman\TelegramBot\Commands\SystemCommand;
use Longman\TelegramBot\Commands\UserCommand;
use Longman\TelegramBot\Entities\ServerResponse;
use Longman\TelegramBot\Exception\TelegramException;
/**
* Start command
*
* @todo Remove due to deprecation!
*/
class StartCommand extends SystemCommand
class StartCommand extends UserCommand
{
/**
* @var string
......@@ -37,12 +37,13 @@ class StartCommand extends SystemCommand
/**
* @var string
*/
protected $version = '1.0.0';
protected $version = '1.1.0';
/**
* Command execute method
*
* @return mixed
* @return ServerResponse
* @throws TelegramException
*/
public function execute()
{
......@@ -50,8 +51,6 @@ class StartCommand extends SystemCommand
//$chat_id = $message->getChat()->getId();
//$user_id = $message->getFrom()->getId();
trigger_error(__CLASS__ . ' is deprecated and will be removed and handled by ' . GenericmessageCommand::class . ' by default in a future release.', E_USER_DEPRECATED);
return parent::execute();
}
}
......@@ -460,16 +460,17 @@ class Telegram
if ($update_type === 'message') {
$message = $this->update->getMessage();
$type = $message->getType();
if ($type === 'command') {
$command = $message->getCommand();
} else {
// Let's check if the message object has the type field we're looking for
// and if a fitting command class is available.
$command_tmp = $this->getCommandFromType($type);
if ($this->getCommandObject($command_tmp) !== null) {
// Let's check if the message object has the type field we're looking for...
$command_tmp = $type === 'command' ? $message->getCommand() : $this->getCommandFromType($type);
// ...and if a fitting command class is available.
$command_obj = $this->getCommandObject($command_tmp);
// Empty usage string denotes a non-executable command.
// @see https://github.com/php-telegram-bot/core/issues/772#issuecomment-388616072
if ($command_obj !== null && $command_obj->getUsage() !== '') {
$command = $command_tmp;
}
}
} else {
$command = $this->getCommandFromType($update_type);
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment