Unverified Commit 2e57ef04 authored by Armando Lüscher's avatar Armando Lüscher Committed by GitHub

Merge pull request #970 from noplanman/772-simple_prevent_system_command_calls

Prevent system commands from being called by the user directly
parents 0e5821b2 c1b3a82f
...@@ -14,6 +14,7 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c ...@@ -14,6 +14,7 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c
- `TelegramLog` now adheres to [PSR-3] `LoggerInterface` and allows custom logger implementations. - `TelegramLog` now adheres to [PSR-3] `LoggerInterface` and allows custom logger implementations.
### Deprecated ### Deprecated
- Old logging that uses Monolog still works but will be removed in the near future. Use `TelegramLog::initialize($logger, $update_logger);` from now on. - Old logging that uses Monolog still works but will be removed in the near future. Use `TelegramLog::initialize($logger, $update_logger);` from now on.
- [:exclamation:][unreleased-bc-startcommand-is-now-a-usercommand] `StartCommand` is now a `UserCommand` (not `SystemCommand` any more).
### Removed ### Removed
- Botan.io integration completely removed. - Botan.io integration completely removed.
### Fixed ### Fixed
...@@ -21,6 +22,7 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c ...@@ -21,6 +22,7 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c
- Broken `StickerSet::getStickers()` method. - Broken `StickerSet::getStickers()` method.
### Security ### Security
- Security disclosure managed by Tidelift. - Security disclosure managed by Tidelift.
- Don't allow a user to call system commands directly.
## [0.57.0] - 2019-06-01 ## [0.57.0] - 2019-06-01
:exclamation: After updating to this version, you will need to execute the [SQL migration script][0.57.0-sql-migration] on your database. :exclamation: After updating to this version, you will need to execute the [SQL migration script][0.57.0-sql-migration] on your database.
...@@ -273,7 +275,11 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c ...@@ -273,7 +275,11 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c
- Move `hideKeyboard` to `removeKeyboard`. - Move `hideKeyboard` to `removeKeyboard`.
[unreleased-sql-migration]: https://github.com/php-telegram-bot/core/tree/develop/utils/db-schema-update/unreleased.sql [unreleased-sql-migration]: https://github.com/php-telegram-bot/core/tree/develop/utils/db-schema-update/unreleased.sql
<<<<<<< HEAD
[unreleased-bc-startcommand-is-now-a-usercommand]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#startcommand-is-now-a-usercommand
=======
[unreleased-bc]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#unreleased [unreleased-bc]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#unreleased
>>>>>>> upstream/develop
[0.57.0-sql-migration]: https://github.com/php-telegram-bot/core/tree/master/utils/db-schema-update/0.56.0-0.57.0.sql [0.57.0-sql-migration]: https://github.com/php-telegram-bot/core/tree/master/utils/db-schema-update/0.56.0-0.57.0.sql
[0.55.0-sql-migration]: https://github.com/php-telegram-bot/core/tree/master/utils/db-schema-update/0.54.1-0.55.0.sql [0.55.0-sql-migration]: https://github.com/php-telegram-bot/core/tree/master/utils/db-schema-update/0.54.1-0.55.0.sql
[0.55.0-bc-move-animation-out-of-games-namespace]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#move-animation-out-of-games-namespace [0.55.0-bc-move-animation-out-of-games-namespace]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#move-animation-out-of-games-namespace
......
...@@ -15,6 +15,13 @@ use Longman\TelegramBot\Request; ...@@ -15,6 +15,13 @@ use Longman\TelegramBot\Request;
abstract class SystemCommand extends Command abstract class SystemCommand extends Command
{ {
/**
* @{inheritdoc}
*
* Set to empty string to disallow users calling system commands.
*/
protected $usage = '';
/** /**
* A system command just executes * A system command just executes
* *
......
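Review bot: The docblock on the new `$usage` property uses `@{inheritdoc}`, which is not a PHPDoc tag; the inline form is `{@inheritdoc}`, so the line should read ` * {@inheritdoc}`. More importantly, the empty string is now a security-relevant sentinel: the gate in `Telegram` compares `getUsage()` with `''`, so any `SystemCommand` subclass that overrides `$usage` with a non-empty value silently becomes user-invokable again, and the comment should say so, e.g. `Empty string marks the command as not user-callable; subclasses must not override this with a non-empty value.` A `final` getter or a dedicated boolean/constant would make that contract harder to break by accident than a string compare, but that is a wider change than this hunk.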
...@@ -8,16 +8,16 @@ ...@@ -8,16 +8,16 @@
* file that was distributed with this source code. * file that was distributed with this source code.
*/ */
namespace Longman\TelegramBot\Commands\SystemCommands; namespace Longman\TelegramBot\Commands\UserCommands;
use Longman\TelegramBot\Commands\SystemCommand; use Longman\TelegramBot\Commands\UserCommand;
use Longman\TelegramBot\Entities\ServerResponse;
use Longman\TelegramBot\Exception\TelegramException;
/** /**
* Start command * Start command
*
* @todo Remove due to deprecation!
*/ */
class StartCommand extends SystemCommand class StartCommand extends UserCommand
{ {
/** /**
* @var string * @var string
...@@ -37,12 +37,13 @@ class StartCommand extends SystemCommand ...@@ -37,12 +37,13 @@ class StartCommand extends SystemCommand
/** /**
* @var string * @var string
*/ */
protected $version = '1.0.0'; protected $version = '1.1.0';
/** /**
* Command execute method * Command execute method
* *
* @return mixed * @return ServerResponse
* @throws TelegramException
*/ */
public function execute() public function execute()
{ {
...@@ -50,8 +51,6 @@ class StartCommand extends SystemCommand ...@@ -50,8 +51,6 @@ class StartCommand extends SystemCommand
//$chat_id = $message->getChat()->getId(); //$chat_id = $message->getChat()->getId();
//$user_id = $message->getFrom()->getId(); //$user_id = $message->getFrom()->getId();
trigger_error(__CLASS__ . ' is deprecated and will be removed and handled by ' . GenericmessageCommand::class . ' by default in a future release.', E_USER_DEPRECATED);
return parent::execute(); return parent::execute();
} }
} }
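Review bot: The deprecation message on the `trigger_error` line is built from `GenericmessageCommand::class`, which is resolved at compile time against the current namespace; the file now lives in `Longman\TelegramBot\Commands\UserCommands` and the visible imports are only `UserCommand`, `ServerResponse` and `TelegramException`, so unless a `use` for `GenericmessageCommand` sits in the lines not shown (24–36) the message will name `...\UserCommands\GenericmessageCommand`, presumably not the class meant. Add an import for `GenericmessageCommand` from the namespace it actually lives in (likely the `SystemCommands` namespace this file just left) next to the other `use` lines, or spell the fully qualified name in the message. The `execute()` docblock now declares `@throws TelegramException` while the visible body only calls `parent::execute()`; that is fine if the parent throws it, but worth confirming rather than copying.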
...@@ -460,15 +460,16 @@ class Telegram ...@@ -460,15 +460,16 @@ class Telegram
if ($update_type === 'message') { if ($update_type === 'message') {
$message = $this->update->getMessage(); $message = $this->update->getMessage();
$type = $message->getType(); $type = $message->getType();
if ($type === 'command') {
$command = $message->getCommand(); // Let's check if the message object has the type field we're looking for...
} else { $command_tmp = $type === 'command' ? $message->getCommand() : $this->getCommandFromType($type);
// Let's check if the message object has the type field we're looking for // ...and if a fitting command class is available.
// and if a fitting command class is available. $command_obj = $this->getCommandObject($command_tmp);
$command_tmp = $this->getCommandFromType($type);
if ($this->getCommandObject($command_tmp) !== null) { // Empty usage string denotes a non-executable command.
$command = $command_tmp; // @see https://github.com/php-telegram-bot/core/issues/772#issuecomment-388616072
} if ($command_obj !== null && $command_obj->getUsage() !== '') {
$command = $command_tmp;
} }
} else { } else {
$command = $this->getCommandFromType($update_type); $command = $this->getCommandFromType($update_type);
......
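Review bot: When a typed command resolves to a class whose usage string is empty, the new `if ($command_obj !== null && $command_obj->getUsage() !== '')` branch leaves `$command` unassigned; if `$command` is not initialised before the hunk starts (line 460), whatever reads it afterwards will hit an undefined variable, so add an explicit `else { $command = null; }` (or whatever value the caller already treats as "no command") so the blocked case is deliberate rather than accidental. The enclosing method starts and ends outside the hunk. Note that the gate is a strict `!== ''` compare, so if the base `Command` class leaves `$usage` nullable a `null` usage would pass it; the comment could state the contract it relies on: `// A command is user-callable only when its usage string is non-empty (SystemCommand sets it to '').`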