From b23f274881ed5337c5bf48da491809b9be2ac11f Mon Sep 17 00:00:00 2001
From: Astro
Date: Tue, 4 Jun 2013 00:22:14 +0300
Subject: [PATCH 1/4] [SECURITY] Sanitize ddate args
---
 pentabot.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pentabot.py b/pentabot.py
index fc90065..68c0ffd 100755
--- a/pentabot.py
+++ b/pentabot.py
@@ -198,7 +198,7 @@ def ddate(self, mess, args):
 if len(args) <= 1 :
 ddate += os.popen('/usr/bin/ddate').read()
 elif len(args) == 3:
- ddate += os.popen('/usr/bin/ddate '+args[0]+' '+ args[1]+' '+ args[2]).read()
+ ddate += os.popen('/usr/bin/ddate '+str(int(args[0]))+' '+ str(int(args[1]))+' '+ str(int(args[2]))).read()
 else:
 ddate = 'You are not using correctly!\n Just enter ddate or append day month year'
 return ddate
From 4e81fc624c0b1e5699b0afd7a4d3924a44efb39e Mon Sep 17 00:00:00 2001
From: maloi
Date: Tue, 4 Jun 2013 20:58:17 +0200
Subject: [PATCH 2/4] allow only integer arguments to ddate botcmd
---
 pentabot.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pentabot.py b/pentabot.py
index 68c0ffd..1e3bba7 100755
--- a/pentabot.py
+++ b/pentabot.py
@@ -197,8 +197,8 @@ def ddate(self, mess, args):
 ddate = ''
 if len(args) <= 1 :
 ddate += os.popen('/usr/bin/ddate').read()
- elif len(args) == 3:
- ddate += os.popen('/usr/bin/ddate '+str(int(args[0]))+' '+ str(int(args[1]))+' '+ str(int(args[2]))).read()
+ elif len(args) == 3 and all(arg.isdigit() for arg in args):
+ ddate += os.popen('/usr/bin/ddate ' + args[0] + ' ' + args[1] + ' ' + args[2]).read()
 else:
 ddate = 'You are not using correctly!\n Just enter ddate or append day month year'
 return ddate
From 2b607c20301dbc9f67edf39461ddc3b2c65fcd50 Mon Sep 17 00:00:00 2001
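Review bot: In patch 1/4 the new `int(args[n])` calls in the `elif len(args) == 3:` branch raise ValueError for any non-numeric argument, and nothing visible in the hunk catches it, so bad input ends in an exception instead of the usage message from the `else:` branch. `int()` also accepts a leading minus sign, so a value such as `-5` still reaches `/usr/bin/ddate` looking like an option rather than a date field. I would convert once with `nums = [str(int(a)) for a in args]` inside a `try:` whose `except ValueError:` returns the existing usage text, and reject negative values before the command is built. ddate's body starts outside the hunk, so how `args` is produced is not visible here.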
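Review bot: In patch 2/4 the `/usr/bin/ddate` command is still assembled by string concatenation and handed to a shell through `os.popen`, which leaves the `isdigit()` test as the only barrier between chat input and the shell. Passing an argument list with no shell removes that dependency: `subprocess.Popen(['/usr/bin/ddate', args[0], args[1], args[2]], stdout=subprocess.PIPE).communicate()[0]`; this needs `import subprocess`, which is not visible in the hunk. If `args` holds `unicode` values, `isdigit()` is also true for non-ASCII digit characters, so an explicit ASCII `0`-`9` check would be stricter; the argument type cannot be confirmed from these lines. ddate's body starts outside the hunk.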
From: maloi
Date: Tue, 4 Jun 2013 21:07:35 +0200
Subject: [PATCH 3/4] using json to parse response data for abfahrt botcmd, and fixed errors for entries like ["360","Dresden, Pirnaischer Platz","9"] where splitting at "," is not sufficient
---
 pentabot.py | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/pentabot.py b/pentabot.py
index 1e3bba7..7d1aa1a 100755
--- a/pentabot.py
+++ b/pentabot.py
@@ -299,16 +299,12 @@ def abfahrt( self, mess, args):
 full_url = config.get("abfahrt", "url") + "?" + url_values
 data = urllib2.urlopen(full_url)
- dare = data.read()
- dare = dare.replace("[[", "")
- dare = dare.replace("]]", "")
 abfahrt += "\n"
 abfahrt += "%6s %-19s %7s\n" % ("Linie", "Richtung", "Abfahrt")
- for line in dare.split("],["):
- outp = line.replace("\"", "").split(",")
- abfahrt += "%6s %-19s %7s\n" % (outp[0], outp[1], outp[2])
+ for line in json.loads(dare):
+ abfahrt += "%6s %-19s %7s\n" % (line[0], line[1], line[2])
 return abfahrt
From b753c9238d9c78940c120060de74a9f7d3e15ed8 Mon Sep 17 00:00:00 2001
From: maloi
Date: Tue, 4 Jun 2013 21:45:46 +0200
Subject: [PATCH 4/4] added previously removed line that was needed
---
 pentabot.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pentabot.py b/pentabot.py
index 7d1aa1a..1a9f754 100755
--- a/pentabot.py
+++ b/pentabot.py
@@ -299,6 +299,7 @@ def abfahrt( self, mess, args):
 full_url = config.get("abfahrt", "url") + "?" + url_values
 data = urllib2.urlopen(full_url)
+ dare = data.read()
 abfahrt += "\n"
 abfahrt += "%6s %-19s %7s\n" % ("Linie", "Richtung", "Abfahrt")
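Review bot: In patch 3/4 the new loop over `json.loads(dare)` indexes `line[0]`, `line[1]` and `line[2]` on data fetched from a remote URL with no error handling, so a non-JSON body raises ValueError and an entry with fewer than three fields raises IndexError inside the bot command. Wrapping the parse and the loop in `try:` with `except (ValueError, IndexError, TypeError):` and returning a short fallback message would keep a bad upstream response from surfacing as an unhandled exception. The diffstat shows this hunk as the only change, so `import json` is not added by the patch and has to exist already in pentabot.py for the call to resolve. abfahrt's body starts outside the hunk.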