1
0
mirror of https://github.com/MrDetonia/Maki.git synced 2024-11-22 11:54:16 -05:00

v0.20.2, more characters allowed in .qr - no more shell exec

This commit is contained in:
Zac Herd 2017-04-22 15:27:52 +00:00
parent 763be971f8
commit 22851a0962

28
bot.py
View File

@ -31,7 +31,7 @@ from secret import token, lfmkey, steamkey
# CONFIGURATION # CONFIGURATION
# bot version # bot version
version = "v0.20.1" version = "v0.20.2"
# text shown by .help command # text shown by .help command
helptext = """I am a Discord bot written in Python helptext = """I am a Discord bot written in Python
@ -357,7 +357,6 @@ def on_message(message):
response = steamdata(tmp) response = steamdata(tmp)
elif message.content.startswith('.qr '): elif message.content.startswith('.qr '):
# generate QR code - DANGEROUS, CHECK CAREFULLY HERE
tmp = message.content[4:] tmp = message.content[4:]
# send typing signal to discord # send typing signal to discord
@ -371,26 +370,11 @@ def on_message(message):
else: else:
print('ERROR: Failed to send typing signal to discord after 5 attempts') print('ERROR: Failed to send typing signal to discord after 5 attempts')
# make sure there are no nasty characters # generate qr code
msg = re.sub(r'[^a-zA-Z0-9_ -]', '', tmp, 0) qr = subprocess.Popen('qrencode -t png -o -'.split(), stdin=subprocess.PIPE, stdout=subprocess.PIPE)
qr.stdin.write(tmp.encode('utf-8'))
# echo message qr.stdin.close()
cmd = 'echo "\'' + msg + '\'"' out = subprocess.check_output('curl -F upload=@- https://w1r3.net'.split(), stdin=qr.stdout)
args = shlex.split(cmd)
echo = subprocess.Popen(args, stdout=subprocess.PIPE)
# generate QR code
cmd = 'qrencode -t png -o -'
args = shlex.split(cmd)
qr = subprocess.Popen(args, stdin=echo.stdout, stdout=subprocess.PIPE)
# upload file with curl and get URL
cmd = 'curl -F upload=@- https://w1r3.net'
args = shlex.split(cmd)
out = subprocess.check_output(args, stdin=qr.stdout)
# run piped commands
echo.wait()
# send response # send response
response = out.decode('utf-8').strip() response = out.decode('utf-8').strip()