userbot / events : Critical Security Bug Fix (Assigned as DS-SA-35CA)

penn5 · MoveAngel · commit f712fdca7871 · 2020-04-05T17:19:03.000+07:00
There's a vulnerability on evaluation module which can cause a Inline Bot to have a remote privilege elevation to any account that running Paperplane prior to this commit. Issues at: RaphielGang/Telegram-Paperplane#222 Change-Id: Ia0a6c2f5122a9df65919dd25626df3afcb47dd13 Signed-off-by: MoveAngel <moveangel29@gmail.com>
diff --git a/userbot/events.py b/userbot/events.py
@@ -27,6 +27,7 @@ def register(**args):
     groups_only = args.get('groups_only', False)
     trigger_on_fwd = args.get('trigger_on_fwd', False)
     disable_errors = args.get('disable_errors', False)
+    insecure = args.get('insecure', False)
 
     if pattern is not None and not pattern.startswith('(?i)'):
         args['pattern'] = '(?i)' + pattern
@@ -46,6 +47,9 @@ def register(**args):
     if "trigger_on_fwd" in args:
         del args['trigger_on_fwd']
 
+    if "insecure" in args:
+        del args['insecure']
+
     if pattern:
         if not ignore_unsafe:
             args['pattern'] = pattern.replace('^.', unsafe_pattern, 1)
@@ -64,6 +68,10 @@ async def wrapper(check):
                 await check.respond("`I don't think this is a group.`")
                 return
 
+            if check.via_bot_id and not insecure:
+                await check.respond("`Inline bots are disabled for security reasons`")
+                return
+
             try:
                 await func(check)
 
