From a7a495561e9ae83f9b94200f82f14d13c895cadd Mon Sep 17 00:00:00 2001
From: Daniil Gentili
Date: Wed, 23 Mar 2016 15:56:22 +0100
Subject: [PATCH 1/3] Fixed security issues
Added check in send_file function to prevent user from requesting any file on the server and added a third parameter check to send_message. If send_message is called with text as third param it will send the message given as is, without checking for keyboards, files etc... One could simply do a myfilelocationstartshere $PWD/bashbot.sh and get the whole bot with the token.
---
 bashbot.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/bashbot.sh b/bashbot.sh
index 51ce1e3..a64ec77 100755
--- a/bashbot.sh
+++ b/bashbot.sh
@@ -37,15 +37,15 @@ declare -A USER MESSAGE URLS CONTACT LOCATION
 send_message() {
 local chat="$1"
 local text="$(echo "$2" | sed 's/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
+ [ "$3" = "text" ] && {
+ local keyboard="$(echo "$2" | sed '/mykeyboardstartshere /!d;s/.*mykeyboardstartshere //g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
- local keyboard="$(echo "$2" | sed '/mykeyboardstartshere /!d;s/.*mykeyboardstartshere //g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
+ local file="$(echo "$2" | sed '/myfilelocationstartshere /!d;s/.*myfilelocationstartshere //g;s/ mykeyboardstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
- local file="$(echo "$2" | sed '/myfilelocationstartshere /!d;s/.*myfilelocationstartshere //g;s/ mykeyboardstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
-
- local lat="$(echo "$2" | sed '/mylatstartshere /!d;s/.*mylatstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylongstartshere.*//g')"
-
- local long="$(echo "$2" | sed '/mylongstartshere /!d;s/.*mylongstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g')"
+ local lat="$(echo "$2" | sed '/mylatstartshere /!d;s/.*mylatstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylongstartshere.*//g')"
+ local long="$(echo "$2" | sed '/mylongstartshere /!d;s/.*mylongstartshere //g;s/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g')"
+ }
 if [ "$keyboard" != "" ]; then
 send_keyboard "$chat" "$text" "$keyboard"
 local sent=y
@@ -91,6 +91,7 @@ send_file() {
 [ "$2" = "" ] && return
 local chat_id=$1
 local file=$2
+ echo "$file" | grep -qE '/home/allowed/.*' || return
 local ext="${file##*.}"
 case $ext in
 "mp3")
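Review bot: The marker-stripping `local text="$(echo "$2" | sed '…')"` on the third line of the hunk runs before the new `[ "$3" … ] && { … }` group, so the `"text"` mode still truncates `$2` at the first ` mykeyboardstartshere`/` myfilelocationstartshere`/` mylatstartshere`/` mylongstartshere` it contains, contrary to the commit message's "send the message given as is". A user message that happens to contain one of those words is silently cut short. Move the sed into the parsing branch and use the raw argument otherwise, e.g. `if [ "$3" = "text" ]; then local text="$2"; else local text="$(echo "$2" | sed '…')"; fi` with the same sed script as now. The rest of send_message, including the `if [ "$keyboard" != "" ]` dispatch, continues past the end of this hunk.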
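Review bot: The added `grep -qE '/home/allowed/.*'` check in send_file is unanchored and does no path normalisation, so `/home/allowed/../../etc/passwd` and `/tmp/home/allowed/x` both pass, and a symlink placed under the directory escapes it too; the check therefore does not close the arbitrary-file-read the commit message describes. Resolve the path first and compare the prefix with a shell pattern instead of a regex, e.g. `file="$(readlink -f -- "$file")" || return` followed by `case "$file" in /home/allowed/*) ;; *) return ;; esac` (readlink -f is GNU coreutils; substitute realpath where that is what is available). The literal directory would be better read from a configuration variable kept next to the token than edited in place as the README hunk below tells users to do. The rest of send_file continues past the end of this hunk.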
@@ -231,7 +232,7 @@ Contribute to the project: https://github.com/topkecleon/telegram-bot-bash
 '') ;;
 *)
- send_message "${USER[ID]}" "$MESSAGE"
+ send_message "${USER[ID]}" "$MESSAGE" "text"
 esac
 else
 case $MESSAGE in
@@ -265,4 +266,3 @@ while [ "$1" != "source" ]; do {
 fi
 }; done
-
From 66b36cc62aa062282f4d21ff3e794d351e0c15c4 Mon Sep 17 00:00:00 2001
From: Daniil Gentili
Date: Wed, 23 Mar 2016 16:02:28 +0100
Subject: [PATCH 2/3] Added description of new parameter.
---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index eda4012..8649f77 100644
--- a/README.md
+++ b/README.md
@@ -104,7 +104,11 @@ To send messages use the ```send_message``` function:
 ```
 send_message "${USER[ID]}" "lol"
 ```
-To send images, videos, voice files, photos ecc use the ```send_photo``` function:
+This function also allows a third parameter that disables additional function parsing (for safety use this when reprinting user input):
+```
+send_message "${USER[ID]}" "lol" "text"
+```
+To send images, videos, voice files, photos ecc use the ```send_photo``` function (remember to change the safety Regex @ line 94 to allow sending files only from certain directories):
 ```
 send_file "${USER[ID]}" "/home/user/doge.jpg" "Lool"
 ```
From 86c11e939766fa0e8bdf26ce99936355da740af6 Mon Sep 17 00:00:00 2001
From: Daniil Gentili
Date: Wed, 23 Mar 2016 16:04:28 +0100
Subject: [PATCH 3/3] Fixed typo
---
 bashbot.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bashbot.sh b/bashbot.sh
index a64ec77..ff20a79 100755
--- a/bashbot.sh
+++ b/bashbot.sh
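Review bot: Safe handling is opt-in here — the `*)` arm now passes `"text"`, but any other call site that forwards user-controlled data and omits the third argument keeps the old behaviour, so the first caller that forgets it fails open into keyboard and file parsing. The other arms of this `case` and the enclosing `if`/`else` start outside the hunk and cannot be checked from here; each one that reprints `$MESSAGE` or another incoming field needs the same argument. Consider inverting the default so marker parsing must be requested explicitly by the bot's own replies (for example a `"markup"` third argument) and a bare `send_message "$chat" "$msg"` always sends plain text. A short comment on the changed line, such as `# "text": never parse bot markup out of user input`, would record why the argument is there.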
@@ -37,7 +37,7 @@ declare -A USER MESSAGE URLS CONTACT LOCATION
 send_message() {
 local chat="$1"
 local text="$(echo "$2" | sed 's/ mykeyboardstartshere.*//g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
- [ "$3" = "text" ] && {
+ [ "$3" != "text" ] && {
 local keyboard="$(echo "$2" | sed '/mykeyboardstartshere /!d;s/.*mykeyboardstartshere //g;s/ myfilelocationstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
 local file="$(echo "$2" | sed '/myfilelocationstartshere /!d;s/.*myfilelocationstartshere //g;s/ mykeyboardstartshere.*//g;s/ mylatstartshere.*//g;s/ mylongstartshere.*//g')"
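Review bot: The guard `[ "$3" != "text" ] && { … }` only executes the `local keyboard=…`/`local file=…` declarations (and, past the hunk, `lat`/`long`) when parsing is enabled, so in the `"text"` path those names are never made local and the later `if [ "$keyboard" != "" ]` dispatch reads whatever an enclosing scope holds under those names; `file` in particular is a common variable name. Declare them unconditionally before the guard: `local keyboard="" file="" lat="" long=""`. The title "Fixed typo" understates the change — flipping `=` to `!=` is what makes the third argument disable parsing at all; the previous commit enabled marker parsing only when `"text"` was passed. The tail of send_message lies outside this hunk.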