Merge pull request #970 from noplanman/772-simple_prevent_system_command_calls

noplanman · web-flow · commit 2e57ef04df8d · 2019-06-15T23:59:16.000+02:00
Prevent system commands from being called by the user directly
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,13 +14,15 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c
 - `TelegramLog` now adheres to [PSR-3] `LoggerInterface` and allows custom logger implementations.
 ### Deprecated
 - Old logging that uses Monolog still works but will be removed in the near future. Use `TelegramLog::initialize($logger, $update_logger);` from now on.
+- [:exclamation:][unreleased-bc-startcommand-is-now-a-usercommand] `StartCommand` is now a `UserCommand` (not `SystemCommand` any more).
 ### Removed
 - Botan.io integration completely removed.
 ### Fixed
 - `forward_date` is now correctly saved to the DB.
 - Broken `StickerSet::getStickers()` method.
 ### Security
 - Security disclosure managed by Tidelift.
+- Don't allow a user to call system commands directly.
 
 ## [0.57.0] - 2019-06-01
 :exclamation: After updating to this version, you will need to execute the [SQL migration script][0.57.0-sql-migration] on your database.
@@ -273,7 +275,11 @@ Exclamation symbols (:exclamation:) note something of importance e.g. breaking c
 - Move `hideKeyboard` to `removeKeyboard`.
 
 [unreleased-sql-migration]: https://github.com/php-telegram-bot/core/tree/develop/utils/db-schema-update/unreleased.sql
+<<<<<<< HEAD
+[unreleased-bc-startcommand-is-now-a-usercommand]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#startcommand-is-now-a-usercommand
+=======
 [unreleased-bc]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#unreleased
+>>>>>>> upstream/develop
 [0.57.0-sql-migration]: https://github.com/php-telegram-bot/core/tree/master/utils/db-schema-update/0.56.0-0.57.0.sql
 [0.55.0-sql-migration]: https://github.com/php-telegram-bot/core/tree/master/utils/db-schema-update/0.54.1-0.55.0.sql
 [0.55.0-bc-move-animation-out-of-games-namespace]: https://github.com/php-telegram-bot/core/wiki/Breaking-backwards-compatibility#move-animation-out-of-games-namespace
diff --git a/src/Commands/SystemCommand.php b/src/Commands/SystemCommand.php
@@ -15,6 +15,13 @@
 
 abstract class SystemCommand extends Command
 {
+    /**
+     * @{inheritdoc}
+     *
+     * Set to empty string to disallow users calling system commands.
+     */
+    protected $usage = '';
+
     /**
      * A system command just executes
      *
diff --git a/src/Commands/UserCommands/StartCommand.php b/src/Commands/UserCommands/StartCommand.php
@@ -8,16 +8,16 @@
  * file that was distributed with this source code.
  */
 
-namespace Longman\TelegramBot\Commands\SystemCommands;
+namespace Longman\TelegramBot\Commands\UserCommands;
 
-use Longman\TelegramBot\Commands\SystemCommand;
+use Longman\TelegramBot\Commands\UserCommand;
+use Longman\TelegramBot\Entities\ServerResponse;
+use Longman\TelegramBot\Exception\TelegramException;
 
 /**
  * Start command
- *
- * @todo Remove due to deprecation!
  */
-class StartCommand extends SystemCommand
+class StartCommand extends UserCommand
 {
     /**
      * @var string
@@ -37,21 +37,20 @@ class StartCommand extends SystemCommand
     /**
      * @var string
      */
-    protected $version = '1.0.0';
+    protected $version = '1.1.0';
 
     /**
      * Command execute method
      *
-     * @return mixed
+     * @return ServerResponse
+     * @throws TelegramException
      */
     public function execute()
     {
         //$message = $this->getMessage();
         //$chat_id = $message->getChat()->getId();
         //$user_id = $message->getFrom()->getId();
 
-        trigger_error(__CLASS__ . ' is deprecated and will be removed and handled by ' . GenericmessageCommand::class . ' by default in a future release.', E_USER_DEPRECATED);
-
         return parent::execute();
     }
 }
diff --git a/src/Telegram.php b/src/Telegram.php
@@ -460,15 +460,16 @@ public function processUpdate(Update $update)
         if ($update_type === 'message') {
             $message = $this->update->getMessage();
             $type    = $message->getType();
-            if ($type === 'command') {
-                $command = $message->getCommand();
-            } else {
-                // Let's check if the message object has the type field we're looking for
-                // and if a fitting command class is available.
-                $command_tmp = $this->getCommandFromType($type);
-                if ($this->getCommandObject($command_tmp) !== null) {
-                    $command = $command_tmp;
-                }
+
+            // Let's check if the message object has the type field we're looking for...
+            $command_tmp = $type === 'command' ? $message->getCommand() : $this->getCommandFromType($type);
+            // ...and if a fitting command class is available.
+            $command_obj = $this->getCommandObject($command_tmp);
+
+            // Empty usage string denotes a non-executable command.
+            // @see https://github.com/php-telegram-bot/core/issues/772#issuecomment-388616072
+            if ($command_obj !== null && $command_obj->getUsage() !== '') {
+                $command = $command_tmp;
             }
         } else {
             $command = $this->getCommandFromType($update_type);

Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,13 @@`
`15`	`15`
`16`	`16`	`abstract class SystemCommand extends Command`
`17`	`17`	`{`
	`18`	`+ /**`
	`19`	`+ * @{inheritdoc}`
	`20`	`+ *`
	`21`	`+ * Set to empty string to disallow users calling system commands.`
	`22`	`+ */`
	`23`	`+ protected $usage = '';`
	`24`	`+`
`18`	`25`	`/**`
`19`	`26`	`* A system command just executes`
`20`	`27`	`*`