From 09849eb8adb566b2f17a7ee533cc4a10ac379fe7 Mon Sep 17 00:00:00 2001
From: Giuseppe Bilotta
Date: Wed, 9 Jun 2021 09:33:43 +0200
Subject: fix: webservice dispatch syntax check
Early bailout if the command field is not specified in the POST request. (Not doing this actually leads to an exception in the subsequent debug because command is an Array and it can't be added to a String, but ayway the early catch is cleaner error handling.) Also add a TODO about a potential improvement for permission error handling.
---
 lib/rbot/core/webservice.rb | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/lib/rbot/core/webservice.rb b/lib/rbot/core/webservice.rb
index 112ec85e..6f90c574 100644
--- a/lib/rbot/core/webservice.rb
+++ b/lib/rbot/core/webservice.rb
@@ -531,6 +531,11 @@ class WebServiceModule < CoreBotModule
 end
 command = m.post['command']
+ if command.empty?
+ m.send_plaintext('wrong syntax', 400)
+ return
+ end
+
 if not m.source
 botuser = Auth::defaultbotuser
 else
@@ -544,6 +549,8 @@ class WebServiceModule < CoreBotModule
 message = Irc::PrivMessage.new(@bot, nil, user, @bot.myself, command)
 res = @bot.plugins.irc_delegate('privmsg', message)
+ # TODO if delegation failed due to wrong auth, it should be reported
+ # as an error, not 200 OK
 if m.req['Accept'] == 'application/json'
 { :reply => user.response }
--
cgit v1.2.3
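Review bot: The new guard `if command.empty?` in the first hunk rejects only an empty value; it does not establish that `command` is a non-empty String before it is handed to `Irc::PrivMessage.new` in the second hunk. The commit message says a missing field arrives as an Array, so, depending on how `m.post` is populated (not visible here), a repeated or otherwise non-String `command` field could presumably pass the check and still reach the debug concatenation and the delegate call, while a `nil` would raise on `.empty?` itself. Because this check runs on raw request input before the botuser lookup that follows it, a type-and-content test is the safer form, for example `unless command.is_a?(String) && !command.strip.empty?` followed by the same `m.send_plaintext('wrong syntax', 400)` and `return`. The enclosing method starts and ends outside both hunks, so any earlier normalisation of `m.post` should be confirmed before relying on this.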