zimk/SubMind
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

hardening: validate ownership on entry points and failed updates

Browse Source
This commit is contained in:
Xiaolan Bot
2026-02-22 01:41:46 +08:00
parent 530d81b565
commit 8601e78e17
1 changed files with 45 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
SubMind.py
View File

@@ -965,7 +965,21 @@ async def fallback_view_button(update: Update, context: CallbackContext):
async def edit_start(update: Update, context: CallbackContext):
query = update.callback_query
await query.answer()
sub_id = query.data.split('_')[1]
sub_id_str = query.data.split('_')[1]
user_id = query.from_user.id
if not sub_id_str.isdigit():
await query.edit_message_text("错误无效的订阅ID。")
return ConversationHandler.END
sub_id = int(sub_id_str)
with get_db_connection() as conn:
cursor = conn.cursor()
cursor.execute("SELECT 1 FROM subscriptions WHERE id = ? AND user_id = ?", (sub_id, user_id))
if not cursor.fetchone():
await query.edit_message_text("错误:找不到该订阅或无权限。")
return ConversationHandler.END
logger.debug(f"Starting edit for sub_id: {sub_id}")
context.user_data['sub_id_for_action'] = sub_id
keyboard = [
@@ -1033,12 +1047,21 @@ async def edit_freq_value_received(update: Update, context: CallbackContext):
await update.message.reply_text("请输入一个有效的正整数。")
return EDIT_FREQ_VALUE
unit = context.user_data.get('new_freq_unit')
sub_id = int(context.user_data.get('sub_id_for_action'))
try:
sub_id = int(context.user_data.get('sub_id_for_action'))
except (ValueError, TypeError):
await update.message.reply_text("错误:会话已过期,请重试。")
return ConversationHandler.END
with get_db_connection() as conn:
cursor = conn.cursor()
cursor.execute("UPDATE subscriptions SET frequency_unit = ?, frequency_value = ? WHERE id = ? AND user_id = ?",
(unit, value, sub_id, user_id))
if cursor.rowcount == 0:
await update.message.reply_text("错误:找不到该订阅或无权限。")
return ConversationHandler.END
conn.commit()
await update.message.reply_text("✅ 周期已更新!")
context.user_data.clear()
await show_subscription_view(update, context, sub_id)
@@ -1122,6 +1145,10 @@ async def edit_new_value_received(update: Update, context: CallbackContext):
cursor = conn.cursor()
cursor.execute(f"UPDATE subscriptions SET {db_field} = ? WHERE id = ? AND user_id = ?",
(new_value, sub_id, user_id))
if cursor.rowcount == 0:
if message_to_reply:
await message_to_reply.reply_text("错误:找不到该订阅或无权限。")
return ConversationHandler.END
conn.commit()
if query:
@@ -1167,10 +1194,20 @@ async def remind_settings_start(update: Update, context: CallbackContext):
query = update.callback_query
await query.answer()
sub_id_str = query.data.partition('_')[2]
user_id = query.from_user.id
if not sub_id_str.isdigit():
await query.edit_message_text("错误无效的订阅ID。")
return ConversationHandler.END
sub_id = int(sub_id_str)
with get_db_connection() as conn:
cursor = conn.cursor()
cursor.execute("SELECT 1 FROM subscriptions WHERE id = ? AND user_id = ?", (sub_id, user_id))
if not cursor.fetchone():
await query.edit_message_text("错误:找不到该订阅或无权限。")
return ConversationHandler.END
logger.debug(f"Starting reminder settings for sub_id: {sub_id}")
context.user_data['sub_id_for_action'] = sub_id
await _display_reminder_settings(query, context, sub_id)
@@ -1214,6 +1251,9 @@ async def remind_action_handler(update: Update, context: CallbackContext):
"WHERE id = ? AND user_id = ?",
(sub_id, user_id)
)
if cursor.rowcount == 0:
await query.edit_message_text("错误:找不到该订阅或无权限。")
return ConversationHandler.END
conn.commit()
await _display_reminder_settings(query, context, sub_id)
return REMIND_SELECT_ACTION
@@ -1232,6 +1272,9 @@ async def remind_days_received(update: Update, context: CallbackContext):
with get_db_connection() as conn:
cursor = conn.cursor()
cursor.execute("UPDATE subscriptions SET reminder_days = ? WHERE id = ? AND user_id = ?", (days, sub_id, user_id))
if cursor.rowcount == 0:
await update.message.reply_text("错误:找不到该订阅或无权限。")
return ConversationHandler.END
conn.commit()
await update.message.reply_text(f"✅ 提前提醒天数已设置为: {days}天。")
context.user_data.clear()