fix: answer_inline_query cached response to unauthorized user

Taosky / telegram-search-bot

A telegram group record search bot that solves the problem of direct search inability in languages such as CJK / Telegram 群聊天记录搜索Bot，解决CJK等语言无法直接搜索问题

MIT License

375 stars 49 forks source link

Closed JasonKhew96 closed 3 months ago

JasonKhew96 commented 3 months ago

By default, results may be returned to any user who sends the same query.

unauthorized user may able to see the result after an authorized user search because of cache.

BraveSail commented 3 months ago

這bug會導致非本群成員查看到本群的聊天記錄從而造成信息泄露

原理：本群成員觸發了bot的默認list，這時候如果is_personal=False那麽這個list會公開的緩存300s，此時非本群成員如果觸發inline，會查看到默認的聊天記錄list，導致記錄泄露。