Closed JasonKhew96 closed 3 months ago
Based on the Telegram Bot API docs (https://core.telegram.org/bots/api#answerinlinequery):
By default, results may be returned to any user who sends the same query.
An unauthorized user may be able to see the result after an authorized user's search because of the cache.
This bug allows people who are not members of the group to view the group's chat history, causing an information leak.
How it happens: a group member triggers the bot's default list; if is_personal=False at that moment, the list is cached publicly for 300 s, and if a non-member triggers the inline query during that window, they see the default chat-history list, leaking the records.
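The caching behaviour the report describes, as an added example that is not part of the original issue or of the bot's own code: a small model of Telegram's inline-result cache (the cache model is an assumption made for illustration, not Telegram's real implementation) is run once with is_personal=False and once with is_personal=True, alongside the answerInlineQuery body a bot should send when results are derived from group-private data. The field names inline_query_id, results, is_personal and cache_time are real Bot API parameters; the user ids, query text and result rows are constructed sample values.

```python
"""Added example (not from the original issue or the bot): shows why a
non-personal inline answer can be served to a different user from cache,
and the answerInlineQuery body that scopes caching to the requesting user."""

CACHE_TTL_SECONDS = 300  # the 300 s window mentioned in the issue


def build_answer_inline_query(inline_query_id, results, personal=True, cache_time=0):
    """Build an answerInlineQuery request body.

    is_personal=True asks Telegram to cache results only for the user who
    sent the query; cache_time=0 additionally disables server-side caching.
    Both are real Bot API parameters; the defaults chosen here are this
    example's recommendation for group-private data."""
    return {
        "inline_query_id": inline_query_id,
        "results": results,
        "is_personal": personal,
        "cache_time": cache_time,
    }


class InlineResultCache:
    """Minimal cache model (an assumption, not Telegram's implementation):
    a non-personal answer is keyed on the query text alone, so any user who
    sends the same query is served the cached list until it expires; a
    personal answer is keyed on (query, user_id)."""

    def __init__(self):
        self._store = {}

    @staticmethod
    def _key(query, user_id, personal):
        return (query, user_id) if personal else (query, None)

    def put(self, query, user_id, answer, now):
        # cache_time=0 means nothing is stored at all
        if answer["cache_time"] <= 0:
            return
        key = self._key(query, user_id, answer["is_personal"])
        self._store[key] = (answer["results"], now + answer["cache_time"])

    def get(self, query, user_id, now):
        # a lookup can hit the user's own personal entry or a public entry
        for personal in (True, False):
            hit = self._store.get(self._key(query, user_id, personal))
            if hit is not None and now < hit[1]:
                return hit[0]
        return None


def simulate(personal, cache_time=CACHE_TTL_SECONDS, delay=10):
    """Group member (user 1) triggers the default list; a non-member (user 2)
    sends the same query `delay` seconds later. Returns whatever user 2 is
    served from the cache (None means nothing leaked)."""
    cache = InlineResultCache()
    # constructed stand-in for the bot's default chat-history list
    history = [{"type": "article", "id": "1", "title": "group chat line"}]
    answer = build_answer_inline_query("q1", history, personal=personal, cache_time=cache_time)
    cache.put("search", user_id=1, answer=answer, now=0)
    return cache.get("search", user_id=2, now=delay)


if __name__ == "__main__":
    print("is_personal=False, non-member sees:", simulate(False))
    print("is_personal=True,  non-member sees:", simulate(True))
    print("cache_time=0,      non-member sees:", simulate(False, cache_time=0))
```

Running it shows the leak only in the first case: with is_personal=False the non-member is served the member's list from the shared entry, while is_personal=True (or cache_time=0) leaves nothing for a second user to hit. Setting is_personal=True is the right fix for a bot whose results depend on who is asking; cache_time=0 is a belt-and-braces option when the results change frequently.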