topkecleon / telegram-bot-bash

Telegram bot written in bash

Bot token may be exposed in BASHBOT.log up to v1.40 #174

Closed gnadelwartz closed 3 years ago

gnadelwartz commented 3 years ago

Bot token may be exposed in BASHBOT.log

Issue: Due to a design decision taken in pre-0.8 times, get_file() doesn't download a file anymore but returns a download URL containing the full API call incl. bot token. This is not a problem as long as the URL is only used to download the file and not exposed.

Unfortunately logging was extended in the V1.2x release to also log file URLs, therefore the bot token is visible in logs/BASHBOT.log if the bot receives a file, e.g. in a private chat.

Solution:

Logging is changed in Version 1.40 to obfuscate the token. In addition, the internal API will be changed in the next release to no longer return the full API call from get_file().

Keep your old logfiles in a safe place or delete them.
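The following is an added example, not bashbot's own code, showing the two defensive pieces the issue above calls for: a redaction filter that strips the bot token from a Telegram API or file URL before the line is written to a log, and a scan that counts how many lines of an existing log still carry a token. It assumes the token has the usual `<digits>:<letters/digits/_/->` shape and sits directly after `bot` in an `api.telegram.org` URL; the log path, function names and the sample token are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of bashbot): keep a Telegram bot token out of log
# files, and find it in logs that were written before redaction existed.
# Assumption: the token is "<digits>:<alnum/_/->" and follows "bot" in an
# api.telegram.org URL, as in https://api.telegram.org/file/bot<TOKEN>/path.

TOKEN_RE='[0-9]+:[A-Za-z0-9_-]+'

# redact_token: print the given text with every ".../bot<TOKEN>" occurrence
# replaced by ".../bot<REDACTED>". Works on whole log lines, not only bare URLs.
redact_token() {
    printf '%s\n' "$*" | sed -E "s#(api\\.telegram\\.org/(file/)?bot)${TOKEN_RE}#\\1<REDACTED>#g"
}

# log_line: the defensive form of a logging call. Every message passes through
# redact_token before being appended to the log file named in $1, so a file
# download URL returned by a get_file()-style helper can never leak the token.
log_line() {
    local logfile="$1"; shift
    redact_token "$*" >> "$logfile"
}

# count_leaked_tokens: number of lines in the log file $1 that still contain a
# bot token inside a Telegram URL. 0 means the log is clean; anything else
# means the file should be treated as a credential leak (rotate the token,
# then delete or redact the file).
count_leaked_tokens() {
    grep -Ec "api\\.telegram\\.org/(file/)?bot${TOKEN_RE}" "$1" || true
}

# demo: reproduce the pre-1.40 situation with a constructed, non-functional
# token, then show the redacted form a hardened logger would write.
demo() {
    local tmp; tmp="$(mktemp)"
    # constructed sample of an unredacted log line
    printf '%s\n' "get_file: https://api.telegram.org/file/bot123456789:AAExampleTokenValue-xyz/documents/file_1.pdf" > "$tmp"
    echo "lines with a leaked token in the old log: $(count_leaked_tokens "$tmp")"
    log_line "$tmp" "get_file: https://api.telegram.org/file/bot123456789:AAExampleTokenValue-xyz/documents/file_2.pdf"
    echo "log after one redacted write:"
    cat "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `bash redact.sh demo` to see one leaked line followed by one redacted line. The regex is deliberately anchored on `api.telegram.org/...bot` rather than on any `digits:letters` pair, so ordinary chat text is left untouched; widen it only if the bot logs the token in other shapes.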

gnadelwartz commented 3 years ago

change get_file()

gnadelwartz commented 3 years ago

done