From 989b605ca7885e7051a71300686e99da31d96c37 Mon Sep 17 00:00:00 2001 From: Yannik Schmidt Date: Mon, 10 Apr 2023 10:14:55 +0200 Subject: [PATCH] change: require userfile for any request - prevent accidental or malicious sending to users that are not explicitly added --- interface.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/interface.py b/interface.py index ba77db6..a329cc0 100755 --- a/interface.py +++ b/interface.py @@ -29,9 +29,15 @@ def login_required(f): return decorated_function def signalSend(user, msg): + + if user not in dbReadSignalUserFile(): + print("{} not in Userfiler, refusing to send".format(user), file=sys.stderr) + return + signalCliBin = "signal-cli" if app.config["SIGNAL_CLI_BIN"]: signalCliBin = app.config["SIGNAL_CLI_BIN"] + cmd = [signalCliBin, "send", "-m", msg, user] subprocess.Popen(cmd)