Impact
The `botcore.utils.regex.DISCORD_INVITE` function was designed to capture all alphanumeric characters after the slash in a Discord invite, but on some platforms, Discord renders or links different communities based on the content after a second slash. For instance, `https://discord.gg/python/new_community` could link to `new_community` on some platforms. The utility would only see the `python` portion.
This advisory only affects users of the function above.
Patches
This has been fixed by 47936d5 in v7.0.0. Upgrading to the latest version is the recommended fix.
When upgrading, please pay attention to the following change:
Breaking: the Discord invite regex no longer returns a URL-safe result; refer to the documentation for handling it safely.
Workarounds
To avoid this bug without upgrading the library version, you can use the following patched version directly in your code:
```python
import re

DISCORD_INVITE = re.compile(
    r"(discord([.,]|dot)gg|"                      # Could be discord.gg/
    r"discord([.,]|dot)com(/|slash)invite|"       # or discord.com/invite/
    r"discordapp([.,]|dot)com(/|slash)invite|"    # or discordapp.com/invite/
    r"discord([.,]|dot)me|"                       # or discord.me
    r"discord([.,]|dot)li|"                       # or discord.li
    r"discord([.,]|dot)io|"                       # or discord.io.
    r"((?<!\w)([.,]|dot))gg"                      # or .gg/
    r")([/]|slash)"                               # / or 'slash'
    r"(?P<invite>\S+)",                           # the invite code itself
    flags=re.IGNORECASE,
)
```
For more information
If you have any questions or comments about this advisory:
Credits
Thanks to @onerandomusername for reporting this vulnerability.
And thanks to @GDWR for providing a fix.