From f8f1f634eceef99dc1748762bc748bfbe45266d4 Mon Sep 17 00:00:00 2001
From: Paul Larsen <pn1315@ic.ac.uk>
Date: Sat, 24 Feb 2018 13:03:33 +0000
Subject: [PATCH 1/4] Ensure only valid commands are accepted.

Telegram entities show that `/ test` is not a valid command. However,
PTB accepts this as a valid command due to how the message splitting is
done.

This commit makes sure that any commands are indeed in the format of
`/test`, with no space between `/` and `test`.
---
 AUTHORS.rst                    |  1 +
 telegram/ext/commandhandler.py | 27 ++++++++++++++++-----------
 tests/test_commandhandler.py   |  3 +++
 3 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/AUTHORS.rst b/AUTHORS.rst
index 9282f2b1f78..78d83e76ecc 100644
--- a/AUTHORS.rst
+++ b/AUTHORS.rst
@@ -53,6 +53,7 @@ The following wonderful people contributed directly or indirectly to this projec
 - `Oleg Shlyazhko <https://github.com/ollmer>`_
 - `Oleg Sushchenko <https://github.com/feuillemorte>`_
 - `overquota <https://github.com/overquota>`_
+- `Paul Larsen <https://github.com/PaulSonOfLars>`_
 - `Patrick Hofmann <https://github.com/PH89>`_
 - `Pieter Schutz <https://github.com/eldinnie>`_
 - `Rahiel Kasim <https://github.com/rahiel>`_
diff --git a/telegram/ext/commandhandler.py b/telegram/ext/commandhandler.py
index 2f681cf99d7..532eeeeea2c 100644
--- a/telegram/ext/commandhandler.py
+++ b/telegram/ext/commandhandler.py
@@ -134,19 +134,24 @@ def check_update(self, update):
             message = update.message or update.edited_message
 
             if message.text and message.text.startswith('/') and len(message.text) > 1:
-                command = message.text[1:].split(None, 1)[0].split('@')
-                command.append(
-                    message.bot.username)  # in case the command was send without a username
-
-                if self.filters is None:
-                    res = True
-                elif isinstance(self.filters, list):
-                    res = any(func(message) for func in self.filters)
+                fst_word = message.text.split(None, 1)[0]
+                if len(fst_word) > 1 and fst_word.startswith('/'):
+                    command = fst_word[1:].split('@')
+                    command.append(
+                        message.bot.username)  # in case the command was sent without a username
+
+                    if self.filters is None:
+                        res = True
+                    elif isinstance(self.filters, list):
+                        res = any(func(message) for func in self.filters)
+                    else:
+                        res = self.filters(message)
+
+                    return res and (command[0].lower() in self.command
+                                    and command[1].lower() == message.bot.username.lower())
                 else:
-                    res = self.filters(message)
+                    return False
 
-                return res and (command[0].lower() in self.command
-                                and command[1].lower() == message.bot.username.lower())
             else:
                 return False
 
diff --git a/tests/test_commandhandler.py b/tests/test_commandhandler.py
index 8b41acc26f4..a8140cb6b20 100644
--- a/tests/test_commandhandler.py
+++ b/tests/test_commandhandler.py
@@ -190,6 +190,9 @@ def test_single_slash(self, dp, message):
         message.text = '/'
         assert not handler.check_update(Update(0, message))
 
+        message.text = '/ test'
+        assert not handler.check_update(Update(0, message))
+
     def test_pass_user_or_chat_data(self, dp, message):
         handler = CommandHandler('test', self.callback_data_1, pass_user_data=True)
         dp.add_handler(handler)

From 086754f4dc07d1d723fc46cb9f34ff4434ed984a Mon Sep 17 00:00:00 2001
From: Paul Larsen <pn1315@ic.ac.uk>
Date: Sat, 24 Feb 2018 13:29:17 +0000
Subject: [PATCH 2/4] commands wrapped in code should not be considered
 commands

---
 telegram/ext/commandhandler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/telegram/ext/commandhandler.py b/telegram/ext/commandhandler.py
index 532eeeeea2c..76dc83e7275 100644
--- a/telegram/ext/commandhandler.py
+++ b/telegram/ext/commandhandler.py
@@ -134,7 +134,7 @@ def check_update(self, update):
             message = update.message or update.edited_message
 
             if message.text and message.text.startswith('/') and len(message.text) > 1:
-                fst_word = message.text.split(None, 1)[0]
+                fst_word = message.text_markdown.split(None, 1)[0]
                 if len(fst_word) > 1 and fst_word.startswith('/'):
                     command = fst_word[1:].split('@')
                     command.append(

From 5a93ce8e3a3b747b9130147c14f3bc61faa93694 Mon Sep 17 00:00:00 2001
From: Noam Meltzer <tsnoam@gmail.com>
Date: Sun, 25 Feb 2018 18:34:15 +0200
Subject: [PATCH 3/4] small fixes for the PR

---
 AUTHORS.rst                    | 2 +-
 telegram/ext/commandhandler.py | 8 +-------
 2 files changed, 2 insertions(+), 8 deletions(-)

diff --git a/AUTHORS.rst b/AUTHORS.rst
index 78d83e76ecc..2c30ad999b3 100644
--- a/AUTHORS.rst
+++ b/AUTHORS.rst
@@ -53,8 +53,8 @@ The following wonderful people contributed directly or indirectly to this projec
 - `Oleg Shlyazhko <https://github.com/ollmer>`_
 - `Oleg Sushchenko <https://github.com/feuillemorte>`_
 - `overquota <https://github.com/overquota>`_
-- `Paul Larsen <https://github.com/PaulSonOfLars>`_
 - `Patrick Hofmann <https://github.com/PH89>`_
+- `Paul Larsen <https://github.com/PaulSonOfLars>`_
 - `Pieter Schutz <https://github.com/eldinnie>`_
 - `Rahiel Kasim <https://github.com/rahiel>`_
 - `Sascha <https://github.com/saschalalala>`_
diff --git a/telegram/ext/commandhandler.py b/telegram/ext/commandhandler.py
index 76dc83e7275..d9f67c77456 100644
--- a/telegram/ext/commandhandler.py
+++ b/telegram/ext/commandhandler.py
@@ -149,14 +149,8 @@ def check_update(self, update):
 
                     return res and (command[0].lower() in self.command
                                     and command[1].lower() == message.bot.username.lower())
-                else:
-                    return False
 
-            else:
-                return False
-
-        else:
-            return False
+        return False
 
     def handle_update(self, update, dispatcher):
         """Send the update to the :attr:`callback`.

From ede82995012cdc5b7e34088ab6b2e383eced86bd Mon Sep 17 00:00:00 2001
From: Unknown <pieter.schutz@gmail.com>
Date: Mon, 26 Feb 2018 00:21:00 +0100
Subject: [PATCH 4/4] Change to text_html

---
 telegram/ext/commandhandler.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/telegram/ext/commandhandler.py b/telegram/ext/commandhandler.py
index d9f67c77456..3fffa557fdf 100644
--- a/telegram/ext/commandhandler.py
+++ b/telegram/ext/commandhandler.py
@@ -134,9 +134,9 @@ def check_update(self, update):
             message = update.message or update.edited_message
 
             if message.text and message.text.startswith('/') and len(message.text) > 1:
-                fst_word = message.text_markdown.split(None, 1)[0]
-                if len(fst_word) > 1 and fst_word.startswith('/'):
-                    command = fst_word[1:].split('@')
+                first_word = message.text_html.split(None, 1)[0]
+                if len(first_word) > 1 and first_word.startswith('/'):
+                    command = first_word[1:].split('@')
                     command.append(
                         message.bot.username)  # in case the command was sent without a username
 

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/python-telegram-bot/python-telegram-bot/pull/1020.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/python-telegram-bot/python-telegram-bot/pull/1020.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/python-telegram-bot/python-telegram-bot/pull/1020.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/python-telegram-bot/python-telegram-bot/pull/1020.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>