From 3495ab5b0ff3bc9150f0592dd7b27f813d8b921b Mon Sep 17 00:00:00 2001
From: anten-ka
Date: Fri, 10 Apr 2026 11:41:23 +0300
Subject: [PATCH] =?UTF-8?q?v2.4.0=20=E2=80=94=20internationalization=20(EN?=
 =?UTF-8?q?/RU)=20+=20custom=20git=20templates?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- i18n engine (lib/i18n.sh, lib/lang/en.sh, lib/lang/ru.sh)
- first-run language picker, persisted to .language + config.json
- install.sh, common.sh, backup.sh, templates_catalog.sh wired through t()/tf()
- backup.sh preserves .language marker and records language in metadata.json
- custom git template feature (first item in pro template picker)
  * validates HTTPS URLs, rejects shell metachars
  * 100MB size guard, 90s clone timeout
  * auto-detects index.html in dist/public/build/_site/site/docs/out/www
- bot v2.4.0: i18n.py + lang/{en,ru}.json, /lang command, language toggle button
- bot: custom git template via text input with waiter gating
---
 gotelegram-bot/bot.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/gotelegram-bot/bot.py b/gotelegram-bot/bot.py
index f22eb9c..89f0683 100644
--- a/gotelegram-bot/bot.py
+++ b/gotelegram-bot/bot.py
@@ -886,11 +886,21 @@ def _validate_custom_git_url(url: str) -> bool:
     if not url or len(url) > 512:
         return False
     # Block shell metacharacters explicitly
-    for bad in (" ", "`", "$", "(", ")", "<", ">", "|", "\\", "\t", "\n", "\r", ";", "&"):
+    for bad in (" ", "`", "$", "(", ")", "<", ">", "|", "\\", "\t", "\n", "\r", ";", "&", "'", '"'):
         if bad in url:
             return False
     if not url.lower().startswith("https://"):
         return False
+    # Reject embedded userinfo (https://user:pass@host/...) to prevent credential leakage.
+    # We look at the netloc — anything between https:// and the first '/'.
+    rest = url[len("https://"):]
+    netloc_end = rest.find("/")
+    netloc = rest if netloc_end == -1 else rest[:netloc_end]
+    if "@" in netloc:
+        return False
+    # Hostname sanity: no empty host, no whitespace already blocked above
+    if not netloc or netloc.startswith(":") or netloc.endswith(":"):
+        return False
     return True