From 65b58d613c50af3fb8cfeee6866f4571b5e38209 Mon Sep 17 00:00:00 2001 From: eric Date: Tue, 31 Mar 2026 13:05:02 -0500 Subject: [PATCH] 's' --- app/routers/chatbot.py | 37 ++++++++++++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 3 deletions(-) diff --git a/app/routers/chatbot.py b/app/routers/chatbot.py index b0d4e20..0e8a57c 100644 --- a/app/routers/chatbot.py +++ b/app/routers/chatbot.py @@ -75,9 +75,15 @@ def aes_decrypt_base64(cipher_b64: str, encoding_aes_key: str) -> str: cipher = AES.new(aes_key, AES.MODE_CBC, iv) decrypted = pkcs5_unpadding(cipher.decrypt(cipher_bytes)) try: + if len(decrypted) < 20: + raise ValueError("payload too short") content = decrypted[16:] msg_len = struct.unpack("!I", content[:4])[0] - msg = content[4 : 4 + msg_len] + msg_start = 4 + msg_end = msg_start + msg_len + if msg_end > len(content): + raise ValueError("msg length out of range") + msg = content[msg_start:msg_end] text = msg.decode("utf-8") if text: return text @@ -434,8 +440,8 @@ async def _handle_wechat_request(request: Request, app_id: Optional[str], backgr response_app_id = str(data.get("ChannelId", "") or data.get("appid", "")).strip() or APP_ID else: resp_plain = json.dumps({"answer_type": "text", "text_info": {"short_answer": answer_text}}, ensure_ascii=False) - # thirdapi 场景也要携带 app_id 参与加密,否则平台可能判定回包无效 - response_app_id = (app_id or APP_ID).strip() if isinstance(app_id, str) else APP_ID + # 与原始 chatbot 服务保持一致:thirdapi(URL 带 app_id)回包使用纯 AES,不拼 app_id + response_app_id = None if app_id else APP_ID return aes_encrypt_base64(resp_plain, ENCODING_AES_KEY, response_app_id) @@ -555,6 +561,11 @@ def chatbot_private_message_page():

Chatbot 私信调试台

准备就绪
+ + @@ -588,6 +599,16 @@ def chatbot_private_message_page():