Unintended app2 debug handler forwarded narrowly filtered text messages to a local Ollama endpoint

Low
TheHamkerCat published GHSA-mgjp-5qh9-68rc Feb 15, 2026

Package

No package listed

Affected versions

> c795cc1c018c097f213ab4e777f552ecffd00749

Patched versions

>= 14a188d5b51c8115130a1c76ed20954acef00553

Description

Summary

A test handler which I created to test Ollama (asd_temp) was accidentally committed in wbb/modules/userbot.py (introduced in c795cc1).

The handler is bound to app2 (the userbot client), not app (the bot client), and was never intended for production use.

A deployment was affected only if it:

  • ran vulnerable code (c795cc1 up to, but not including, 14a188d)
  • had app2 enabled and this module loaded
  • received messages matching the exact handler filters below

What messages were processed

This handler was hard-scoped to a very narrow, private chat context, not global traffic.

It executed only when all of these conditions matched:

  • Message type was text (filters.text).
  • Chat matched filters.chat([-1002139890459, "thehamkercat"]), i.e.:
      • the specific numeric chat ID -1002139890459, or
      • the chat target @TheHamkerCat (my long-standing Telegram username, used for years before this code existed).
  • Sender username was not thehamkercat and not jojiiofficial (explicit early-return exclusion in code).

So:

  • It only ran for text messages in the specified chat targets.
  • It could only run where app2 could actually receive messages in those exact chat targets.
  • In this case, those targets were my own private/account-specific chat context, so only my deployment could realistically trigger this path; other deployments were not in that private chat context, so they could not possibly have crossed this code path.

Data flow (exact behavior)

The handler:

  • took message.text
  • appended it to a shared in-memory HISTORY list
  • sent HISTORY to http://localhost:1234/v1/chat/completions (Ollama endpoint)
  • read the response text, appended it back into HISTORY
  • replied in chat with that response (after a delay)

This endpoint is a host-local Ollama/OpenAI-compatible API endpoint (localhost), a service running on that same self-hosted machine/container namespace.
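The root cause here is a handler registered on the userbot client (app2) reaching a process-local HTTP endpoint, which slipped through review because it looked like any other module code. The following is an added example, not code from the advisory or from the wbb repository: a small static audit, written against Python's ast module, that walks a Pyrogram-style module, lists every handler decorated with @app2.on_* (the userbot client), and flags any string literal inside such a handler that points at a loopback HTTP endpoint. The SAMPLE_SOURCE string is constructed for this example; it mirrors the shape the advisory describes (app2-bound, filtered to the chat targets above, POST to localhost:1234) but is not the actual committed code, and the httpx call in it is an assumption about the HTTP client. A check like this can run as a pre-commit hook so an accidental app2 handler is caught before it lands.

```python
"""Audit a Pyrogram-style module for handlers bound to the userbot client
(app2) and for loopback HTTP endpoints referenced inside those handlers.

Added example for this advisory; not the project's own code."""
import ast
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Constructed sample module. It mimics the shape of the handler the advisory
# describes (app2-bound, narrow chat filter, shared HISTORY, POST to localhost);
# it is NOT the code that was actually committed. httpx is an assumed client.
SAMPLE_SOURCE = '''
from wbb import app, app2
from pyrogram import filters
import httpx

HISTORY = []

@app.on_message(filters.command("ping"))
async def ping(_, message):
    await message.reply_text("pong")

@app2.on_message(filters.text & filters.chat([-1002139890459, "thehamkercat"]))
async def asd_temp(_, message):
    if message.from_user.username in ("thehamkercat", "jojiiofficial"):
        return
    HISTORY.append({"role": "user", "content": message.text})
    r = httpx.post("http://localhost:1234/v1/chat/completions", json={"messages": HISTORY})
    reply = r.json()["choices"][0]["message"]["content"]
    HISTORY.append({"role": "assistant", "content": reply})
    await message.reply_text(reply)
'''

# The same module with the accidental handler removed, as the fix did.
PATCHED_SOURCE = '''
from wbb import app, app2
from pyrogram import filters

@app.on_message(filters.command("ping"))
async def ping(_, message):
    await message.reply_text("pong")
'''

LOOPBACK_PREFIXES = ("http://localhost", "http://127.", "http://0.0.0.0", "http://[::1]")


@dataclass
class HandlerFinding:
    name: str          # handler function name
    client: str        # client object the decorator was called on, e.g. "app2"
    lineno: int        # line of the def in the audited source
    local_urls: List[str] = field(default_factory=list)


def _decorator_client(dec: ast.expr) -> Optional[str]:
    """Return the client name for a decorator of the form @<client>.on_<event>(...)."""
    target = dec.func if isinstance(dec, ast.Call) else dec
    if (isinstance(target, ast.Attribute) and target.attr.startswith("on_")
            and isinstance(target.value, ast.Name)):
        return target.value.id
    return None


def _loopback_urls(node: ast.AST) -> List[str]:
    """Collect string literals under `node` that name a loopback HTTP endpoint."""
    return [
        sub.value for sub in ast.walk(node)
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str)
        and sub.value.startswith(LOOPBACK_PREFIXES)
    ]


def audit_module(source: str, userbot_clients: Sequence[str] = ("app2",)) -> List[HandlerFinding]:
    """Return one finding per handler registered on a userbot client."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            client = _decorator_client(dec)
            if client in userbot_clients:
                findings.append(HandlerFinding(node.name, client, node.lineno,
                                               _loopback_urls(node)))
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", SAMPLE_SOURCE), ("patched", PATCHED_SOURCE)):
        found = audit_module(src)
        print(f"{label}: {len(found)} userbot handler(s)")
        for f in found:
            print(f"  {f.client}.{f.name} (line {f.lineno}) loopback URLs: {f.local_urls}")
```

Run as a script, the vulnerable sample reports the single app2 handler with its localhost URL and the patched sample reports nothing. Matching on the decorator's client object rather than on the function name keeps the check useful for any future handler, not just one named asd_temp.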

Fix

This issue was introduced in c795cc1 and fixed in 14a188d by:

  • removing the accidental asd_temp handler from wbb/modules/userbot.py

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs

Credits