Removed eval from CCs arguments, laxer checks

Previous checks were preventing attributes containing underscores from being used

cogs/customcom.py

@@ -2,7 +2,6 @@ import discord
 from discord.ext import commands
 from .utils.dataIO import fileIO
 from .utils import checks
-from string import ascii_letters
 from __main__ import user_allowed, send_cmd_help
 import os
 import re
@@ -143,27 +142,24 @@ class CustomCommands:
 
     def transform_parameter(self, result, message):
         """
-        This should be bomb proof. I eval only the base object, and only
+        For security reasons only specific objects are allowed
-        if it's present in the allowed list. Only one depth level is allowed.
+        Internals are ignored
-        Only letters and dots are allowed.
         """
         raw_result = "{" + result + "}"
-        author = message.author
+        objects = {
-        channel = message.channel
+            "message" : message,
-        server = author.server
+            "author"  : message.author,
-        valid_chars = ascii_letters + "."
+            "channel" : message.channel,
-        allowed = ("message", "author", "server", "channel")
+            "server"  : message.server
-        for char in result:
+        }
-            if char not in valid_chars:
+        if result in objects:
-                return raw_result
+            return str(objects[result])
-        if result in allowed:
-            return str(eval(result))
         try:
             first, second = result.split(".")
         except ValueError:
             return raw_result
-        if first in allowed:
+        if first in objects and not second.startswith("_"):
-            first = eval(first)
+            first = objects[first]
         else:
             return raw_result
         return str(getattr(first, second, raw_result))