修复漏洞
							parent
							
								
									8da26ca463
								
							
						
					
					
						commit
						3434282bbb
					
			@ -8,7 +8,6 @@ require_once APP_ROOT . '/config/config.guest.php';
 | 
			
		|||
// 验证登录
 | 
			
		||||
header("Content-Type: text/html;charset=utf-8");
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
// 退出
 | 
			
		||||
if (isset($_GET['login'])) {
 | 
			
		||||
    if ($_GET['login'] = 'logout') {
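Review bot: The condition on the last line of the hunk, `if ($_GET['login'] = 'logout')`, is an assignment rather than a comparison, so it is always true and the branch under `// 退出` runs for any value of the `login` parameter. The commit tightens `==` to `===` in the other files but leaves this one as is. Change it to `if ($_GET['login'] === 'logout') {`. The body of that block continues outside the hunk, so what the branch does beyond the comment cannot be confirmed here.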
 | 
			
		||||
			@ -54,7 +54,23 @@ $handle = new Upload($_FILES['image'], 'zh_CN');
 | 
			
		|||
 | 
			
		||||
if ($handle->uploaded) {
 | 
			
		||||
    // 允许上传的mime类型
 | 
			
		||||
    $handle->allowed = array('image/*');
 | 
			
		||||
    if ($config['allowed'] === 1) {
 | 
			
		||||
        $handle->allowed = array('image/*');
 | 
			
		||||
    }
 | 
			
		||||
    // svg格式过滤
 | 
			
		||||
    if ($handle->file_src_name_ext === 'svg') {
 | 
			
		||||
        $svg = file_get_contents($handle->file_src_pathname);
 | 
			
		||||
        if (preg_match('/<script[\s\S]*?<\/script>/', $svg)) {
 | 
			
		||||
            exit(json_encode(
 | 
			
		||||
                array(
 | 
			
		||||
                    "result"  => "failed",
 | 
			
		||||
                    "code"    => 205,
 | 
			
		||||
                    "message" => "请勿上传非法文件",
 | 
			
		||||
                )
 | 
			
		||||
            ));
 | 
			
		||||
        }
 | 
			
		||||
    }
 | 
			
		||||
    
 | 
			
		||||
    // 文件命名
 | 
			
		||||
    $handle->file_new_name_body = imgName($handle->file_src_name_body);
 | 
			
		||||
    // 添加Token ID
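Review bot: The SVG gate added at `preg_match('/<script[\s\S]*?<\/script>/', $svg)` is a case-sensitive denylist for a single element, so it does not cover the other ways an SVG document can carry executable content (event-handler attributes, for instance), yet it is the only check between an uploaded `.svg` and storage. A regex cannot reliably make SVG inert; the robust fix is to reject `svg` unless an explicit config switch enables it, or to serve stored SVG with `Content-Disposition: attachment` and a restrictive `Content-Security-Policy` so it never executes in the site's origin, and at the very least add the `i` modifier to the pattern. `file_get_contents($handle->file_src_pathname)` is also unchecked: on `false` the regex runs against an empty string and the file is accepted, so the branch should fail closed when the read fails. The same block is added in the `@ -59,6 +59,19 @@` hunk of the second upload file and needs the same treatment; the enclosing `if ($handle->uploaded)` block continues past both hunks.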
 | 
			
		||||
			@ -119,7 +119,7 @@ function _login($user = null, $password = null)
 | 
			
		|||
    global $guestConfig;
 | 
			
		||||
 | 
			
		||||
    // cookie验证
 | 
			
		||||
    if ($user == null and $password == null) {
 | 
			
		||||
    if ($user === null and $password === null) {
 | 
			
		||||
        // 无cookie
 | 
			
		||||
        if (empty($_COOKIE['auth'])) {
 | 
			
		||||
            return json_encode(array('code' => 400, 'level' => 0, 'messege' => '请登录'));
 | 
			
		||||
			@ -132,9 +132,9 @@ function _login($user = null, $password = null)
 | 
			
		|||
            // 判断账号是否存在
 | 
			
		||||
            if ($browser_cookie[0] !== $config['user'] && !array_key_exists($browser_cookie[0], $guestConfig)) return json_encode(array('code' => 400, 'level' => 0, 'messege' => '账号不存在'));
 | 
			
		||||
            // 判断是否管理员
 | 
			
		||||
            if ($browser_cookie[0] == $config['user'] && $browser_cookie[1] == $config['password']) return json_encode(array('code' => 200, 'level' => 1, 'messege' => '尊敬的管理员'));
 | 
			
		||||
            if ($browser_cookie[0] === $config['user'] && $browser_cookie[1] === $config['password']) return json_encode(array('code' => 200, 'level' => 1, 'messege' => '尊敬的管理员'));
 | 
			
		||||
            // 判断是否上传者
 | 
			
		||||
            if (array_key_exists($browser_cookie[0], $guestConfig) && $browser_cookie[1] == $guestConfig[$browser_cookie[0]]['password']) {
 | 
			
		||||
            if (array_key_exists($browser_cookie[0], $guestConfig) && $browser_cookie[1] === $guestConfig[$browser_cookie[0]]['password']) {
 | 
			
		||||
                // 判断上车者是否过期
 | 
			
		||||
                if ($guestConfig[$browser_cookie[0]]['expired'] < time()) {
 | 
			
		||||
                    // 上传者账户密码正确,但是账户过期
 | 
			
		||||
			@ -143,7 +143,7 @@ function _login($user = null, $password = null)
 | 
			
		|||
                return json_encode(array('code' => 200, 'level' => 2, 'messege' => $browser_cookie[0] . '用户已登录'));
 | 
			
		||||
            }
 | 
			
		||||
            // 账号存在,密码错误
 | 
			
		||||
            if ($browser_cookie[0] == $config['user'] || array_key_exists($browser_cookie[0], $guestConfig)) return json_encode(array('code' => 400, 'level' => 0, 'messege' => '密码错误'));
 | 
			
		||||
            if ($browser_cookie[0] === $config['user'] || array_key_exists($browser_cookie[0], $guestConfig)) return json_encode(array('code' => 400, 'level' => 0, 'messege' => '密码错误'));
 | 
			
		||||
        }
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
			@ -151,25 +151,25 @@ function _login($user = null, $password = null)
 | 
			
		|||
    $user = strip_tags($user);
 | 
			
		||||
    $password = strip_tags($password);
 | 
			
		||||
    // 是否管理员
 | 
			
		||||
    if ($user == $config['user'] && $password == $config['password']) {
 | 
			
		||||
    if ($user === $config['user'] && $password === $config['password']) {
 | 
			
		||||
        // 将账号密码序列化后存储
 | 
			
		||||
        $browser_cookie = serialize(array($user, $password));
 | 
			
		||||
        setcookie('auth', $browser_cookie, time() + 3600 * 24 * 14, '/');
 | 
			
		||||
        return json_encode(array('code' => 200, 'level' => 1, 'messege' => '管理员登录成功'));
 | 
			
		||||
    }
 | 
			
		||||
    // 是否上传者
 | 
			
		||||
    if (array_key_exists($user, $guestConfig) && $password == $guestConfig[$user]['password']) {
 | 
			
		||||
    if (array_key_exists($user, $guestConfig) && $password === $guestConfig[$user]['password']) {
 | 
			
		||||
        // 上传者账号过期
 | 
			
		||||
        if ($guestConfig[$user]['expired'] < time()) return json_encode(array('code' => 400, 'level' => 0, 'messege' => $user . '账号已过期'));
 | 
			
		||||
        // 未过期设置cookie
 | 
			
		||||
        $browser_cookie = serialize(array($user, $password));
 | 
			
		||||
        $browser_cookie === serialize(array($user, $password));
 | 
			
		||||
        setcookie('auth', $browser_cookie, time() + 3600 * 24 * 14, '/');
 | 
			
		||||
        return json_encode(array('code' => 200, 'level' => 2, 'messege' => $user . '用户登录成功'));
 | 
			
		||||
    }
 | 
			
		||||
    // 检查账号是否存在
 | 
			
		||||
    if (array_key_exists($user, $guestConfig) || $user == $config['user']) {
 | 
			
		||||
    if (array_key_exists($user, $guestConfig) || $user === $config['user']) {
 | 
			
		||||
        // 账号存在,密码错误
 | 
			
		||||
        if ($user == $config['user'] || array_key_exists($user, $guestConfig)) return json_encode(array('code' => 400, 'level' => 0, 'messege' => '密码错误'));
 | 
			
		||||
        if ($user === $config['user'] || array_key_exists($user, $guestConfig)) return json_encode(array('code' => 400, 'level' => 0, 'messege' => '密码错误'));
 | 
			
		||||
    } else {
 | 
			
		||||
        return json_encode(array('code' => 400, 'level' => 0, 'messege' => '账号不存在'));
 | 
			
		||||
    }
 | 
			
		||||
			@ -207,12 +207,12 @@ function checkLogin()
 | 
			
		|||
        }
 | 
			
		||||
 | 
			
		||||
        // 管理员登陆
 | 
			
		||||
        if ($getCOK[0] == $config['user'] && $getCOK[1] == $config['password']) {
 | 
			
		||||
        if ($getCOK[0] === $config['user'] && $getCOK[1] === $config['password']) {
 | 
			
		||||
            return 204;
 | 
			
		||||
        }
 | 
			
		||||
 | 
			
		||||
        // 上传者账号登陆
 | 
			
		||||
        if ($getCOK[1] == $guestConfig[$getCOK[0]]['password']) {
 | 
			
		||||
        if ($getCOK[1] === $guestConfig[$getCOK[0]]['password']) {
 | 
			
		||||
            if ($guestConfig[$getCOK[0]]['expired'] < time()) {
 | 
			
		||||
                // 上传者账号过期
 | 
			
		||||
                return 206;
 | 
			
		||||
			@ -232,7 +232,7 @@ function mustLogin()
 | 
			
		|||
        $status = _login();
 | 
			
		||||
        $status = json_decode($status, true);
 | 
			
		||||
 | 
			
		||||
        if ($status['code'] == 200) {
 | 
			
		||||
        if ($status['code'] === 200) {
 | 
			
		||||
            echo '
 | 
			
		||||
            <script> 
 | 
			
		||||
                new $.zui.Messager("' . $status["messege"] . '", {
 | 
			
		||||
			@ -243,7 +243,7 @@ function mustLogin()
 | 
			
		|||
            </script>';
 | 
			
		||||
        }
 | 
			
		||||
 | 
			
		||||
        if ($status['code'] == 400) {
 | 
			
		||||
        if ($status['code'] === 400) {
 | 
			
		||||
            echo '
 | 
			
		||||
            <script>
 | 
			
		||||
                new $.zui.Messager("' . $status["messege"] . '", {
 | 
			
		||||
			@ -625,8 +625,8 @@ function getDel($url, $type)
 | 
			
		|||
        $url = APP_ROOT . $url;
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
    // 文件是否存在
 | 
			
		||||
    if (is_file($url)) {
 | 
			
		||||
    // 文件是否存在 限制删除目录
 | 
			
		||||
    if (is_file($url) && strrpos($url, $config['path'])) {
 | 
			
		||||
        // 执行删除
 | 
			
		||||
        if (@unlink($url)) {
 | 
			
		||||
            echo '
 | 
			
		||||
			@ -673,11 +673,11 @@ function is_who_login($user)
 | 
			
		|||
    // 将状态转码
 | 
			
		||||
    $status = json_decode(_login(), true);
 | 
			
		||||
    // 查询是否登录
 | 
			
		||||
    if ($user == 'status') if ($status['level'] > 0) return true;
 | 
			
		||||
    if ($user === 'status') if ($status['level'] > 0) return true;
 | 
			
		||||
    // 是否管理员登录
 | 
			
		||||
    if ($user == 'admin') if ($status['level'] == 1) return true;
 | 
			
		||||
    if ($user === 'admin') if ($status['level'] == 1) return true;
 | 
			
		||||
    // 是否上传者登录
 | 
			
		||||
    if ($user == 'guest') if ($status['level'] == 2) return true;
 | 
			
		||||
    if ($user === 'guest') if ($status['level'] == 2) return true;
 | 
			
		||||
 | 
			
		||||
    return false;
 | 
			
		||||
}
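Review bot: `$browser_cookie === serialize(array($user, $password));` in the `@ -151,25 +151,25 @@` hunk turned the uploader-path assignment into a comparison whose result is discarded, so `$browser_cookie` is unset when `setcookie('auth', $browser_cookie, ...)` runs two lines later and uploader login no longer sets a usable cookie; the admin branch just above keeps `=` and is the intended form, so restore `$browser_cookie = serialize(array($user, $password));`. In the same function, comparing secrets with `===` (`$password === $config['password']` and the `$guestConfig` equivalent) is better done with `hash_equals($config['password'], $password)` when both sides are strings, and the cookie still carries the credentials themselves; a random session token looked up server-side would remove that exposure entirely. In `getDel`, `is_file($url) && strrpos($url, $config['path'])` only tests that the configured path occurs somewhere in the string, which does not confine deletion to that directory, and a match at offset 0 would be treated as false; resolve `realpath($url)` and require it to start with `realpath(APP_ROOT . $config['path'])`, checking `!== false` on both. `is_who_login` still compares `$status['level'] == 1` and `== 2` loosely while the `$user` checks on the same lines were made strict, so the two should be aligned. `_login`, `checkLogin`, `mustLogin` and `getDel` all continue outside their hunks.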
 | 
			
		||||
			@ -59,6 +59,19 @@ if ($handle->uploaded) {
 | 
			
		|||
    if ($config['allowed'] === 1) {
 | 
			
		||||
        $handle->allowed = array('image/*');
 | 
			
		||||
    }
 | 
			
		||||
    // svg格式过滤
 | 
			
		||||
    if ($handle->file_src_name_ext === 'svg') {
 | 
			
		||||
        $svg = file_get_contents($handle->file_src_pathname);
 | 
			
		||||
        if (preg_match('/<script[\s\S]*?<\/script>/', $svg)) {
 | 
			
		||||
            exit(json_encode(
 | 
			
		||||
                array(
 | 
			
		||||
                    "result"  => "failed",
 | 
			
		||||
                    "code"    => 205,
 | 
			
		||||
                    "message" => "请勿上传非法文件",
 | 
			
		||||
                )
 | 
			
		||||
            ));
 | 
			
		||||
        }
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
    // 文件命名
 | 
			
		||||
    $handle->file_new_name_body = imgName($handle->file_src_name_body);
 | 
			
		||||
			@ -1,4 +1,7 @@
 | 
			
		|||
* 2023-02-25 v2.7.6
 | 
			
		||||
* 2023-03-04 v2.7.6 dev
 | 
			
		||||
- 增加删除文件时限定目录
 | 
			
		||||
- 增强对SVG格式过滤以避免产生xss 致谢:[xulei1112](https://github.com/xulei1112)
 | 
			
		||||
- 修复弱类型验证导致的异常登录 致谢:[xulei1112](https://github.com/xulei1112)
 | 
			
		||||
- 更换加密删除链接算法 - 链接更短
 | 
			
		||||
- 完全兼容 PHP5.6-8.0
 | 
			
		||||
 | 
			
		||||
			@ -1,4 +1,4 @@
 | 
			
		|||
> 推荐环境:Nginx + PHP≥7.0 + linux
 | 
			
		||||
> 推荐环境:Nginx + PHP≥7.0 + Linux
 | 
			
		||||
 | 
			
		||||
#### windows:
 | 
			
		||||
- 下载简单图床 [最新版](https://github.com/icret/EasyImages2.0/archive/refs/heads/master.zip)|[稳定版](https://github.com/icret/EasyImages2.0/releases) 上传至web根目录
 | 
			
		||||
			@ -14,6 +14,5 @@ chown -R www:www /安装目录
 | 
			
		|||
```
 | 
			
		||||
 | 
			
		||||
#### BT宝塔面板
 | 
			
		||||
- 1. 软件商店 $\Rightarrow$ 一键部署 $\Rightarrow$ 搜索`简单图床`一键部署稳定版
 | 
			
		||||
- 1. 软件商店 → 一键部署 → 搜索`简单图床`一键部署稳定版
 | 
			
		||||
- 2. 使用上边的`Linux`方法搭建
 | 
			
		||||
- 安装环境: Ngixn(推荐) / Apache + PHP(推荐≥7.0)
 | 
			
		||||