- fix
icret
parent
3434282bbb
commit
746412fc10
|
|
@ -1131,7 +1131,7 @@ auto_delete(); //定时删除
|
|||
<li>直接输入账号和密码即可完成修改</li>
|
||||
<li>更改后会立即生效并重新登录,请务必牢记账号和密码! </li>
|
||||
<li>如果忘记账号可以打开-><code>/config/config.php</code>文件->找到<code data-toggle="tooltip" title="'user'=><strong>admin</strong>'">user</code>对应的键值->填入</li>
|
||||
<li>如果忘记密码请将密码->转换成MD5小写-><a href="<?php echo $config['domain'] . '/application/md5.php'; ?>" target="_blank" class="text-purple">转换网址</a>->打开<code>/config/config.php</code>文件->找到<code data-toggle="tooltip" title="'password'=>'<strong>e6e0612609</strong>'">password</code>对应的键值->填入</li>
|
||||
<li>如果忘记密码请将密码->转换成MD5小写-><a href="<?php echo $config['domain'] . '/application/reset_password.php'; ?>" target="_blank" class="text-purple">转换网址</a>->打开<code>/config/config.php</code>文件->找到<code data-toggle="tooltip" title="'password'=>'<strong>e6e0612609</strong>'">password</code>对应的键值->填入</li>
|
||||
</ul>
|
||||
</div>
|
||||
</div>
|
||||
|
|
@ -1381,7 +1381,7 @@ auto_delete(); //定时删除
|
|||
</div>
|
||||
<link rel="stylesheet" href="<?php static_cdn(); ?>/public/static/zui/lib/datagrid/zui.datagrid.min.css">
|
||||
<link rel="stylesheet" href="<?php static_cdn(); ?>/public/static/zui/lib/datetimepicker/datetimepicker.min.css">
|
||||
<script type="application/javascript" src="<?php static_cdn(); ?>/public/static/md5/md5.min.js"></script>
|
||||
<script type="application/javascript" src="<?php static_cdn(); ?>/public/static/crypto/SHA256.js"></script>
|
||||
<script type="application/javascript" src="<?php static_cdn(); ?>/public/static/jscolor/jscolor.min.js"></script>
|
||||
<script type="application/javascript" src="<?php static_cdn(); ?>/public/static/zui/lib/datagrid/zui.datagrid.min.js"></script>
|
||||
<script type="application/javascript" src="<?php static_cdn(); ?>/public/static/zui/lib/datetimepicker/datetimepicker.min.js"></script>
|
||||
|
|
@ -1431,7 +1431,7 @@ auto_delete(); //定时删除
|
|||
function uploader_md5_post() {
|
||||
var password = document.getElementById('uploader_password');
|
||||
var md5pwd = document.getElementById('uploader_md5_password');
|
||||
md5pwd.value = md5(password.value);
|
||||
md5pwd.value = SHA256(password.value);
|
||||
//可以校验判断表单内容,true就是通过提交,false,阻止提交
|
||||
return true;
|
||||
}
|
||||
|
|
@ -1439,7 +1439,7 @@ auto_delete(); //定时删除
|
|||
function md5_post() {
|
||||
var password = document.getElementById('password');
|
||||
var md5pwd = document.getElementById('md5_password');
|
||||
md5pwd.value = md5(password.value);
|
||||
md5pwd.value = SHA256(password.value);
|
||||
//可以校验判断表单内容,true就是通过提交,false,阻止提交
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -99,7 +99,7 @@ if (isset($_POST['password']) and isset($_POST['user'])) {
|
|||
</div>
|
||||
<div class="modal-body">
|
||||
<p class="text-primary">忘记账号可以打开<code>/config/config.php</code>文件找到<code data-toggle="tooltip" title="'user'=><strong>admin</strong>'">user</code>对应的键值->填入</p>
|
||||
<p class="text-success">忘记密码请将密码转换成MD5小写(<a href="<?php echo $config['domain'] . '/application/md5.php'; ?>" target="_blank" class="text-purple">转换网址</a>)->打开<code>/config/config.php</code>文件->找到<code data-toggle="tooltip" title="'password'=>'<strong>e6e0612609</strong>'">password</code>对应的键值->填入</p>
|
||||
<p class="text-success">忘记密码请将密码转换成SHA256(<a href="<?php echo $config['domain'] . '/application/reset_password.php'; ?>" target="_blank" class="text-purple">转换网址</a>)->打开<code>/config/config.php</code>文件->找到<code data-toggle="tooltip" title="'password'=>'<strong>e6e0612609</strong>'">password</code>对应的键值->填入</p>
|
||||
<h4 class="text-danger">更改后会立即生效并重新登录,请务必牢记账号和密码! </h4>
|
||||
</div>
|
||||
<div class="modal-footer">
|
||||
|
|
@ -152,12 +152,14 @@ if (isset($_POST['password']) and isset($_POST['user'])) {
|
|||
</div>
|
||||
</section>
|
||||
</form>
|
||||
<script src="<?php static_cdn(); ?>/public/static/md5/md5.min.js"></script>
|
||||
<script src="<?php static_cdn(); ?>/public/static/crypto/SHA256.js"></script>
|
||||
<script>
|
||||
console.log(SHA256('admin@123'));
|
||||
|
||||
function md5_post() {
|
||||
var password = document.getElementById('password');
|
||||
var md5pwd = document.getElementById('md5_password');
|
||||
md5pwd.value = md5(password.value);
|
||||
md5pwd.value = SHA256(password.value);
|
||||
//可以校验判断表单内容,true就是通过提交,false,阻止提交
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -57,10 +57,11 @@ if ($handle->uploaded) {
|
|||
if ($config['allowed'] === 1) {
|
||||
$handle->allowed = array('image/*');
|
||||
}
|
||||
// svg格式过滤
|
||||
|
||||
// 检查svg是否存在script和a标签代码
|
||||
if ($handle->file_src_name_ext === 'svg') {
|
||||
$svg = file_get_contents($handle->file_src_pathname);
|
||||
if (preg_match('/<script[\s\S]*?<\/script>/', $svg)) {
|
||||
if (preg_match('/<script[\s\S]*?<\/script>/', $svg) || stripos($svg, 'href=')) {
|
||||
exit(json_encode(
|
||||
array(
|
||||
"result" => "failed",
|
||||
|
|
|
|||
|
|
@ -162,7 +162,7 @@ function _login($user = null, $password = null)
|
|||
// 上传者账号过期
|
||||
if ($guestConfig[$user]['expired'] < time()) return json_encode(array('code' => 400, 'level' => 0, 'messege' => $user . '账号已过期'));
|
||||
// 未过期设置cookie
|
||||
$browser_cookie === serialize(array($user, $password));
|
||||
$browser_cookie = serialize(array($user, $password));
|
||||
setcookie('auth', $browser_cookie, time() + 3600 * 24 * 14, '/');
|
||||
return json_encode(array('code' => 200, 'level' => 2, 'messege' => $user . '用户登录成功'));
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,17 +1,16 @@
|
|||
<?php
|
||||
include_once __DIR__ . "/header.php";
|
||||
|
||||
$value = '';
|
||||
if (isset($_POST['md5'])) {
|
||||
$value = md5($_POST['md5']);
|
||||
} else {
|
||||
$value = null;
|
||||
$value = hash('sha256', $_POST['md5']);
|
||||
}
|
||||
|
||||
?>
|
||||
<div class="row">
|
||||
<div class="col-md-12">
|
||||
<p class="text-primary">忘记账号可以打开<code>/config/config.php</code>文件找到<code data-toggle="tooltip" title="'user'=><strong>admin</strong>'">user</code>对应的键值->填入</p>
|
||||
<p class="text-success">忘记密码请将密码转换成MD5小写(<a href="<?php echo $config['domain'] . '/application/md5.php'; ?>" target="_blank" class="text-purple">转换网址</a>)->打开<code>/config/config.php</code>文件->找到<code data-toggle="tooltip" title="'password'=>'<strong>e6e0612609</strong>'">password</code>对应的键值->填入</p>
|
||||
<p class="text-success">忘记密码请将密码转换成SHA256(<a href="<?php echo $config['domain'] . '/application/reset_password.php'; ?>" target="_blank" class="text-purple">转换网址</a>)->打开<code>/config/config.php</code>文件->找到<code data-toggle="tooltip" title="'password'=>'<strong>e6e0612609</strong>'">password</code>对应的键值->填入</p>
|
||||
<h4 class="text-danger">更改后会立即生效并重新登录,请务必牢记账号和密码! </h4>
|
||||
</div>
|
||||
<div class="col-md-12">
|
||||
|
|
@ -24,7 +23,7 @@ if (isset($_POST['md5'])) {
|
|||
</div>
|
||||
<div class="form-group">
|
||||
<div class="col-sm-offset-2 col-sm-10">
|
||||
<button type="submit" class="btn btn-primary">获取MD5</button>
|
||||
<button type="submit" class="btn btn-primary">获取新的密码</button>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
|
|
@ -32,7 +31,7 @@ if (isset($_POST['md5'])) {
|
|||
</div>
|
||||
<script>
|
||||
// 更改网页标题
|
||||
document.title = "更改密码 密码MD5加密- <?php echo $config['title']; ?>"
|
||||
document.title = "获取新的密码 - <?php echo $config['title']; ?>"
|
||||
</script>
|
||||
<?php
|
||||
|
||||
|
|
@ -59,10 +59,11 @@ if ($handle->uploaded) {
|
|||
if ($config['allowed'] === 1) {
|
||||
$handle->allowed = array('image/*');
|
||||
}
|
||||
// svg格式过滤
|
||||
|
||||
// 检查svg是否存在script和a标签代码
|
||||
if ($handle->file_src_name_ext === 'svg') {
|
||||
$svg = file_get_contents($handle->file_src_pathname);
|
||||
if (preg_match('/<script[\s\S]*?<\/script>/', $svg)) {
|
||||
if (preg_match('/<script[\s\S]*?<\/script>/', $svg) || stripos($svg, 'href=')) {
|
||||
exit(json_encode(
|
||||
array(
|
||||
"result" => "failed",
|
||||
|
|
|
|||
|
|
@ -3,8 +3,8 @@ $guestConfig=Array
|
|||
(
|
||||
'guest'=>Array
|
||||
(
|
||||
'password'=>'084e0343a0486ff05530df6c705c8bb4',
|
||||
'expired'=>2536886016,
|
||||
'add_time'=>1672972416
|
||||
'password'=>'84983c60f7daadc1cb8698621f802c0d9f9a3c3c295c810748fb048115c186ec',
|
||||
'expired'=>1680497325,
|
||||
'add_time'=>1677905325
|
||||
)
|
||||
);
|
||||
File diff suppressed because one or more lines are too long
|
|
@ -1,8 +1,10 @@
|
|||
* 2023-03-04 v2.7.6 dev
|
||||
- 增加删除文件时限定目录
|
||||
- 增强对SVG格式过滤以避免产生xss 致谢:[xulei1112](https://github.com/xulei1112)
|
||||
- 增加对SVG文件格式过滤 致谢:[xulei1112](https://github.com/xulei1112)
|
||||
- 修复弱类型验证导致的异常登录 致谢:[xulei1112](https://github.com/xulei1112)
|
||||
- 更换加密删除链接算法 - 链接更短
|
||||
- 更换存储密码算法为SHA256
|
||||
- 默认不支持SVG文件上传
|
||||
- 完全兼容 PHP5.6-8.0
|
||||
|
||||
* 2023-02-24 v2.7.5
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ if (file_exists(APP_ROOT . '/config/install.lock')) {
|
|||
if (isset($_POST['password'])) {
|
||||
if ($_POST['password'] == $_POST['repassword']) {
|
||||
|
||||
$config['password'] = md5($_POST['password']);
|
||||
$config['password'] = hash('sha256', $_POST['password']);
|
||||
$config['user'] = $_POST['user'];
|
||||
} else {
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,125 @@
|
|||
/**
|
||||
*
|
||||
* Secure Hash Algorithm (SHA256)
|
||||
* http://www.webtoolkit.info/
|
||||
*
|
||||
**/
|
||||
|
||||
function SHA256(s) {
|
||||
|
||||
var chrsz = 8;
|
||||
var hexcase = 0;
|
||||
|
||||
function safe_add(x, y) {
|
||||
var lsw = (x & 0xFFFF) + (y & 0xFFFF);
|
||||
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
|
||||
return (msw << 16) | (lsw & 0xFFFF);
|
||||
}
|
||||
|
||||
function S(X, n) { return (X >>> n) | (X << (32 - n)); }
|
||||
function R(X, n) { return (X >>> n); }
|
||||
function Ch(x, y, z) { return ((x & y) ^ ((~x) & z)); }
|
||||
function Maj(x, y, z) { return ((x & y) ^ (x & z) ^ (y & z)); }
|
||||
function Sigma0256(x) { return (S(x, 2) ^ S(x, 13) ^ S(x, 22)); }
|
||||
function Sigma1256(x) { return (S(x, 6) ^ S(x, 11) ^ S(x, 25)); }
|
||||
function Gamma0256(x) { return (S(x, 7) ^ S(x, 18) ^ R(x, 3)); }
|
||||
function Gamma1256(x) { return (S(x, 17) ^ S(x, 19) ^ R(x, 10)); }
|
||||
|
||||
function core_sha256(m, l) {
|
||||
var K = new Array(0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5, 0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3, 0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174, 0xE49B69C1, 0xEFBE4786, 0xFC19DC6, 0x240CA1CC, 0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA, 0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7, 0xC6E00BF3, 0xD5A79147, 0x6CA6351, 0x14292967, 0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13, 0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85, 0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3, 0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070, 0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5, 0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3, 0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208, 0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2);
|
||||
var HASH = new Array(0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19);
|
||||
var W = new Array(64);
|
||||
var a, b, c, d, e, f, g, h, i, j;
|
||||
var T1, T2;
|
||||
|
||||
m[l >> 5] |= 0x80 << (24 - l % 32);
|
||||
m[((l + 64 >> 9) << 4) + 15] = l;
|
||||
|
||||
for (var i = 0; i < m.length; i += 16) {
|
||||
a = HASH[0];
|
||||
b = HASH[1];
|
||||
c = HASH[2];
|
||||
d = HASH[3];
|
||||
e = HASH[4];
|
||||
f = HASH[5];
|
||||
g = HASH[6];
|
||||
h = HASH[7];
|
||||
|
||||
for (var j = 0; j < 64; j++) {
|
||||
if (j < 16) W[j] = m[j + i];
|
||||
else W[j] = safe_add(safe_add(safe_add(Gamma1256(W[j - 2]), W[j - 7]), Gamma0256(W[j - 15])), W[j - 16]);
|
||||
|
||||
T1 = safe_add(safe_add(safe_add(safe_add(h, Sigma1256(e)), Ch(e, f, g)), K[j]), W[j]);
|
||||
T2 = safe_add(Sigma0256(a), Maj(a, b, c));
|
||||
|
||||
h = g;
|
||||
g = f;
|
||||
f = e;
|
||||
e = safe_add(d, T1);
|
||||
d = c;
|
||||
c = b;
|
||||
b = a;
|
||||
a = safe_add(T1, T2);
|
||||
}
|
||||
|
||||
HASH[0] = safe_add(a, HASH[0]);
|
||||
HASH[1] = safe_add(b, HASH[1]);
|
||||
HASH[2] = safe_add(c, HASH[2]);
|
||||
HASH[3] = safe_add(d, HASH[3]);
|
||||
HASH[4] = safe_add(e, HASH[4]);
|
||||
HASH[5] = safe_add(f, HASH[5]);
|
||||
HASH[6] = safe_add(g, HASH[6]);
|
||||
HASH[7] = safe_add(h, HASH[7]);
|
||||
}
|
||||
return HASH;
|
||||
}
|
||||
|
||||
function str2binb(str) {
|
||||
var bin = Array();
|
||||
var mask = (1 << chrsz) - 1;
|
||||
for (var i = 0; i < str.length * chrsz; i += chrsz) {
|
||||
bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (24 - i % 32);
|
||||
}
|
||||
return bin;
|
||||
}
|
||||
|
||||
function Utf8Encode(string) {
|
||||
|
||||
var utftext = "";
|
||||
|
||||
for (var n = 0; n < string.length; n++) {
|
||||
|
||||
var c = string.charCodeAt(n);
|
||||
|
||||
if (c < 128) {
|
||||
utftext += String.fromCharCode(c);
|
||||
}
|
||||
else if ((c > 127) && (c < 2048)) {
|
||||
utftext += String.fromCharCode((c >> 6) | 192);
|
||||
utftext += String.fromCharCode((c & 63) | 128);
|
||||
}
|
||||
else {
|
||||
utftext += String.fromCharCode((c >> 12) | 224);
|
||||
utftext += String.fromCharCode(((c >> 6) & 63) | 128);
|
||||
utftext += String.fromCharCode((c & 63) | 128);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
return utftext;
|
||||
}
|
||||
|
||||
function binb2hex(binarray) {
|
||||
var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
|
||||
var str = "";
|
||||
for (var i = 0; i < binarray.length * 4; i++) {
|
||||
str += hex_tab.charAt((binarray[i >> 2] >> ((3 - i % 4) * 8 + 4)) & 0xF) +
|
||||
hex_tab.charAt((binarray[i >> 2] >> ((3 - i % 4) * 8)) & 0xF);
|
||||
}
|
||||
return str;
|
||||
}
|
||||
|
||||
s = Utf8Encode(s);
|
||||
return binb2hex(core_sha256(str2binb(s), s.length * chrsz));
|
||||
|
||||
}
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue