增加前端上传签名

admin/admin.inc.php

@@ -572,14 +572,14 @@ auto_delete(); //定时删除
                         <div class="form-group">
                             <label for="logDate" class="text-primary">月份: </label>
                             <input type="text" class="form-control logDate" id="logDate" name="logDate" value="<?php echo date('Y-m'); ?>" required="required" readonly>
-                            <input type="hidden" class="form-control" name="pass" value="<?php echo md5($config['password'] . date('ymdh')); ?>" placeholder="日志访问秘钥">
+                            <input type="hidden" class="form-control" name="sign" value="<?php echo md5($config['password'] . date('ymdh')); ?>" placeholder="日志访问秘钥">
                         </div>
                         <button type="submit" class="btn btn-primary">查看</button>
                     </form>
                 </div>
                 <div class="col-md-2">
                     <h5 class="header-dividing">登录日志 <small>仅显示当月</small></h5>
-                    <button type="button" class="btn btn-primary" data-toggle="modal" data-title="登录日志 - 仅显示当月" data-icon="book" data-moveable="true" data-width="60%" data-type="ajax" data-url="../application/viewlog.php?login_log&pass=<?php echo md5($config['password'] . date('ymdh')); ?>">查看</button>
+                    <button type="button" class="btn btn-primary" data-toggle="modal" data-title="登录日志 - 仅显示当月" data-icon="book" data-moveable="true" data-width="60%" data-type="ajax" data-url="../application/viewlog.php?login_log&sign=<?php echo md5($config['password'] . date('ymdh')); ?>">查看</button>
                 </div>
                 <div class="col-md-3">
                     <h5 class="header-dividing" data-toggle="tooltip" title="仅限存储分类路径为 Y/m/d/ 格式<br/>且每天需要访问一次后台才执行<br/>先重命名要删除文件夹作为备份<br/>超过定时日期的2倍后再彻底删除重命名的文件夹<br/>超过定时日期前和开启分离的文件夹不删除">定时删除 <small>数值为<code>0</code>时关闭</small></h5>

application/upload.php

@@ -27,6 +27,15 @@ if (empty($_FILES['file'])) {
     ));
 }
 
+// sign
+if (empty($_POST['sign']) || $_POST['sign'] !== md5($config['password'] . date('YmdH'))) {
+    exit(json_encode(array(
+        "result"  => "failed",
+        "code"    => 403,
+        "message" => "签名错误,请刷新重试",
+    )));
+}
+
 // 黑/白IP名单上传
 if ($config['check_ip']) {
     if (checkIP(null, $config['check_ip_list'], $config['check_ip_model'])) {

application/viewlog.php

@@ -9,7 +9,7 @@ require_once __DIR__ . '/function.php';
 // 非管理员不可访问!
 if (!is_who_login('admin')) exit('Permission denied');
 // 禁止直接访问
-if (empty($_REQUEST['pass']) || $_REQUEST['pass'] !== md5($config['password'] . date('ymdh'))) exit('Authentication error!');
+if (empty($_REQUEST['sign']) || $_REQUEST['sign'] !== md5($config['password'] . date('ymdh'))) exit('Authentication error!');
 
 // 登录日志
 if (isset($_GET['login_log'])) {

docs/update.md

@@ -1,4 +1,7 @@
-* 2023-03-05 v2.7.7 dev
+* 2023-03-06 v2.7.8
+- 增加前端上传签名
+
+* 2023-03-05 v2.7.7
 - 增加登录日志
 - 修复备用文件管理登录失效
 

index.php

@@ -128,6 +128,10 @@ mustLogin();
     flash_swf_url: '<?php static_cdn(); ?>/public/static/zui/lib/uploader/Moxie.swf',
     // silverlight 上传组件地址
     flash_swf_url: '<?php static_cdn(); ?>/public/static/zui/lib/uploader/Moxie.xap',
+    // sign
+    multipart_params: {
+      'sign': '<?php echo md5($config['password'] . date('YmdH')); ?>', // new Date().format("YYYYMMddhh")
+    },
     // 预览图尺寸
     previewImageSize: {
       'width': 80,