4.49 release

app/controller/explorer.class.php

@@ -1139,6 +1139,7 @@ class explorer extends Controller{
 			show_json(LNG('no_permission_write'),false);
 		}
 		$url = rawurldecode($this->in['url']);
+		if(!request_url_safe($url)){show_json('url error!',false);}
 		if(isset($this->in['name'])){
 			$filename = rawurldecode($this->in['name']);
 		}else{

app/function/web.function.php

@@ -540,16 +540,16 @@ function get_headers_curl($url,$timeout=30,$depth=0,&$headers=array()){
 
 // 防止SSRF 攻击;curl,file_get_contents前检测url;
 function request_url_safe($url){
-	$link = trim(strtolower($url));
-	$link = str_replace('\\','/',$link);
-	while (strstr($link,'../')) {
-		$link = str_replace('../', '/', $link);
-	}
-	if( substr($link,0,6) != "ftp://" &&
-		substr($link,0,7) != "http://" &&
-		substr($link,0,8) != "https://" ){
-		return false;
+	$url   = str_replace('\\','/',$url);
+	$allow = array('http','https','ftp');
+	$info  = parse_url($url);$hasAllow = false;
+	foreach($allow as $scheme){
+		$schemeNow = substr($url,0,strlen($scheme) + 3);
+		if($schemeNow === $scheme."://"){$hasAllow = true;}
 	}
+	if(!$hasAllow) return false;
+	if(!$info['scheme'] || !$info['host'] || !in_array($info['scheme'],$allow)) return false;
+	if(@file_exists($url) ) return false;
 	return true;
 }
 

config/version.php

@@ -1,3 +1,3 @@
 <?php
-define('KOD_VERSION','4.48');
-define('KOD_VERSION_BUILD','02');//time(),20220516
+define('KOD_VERSION','4.49');
+define('KOD_VERSION_BUILD','01');//time(),20220825

static/style/skin/base/app_editor.css

@@ -1,5 +1,5 @@
-/* power by kodexplorer ver 4.48(2022-05-17) [build 1652768018.1359] */
+/* power by kodexplorer ver 4.49(2022-08-25) [build 1661416804.4836] */
 @import url('./fileIcon.css');
 @import url('./common.css');
 .frame-main{position:absolute;top:40px;width:100%;bottom:0px;}.frame-main .tools-left{background:#f8f8f8 url("../../../images/common/bg.gif") 0 0px;position:fixed;line-height:30px;padding-left:20px;height:28px;border-bottom:1px solid #ddd;left:0;width:100%;}.frame-main .tools-left a{font-size:1.25em;font-weight:800;text-decoration:none;color:#999;text-shadow:0 0 3px;display:inline-block;padding:2px 6px;margin-top:0;height:20px;line-height:20px;}.frame-main .tools-left a:hover{background:url("../../../images/common/buttons_40.png") 0 0px repeat-x;-webkit-box-shadow:0 2px 8px rgba(0,0,0,0.8);-moz-box-shadow:0 2px 8px rgba(0,0,0,0.8);box-shadow:0 2px 8px rgba(0,0,0,0.8);-webkit-border-radius:3px;-moz-border-radius:3px;border-radius:3px;}.frame-main .frame-left{position:absolute;left:0;top:30px;bottom:0;width:200px;background:#fff;background-attachment:fixed;overflow:auto;}.frame-main .frame-left .ztree{margin-top:0;}.frame-main .frame-left .ztree li.level0{margin-bottom:5px;}.frame-main .frame-resize{width:10px;cursor:col-resize;z-index:100;position:absolute;left:195px;top:0;bottom:0;overflow:hidden;background:url("../../../images/common/resize.png") 0px 50% no-repeat;}.frame-main .frame-resize.active{background:#000;opacity:0.2;filter:alpha(opacity=20);}.frame-main .frame-right{left:200px;right:0;position:absolute;top:0;bottom:0;overflow:auto;}.frame-main .frame-right .frame-right-main .resize-mask{z-index:999;position:absolute;left:0;top:0;bottom:0;right:0;display:none;}.frame-main .frame-right .frame-right-main .frame{height:100%;border-left:1px solid #ddd;overflow:hidden;}
-/* ver 4.48(2022-05-17) [build 1652768018.1359] */
+/* ver 4.49(2022-08-25) [build 1661416804.4836] */