From 3434282bbb342966d9dfe256108f9f1d0eb97d34 Mon Sep 17 00:00:00 2001
From: icret
Date: Sat, 4 Mar 2023 01:57:30 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 admin/index.php          | 1 -
 api/index.php            | 18 +++++++++++++++++-
 application/function.php | 36 ++++++++++++++++++------------------
 application/upload.php   | 13 +++++++++++++
 docs/update.md           | 5 ++++-
 docs/安装图床.md          | 5 ++---
 6 files changed, 54 insertions(+), 24 deletions(-)

diff --git a/admin/index.php b/admin/index.php
index 74a577a..97e4a94 100755
--- a/admin/index.php
+++ b/admin/index.php
@@ -8,7 +8,6 @@ require_once APP_ROOT . '/config/config.guest.php';
 // 验证登录
 header("Content-Type: text/html;charset=utf-8");
-
 // 退出
 if (isset($_GET['login'])) {
 if ($_GET['login'] = 'logout') {
diff --git a/api/index.php b/api/index.php
index 0130c68..414d4f2 100755
--- a/api/index.php
+++ b/api/index.php
@@ -54,7 +54,23 @@ $handle = new Upload($_FILES['image'], 'zh_CN');
 if ($handle->uploaded) {
 // 允许上传的mime类型
- $handle->allowed = array('image/*');
+ if ($config['allowed'] === 1) {
+ $handle->allowed = array('image/*');
+ }
+ // svg格式过滤
+ if ($handle->file_src_name_ext === 'svg') {
+ $svg = file_get_contents($handle->file_src_pathname);
+ if (preg_match('//', $svg)) {
+ exit(json_encode(
+ array(
+ "result" => "failed",
+ "code" => 205,
+ "message" => "请勿上传非法文件",
+ )
+ ));
+ }
+ }
+
 // 文件命名
 $handle->file_new_name_body = imgName($handle->file_src_name_body);
 // 添加Token ID
diff --git a/application/function.php b/application/function.php
index bdf72ee..f320922 100755
--- a/application/function.php
+++ b/application/function.php
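Review bot: `preg_match('//', $svg)` as printed matches any string, so every upload whose extension is `svg` is rejected with code 205; if a keyword pattern was lost in rendering, a body blocklist is still a weak gate for SVG (active content can sit in event attributes, `<foreignObject>` or entity-encoded markup), and because the check keys on `file_src_name_ext` while the `image/*` allow-list still admits `image/svg+xml`, it would be more robust to exclude SVG from `$handle->allowed` (or serve stored uploads with `Content-Disposition: attachment` and a restrictive CSP) than to pattern-match the body. `file_get_contents` can return `false` and its result is passed to `preg_match` unchecked. Gating the allow-list on `$config['allowed'] === 1` means any other value drops the MIME restriction that was unconditional before this patch, so the upload falls back to whatever the library accepts by default; confirm that widening is intended. The enclosing `if ($handle->uploaded)` block continues outside the hunk.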
@@ -119,7 +119,7 @@ function _login($user = null, $password = null)
 global $guestConfig;
 // cookie验证
- if ($user == null and $password == null) {
+ if ($user === null and $password === null) {
 // 无cookie
 if (empty($_COOKIE['auth'])) {
 return json_encode(array('code' => 400, 'level' => 0, 'messege' => '请登录'));
@@ -132,9 +132,9 @@ function _login($user = null, $password = null)
 // 判断账号是否存在
 if ($browser_cookie[0] !== $config['user'] && !array_key_exists($browser_cookie[0], $guestConfig)) return json_encode(array('code' => 400, 'level' => 0, 'messege' => '账号不存在'));
 // 判断是否管理员
- if ($browser_cookie[0] == $config['user'] && $browser_cookie[1] == $config['password']) return json_encode(array('code' => 200, 'level' => 1, 'messege' => '尊敬的管理员'));
+ if ($browser_cookie[0] === $config['user'] && $browser_cookie[1] === $config['password']) return json_encode(array('code' => 200, 'level' => 1, 'messege' => '尊敬的管理员'));
 // 判断是否上传者
- if (array_key_exists($browser_cookie[0], $guestConfig) && $browser_cookie[1] == $guestConfig[$browser_cookie[0]]['password']) {
+ if (array_key_exists($browser_cookie[0], $guestConfig) && $browser_cookie[1] === $guestConfig[$browser_cookie[0]]['password']) {
 // 判断上车者是否过期
 if ($guestConfig[$browser_cookie[0]]['expired'] < time()) {
 // 上传者账户密码正确,但是账户过期
@@ -143,7 +143,7 @@ function _login($user = null, $password = null)
 return json_encode(array('code' => 200, 'level' => 2, 'messege' => $browser_cookie[0] . '用户已登录'));
 }
 // 账号存在,密码错误
- if ($browser_cookie[0] == $config['user'] || array_key_exists($browser_cookie[0], $guestConfig)) return json_encode(array('code' => 400, 'level' => 0, 'messege' => '密码错误'));
+ if ($browser_cookie[0] === $config['user'] || array_key_exists($browser_cookie[0], $guestConfig)) return json_encode(array('code' => 400, 'level' => 0, 'messege' => '密码错误'));
 }
 }
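Review bot: `$browser_cookie[1] === $config['password']` and `$browser_cookie[1] === $guestConfig[$browser_cookie[0]]['password']` compare a password read back from the client's `auth` cookie byte-for-byte against the stored one, so the cookie (written as `serialize(array($user, $password))` in the `@@ -151` hunk, valid for two weeks) carries the plaintext credential and a leaked cookie is a leaked password; the same applies to `checkLogin` in the `@@ -207` hunk. Moving from `==` to `===` removes type juggling but the comparison is still not constant-time; use `hash_equals((string) $stored, (string) $supplied)`, store a `password_hash` digest instead of the clear password, and issue a random session token in the cookie rather than the credentials themselves. Note that `===` now also requires both sides to be strings, so a `$config['password']` or guest password written as a bare number in the config file will no longer match; check those values are quoted. `_login` starts and ends outside this hunk.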
@@ -151,25 +151,25 @@ function _login($user = null, $password = null)
 $user = strip_tags($user);
 $password = strip_tags($password);
 // 是否管理员
- if ($user == $config['user'] && $password == $config['password']) {
+ if ($user === $config['user'] && $password === $config['password']) {
 // 将账号密码序列化后存储
 $browser_cookie = serialize(array($user, $password));
 setcookie('auth', $browser_cookie, time() + 3600 * 24 * 14, '/');
 return json_encode(array('code' => 200, 'level' => 1, 'messege' => '管理员登录成功'));
 }
 // 是否上传者
- if (array_key_exists($user, $guestConfig) && $password == $guestConfig[$user]['password']) {
+ if (array_key_exists($user, $guestConfig) && $password === $guestConfig[$user]['password']) {
 // 上传者账号过期
 if ($guestConfig[$user]['expired'] < time()) return json_encode(array('code' => 400, 'level' => 0, 'messege' => $user . '账号已过期'));
 // 未过期设置cookie
- $browser_cookie = serialize(array($user, $password));
+ $browser_cookie === serialize(array($user, $password));
 setcookie('auth', $browser_cookie, time() + 3600 * 24 * 14, '/');
 return json_encode(array('code' => 200, 'level' => 2, 'messege' => $user . '用户登录成功'));
 }
 // 检查账号是否存在
- if (array_key_exists($user, $guestConfig) || $user == $config['user']) {
+ if (array_key_exists($user, $guestConfig) || $user === $config['user']) {
 // 账号存在,密码错误
- if ($user == $config['user'] || array_key_exists($user, $guestConfig)) return json_encode(array('code' => 400, 'level' => 0, 'messege' => '密码错误'));
+ if ($user === $config['user'] || array_key_exists($user, $guestConfig)) return json_encode(array('code' => 400, 'level' => 0, 'messege' => '密码错误'));
 } else {
 return json_encode(array('code' => 400, 'level' => 0, 'messege' => '账号不存在'));
 }
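Review bot: `$browser_cookie === serialize(array($user, $password));` in the uploader branch is a comparison whose result is discarded, not an assignment — the admin branch a few lines above still uses `=` — so `$browser_cookie` is undefined (or whatever it held before) when `setcookie('auth', $browser_cookie, ...)` runs on the next line, and the uploader login reports success without setting a usable auth cookie. Restore `$browser_cookie = serialize(array($user, $password));`. Since `strip_tags` is applied to `$password` before the strict comparison, any password containing `<` or `>` can never match; if that is not intended, compare the raw value. `_login` starts and ends outside this hunk.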
@@ -207,12 +207,12 @@ function checkLogin()
 }
 // 管理员登陆
- if ($getCOK[0] == $config['user'] && $getCOK[1] == $config['password']) {
+ if ($getCOK[0] === $config['user'] && $getCOK[1] === $config['password']) {
 return 204;
 }
 // 上传者账号登陆
- if ($getCOK[1] == $guestConfig[$getCOK[0]]['password']) {
+ if ($getCOK[1] === $guestConfig[$getCOK[0]]['password']) {
 if ($guestConfig[$getCOK[0]]['expired'] < time()) {
 // 上传者账号过期
 return 206;
@@ -232,7 +232,7 @@ function mustLogin()
 $status = _login();
 $status = json_decode($status, true);
- if ($status['code'] == 200) {
+ if ($status['code'] === 200) {
 echo ' ';
 }
- if ($status['code'] == 400) {
+ if ($status['code'] === 400) {
 echo '
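Review bot: `$guestConfig[$getCOK[0]]['password']` is dereferenced without the `array_key_exists($getCOK[0], $guestConfig)` guard that `_login` applies to the same lookup, so a user name that is not in the guest config (presumably `$getCOK` is the parsed cookie) raises an undefined-index notice and compares against `null`, unless a check above the hunk already rejects it; make the guard explicit: `if (array_key_exists($getCOK[0], $guestConfig) && $getCOK[1] === $guestConfig[$getCOK[0]]['password']) {`. The plaintext-credential and non-constant-time comparison points raised on the `@@ -132` hunk apply to both comparisons here as well. `checkLogin` starts and ends outside this hunk.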