修复漏洞

2025-12-13 11:43:58 +08:00 · 2023-03-04 01:57:30 +08:00
parent 8da26ca463
commit 3434282bbb
6 changed files with 54 additions and 24 deletions
--- a/api/index.php
+++ b/api/index.php
@@ -54,7 +54,23 @@ $handle = new Upload($_FILES['image'], 'zh_CN');

 if ($handle->uploaded) {
    // 允许上传的mime类型
-    $handle->allowed = array('image/*');
+    if ($config['allowed'] === 1) {
+        $handle->allowed = array('image/*');
+    }
+    // svg格式过滤
+    if ($handle->file_src_name_ext === 'svg') {
+        $svg = file_get_contents($handle->file_src_pathname);
+        if (preg_match('/<script[\s\S]*?<\/script>/', $svg)) {
+            exit(json_encode(
+                array(
+                    "result"  => "failed",
+                    "code"    => 205,
+                    "message" => "请勿上传非法文件",
+                )
+            ));
+        }
+    }
+    
    // 文件命名
    $handle->file_new_name_body = imgName($handle->file_src_name_body);
    // 添加Token ID