From 0a2e502f0aa1dcc4c9c04dea88069da88c4bfd7b Mon Sep 17 00:00:00 2001
From: tianya
Date: Sun, 31 Dec 2023 21:52:00 +0800
Subject: [PATCH] =?UTF-8?q?=E5=90=8E=E5=8F=B0=E6=96=87=E4=BB=B6=E4=B8=8A?=
 =?UTF-8?q?=E4=BC=A0=E6=BC=8F=E6=B4=9E=E4=BF=AE=E5=A4=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/admin/log_list.php | 6 +++---
 src/install/index.php | 1 +
 src/system/common.func.php | 28 --------------------------
 src/system/common.inc.php | 1 +
 src/system/dedealert.func.php | 38 +++++++++++++++++++++++++++++++++++
 src/system/uploadsafe.inc.php | 25 +++++++++++++++--------
 6 files changed, 60 insertions(+), 39 deletions(-)
 create mode 100644 src/system/dedealert.func.php
diff --git a/src/admin/log_list.php b/src/admin/log_list.php
index bb63e910..28543dc0 100644
--- a/src/admin/log_list.php
+++ b/src/admin/log_list.php
@@ -17,12 +17,12 @@ $sql = $where = '';
 if (empty($adminid)) $adminid = 0;
 if (empty($cip)) $cip = '';
 if (empty($dtime)) $dtime = 0;
-if ($adminid > 0) $where .= " AND #@__log.adminid='$adminid' ";
-if ($cip != "") $where .= " AND #@__log.cip LIKE '%$cip%' ";
+if ($adminid > 0) $where .= " AND `#@__log`.adminid='$adminid' ";
+if ($cip != "") $where .= " AND `#@__log`.cip LIKE '%$cip%' ";
 if ($dtime > 0) {
 $nowtime = time();
 $starttime = $nowtime - ($dtime * 24 * 3600);
- $where .= " AND #@__log.dtime>'$starttime' ";
+ $where .= " AND `#@__log`.dtime>'$starttime' ";
 }
 $sql = "SELECT `#@__log`.*,`#@__admin`.userid FROM `#@__log` LEFT JOIN `#@__admin` ON `#@__admin`.id=`#@__log`.adminid WHERE 1=1 $where ORDER BY `#@__log`.lid DESC";
 $adminlist = '';
diff --git a/src/install/index.php b/src/install/index.php
index 36a6c8fd..2b70d314 100644
--- a/src/install/index.php
+++ b/src/install/index.php
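Review bot: `$adminid` is still interpolated into the SQL on the first added line after only an `if ($adminid > 0)` check, and that loose comparison does not guarantee an integer (a leading-digit string passes on every PHP version, and on PHP 8 even a non-numeric string compares greater than 0), so the backtick quoting changes nothing about what reaches the query. Cast it at the defaulting line above, `$adminid = (int)$adminid;`, and for the `$cip` pattern on the second added line escape the LIKE wildcards first, `$cip = addcslashes($cip, '%_');`, so a search term cannot widen the match. Quote escaping presumably comes from the global RunMagicQuotes pass applied elsewhere, which this hunk does not show; a prepared statement with bound parameters would remove that dependency entirely. The code that executes `$sql` lies outside the hunk.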
@@ -25,6 +25,7 @@ foreach(Array('_GET','_POST','_COOKIE') as $_request) {
 foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
 }
+require_once(DEDEINC.'/dedealert.func.php');
 require_once(DEDEINC.'/common.func.php');
 if (file_exists(INSLOCKFILE)) {
 die(DedeAlert("完成软件安装,如果您要重新安装,安装目录找到install文件夹,然后删除install_lock.txt文件",ALERT_DANGER));
diff --git a/src/system/common.func.php b/src/system/common.func.php
index a5c180a7..f17323c6 100755
--- a/src/system/common.func.php
+++ b/src/system/common.func.php
@@ -9,34 +9,6 @@ if (!defined('DEDEINC')) exit ('dedebiz');
 * @license GNU GPL v2 (https://www.dedebiz.com/license)
 * @link https://www.dedebiz.com
 */
-//类似Bootstrap警告框
-define('ALERT_PRIMARY', 1);
-define('ALERT_SECONDARY', 2);
-define('ALERT_SUCCESS', 3);
-define('ALERT_DANGER', 4);
-define('ALERT_WARNING', 5);
-define('ALERT_INFO', 6);
-define('ALERT_LIGHT', 7);
-define('ALERT_DARK', 8);
-define("ALERT_TPL", '
~content~
');
-//$content:文档,$type:alert类型
-function DedeAlert($content, $type = ALERT_PRIMARY, $isHTML = false)
-{
- $colors = array(
- ALERT_PRIMARY => array('#cfe2ff','#b6d4fe','#084298'),
- ALERT_SECONDARY => array('#e2e3e5','#d3d6d8','#41464b'),
- ALERT_SUCCESS => array('#d1e7dd','#badbcc','#0f5132'),
- ALERT_DANGER => array('#f8d7da','#f5c2c7','#842029'),
- ALERT_WARNING => array('#fff3cd','#ffecb5','#664d03'),
- ALERT_INFO => array('#cff4fc','#b6effb','#055160'),
- ALERT_LIGHT => array('#fefefe','#fdfdfe','#636464'),
- ALERT_DARK => array('#d3d3d4','#bcbebf','#141619'),
- );
- $content = $isHTML? RemoveXSS($content) : htmlspecialchars($content);
- $colors = isset($colors[$type])? $colors[$type] : $colors[ALERT_PRIMARY];
- list($background, $border, $color) = $colors;
- return str_replace(array('~color~','~background~','~border~', '~content~'),array($color,$background,$border,$content),ALERT_TPL);
-}
 if (version_compare(PHP_VERSION, '7.0.0', '>=')) {
 if (!function_exists('mysql_connect') and function_exists('mysqli_connect')) {
 function mysql_connect($server, $username, $password)
diff --git a/src/system/common.inc.php b/src/system/common.inc.php
index 14d15d0f..e2f3c9c4 100755
--- a/src/system/common.inc.php
+++ b/src/system/common.inc.php
@@ -122,6 +122,7 @@ if (!is_dir($sessSavePath)) mkdir($sessSavePath);
 if (is_writeable($sessSavePath) && is_readable($sessSavePath)) {
 @session_save_path($sessSavePath);
 }
+require_once DEDEINC.'/dedealert.func.php';
 //转换上传的文件相关的变量及安全处理,并引用前台通用的上传函数
 if ($_FILES) {
 require_once(DEDEINC.'/uploadsafe.inc.php');
diff --git a/src/system/dedealert.func.php b/src/system/dedealert.func.php
new file mode 100644
index 00000000..a686cf1f
--- /dev/null
+++ b/src/system/dedealert.func.php
@@ -0,0 +1,38 @@
+~content~');
+//$content:文档,$type:alert类型
+function DedeAlert($content, $type = ALERT_PRIMARY, $isHTML = false)
+{
+ $colors = array(
+ ALERT_PRIMARY => array('#cfe2ff','#b6d4fe','#084298'),
+ ALERT_SECONDARY => array('#e2e3e5','#d3d6d8','#41464b'),
+ ALERT_SUCCESS => array('#d1e7dd','#badbcc','#0f5132'),
+ ALERT_DANGER => array('#f8d7da','#f5c2c7','#842029'),
+ ALERT_WARNING => array('#fff3cd','#ffecb5','#664d03'),
+ ALERT_INFO => array('#cff4fc','#b6effb','#055160'),
+ ALERT_LIGHT => array('#fefefe','#fdfdfe','#636464'),
+ ALERT_DARK => array('#d3d3d4','#bcbebf','#141619'),
+ );
+ $content = $isHTML? RemoveXSS($content) : htmlspecialchars($content);
+ $colors = isset($colors[$type])? $colors[$type] : $colors[ALERT_PRIMARY];
+ list($background, $border, $color) = $colors;
+ return str_replace(array('~color~','~background~','~border~', '~content~'),array($color,$background,$border,$content),ALERT_TPL);
+}
\ No newline at end of file
diff --git a/src/system/uploadsafe.inc.php b/src/system/uploadsafe.inc.php
index 30369930..ad4ff6f9 100755
--- a/src/system/uploadsafe.inc.php
+++ b/src/system/uploadsafe.inc.php
@@ -28,7 +28,8 @@ foreach ($_FILES as $_key => $_value) {
 }
 }
 if (preg_match('#^(cfg_|GLOBALS)#', $_key)) {
- exit('Request var not allow for uploadsafe!');
+ echo DedeAlert('危险的请求参数', ALERT_DANGER);
+ exit;
 }
 $$_key = $_FILES[$_key]['tmp_name'];
 ${$_key.'_name'} = $_FILES[$_key]['name'];
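Review bot: `htmlspecialchars($content)` in the non-HTML branch of DedeAlert relies on the default flags, which before PHP 8.1 are `ENT_COMPAT` without `ENT_SUBSTITUTE`: single quotes stay unescaped and any invalid UTF-8 in `$content` makes the call return an empty string, so the alert renders blank. Since common.func.php in this same diff still carries a `mysql_connect` shim for old PHP, pin the flags explicitly, `$content = $isHTML ? RemoveXSS($content) : htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The `$isHTML` path hands the content to RemoveXSS, a filter defined outside this file; it should be treated as a last line of defence and that branch reserved for markup the application itself builds. The head of the new file (the ALERT_ constants and ALERT_TPL) is garbled in this view, so whether it carries the `if (!defined('DEDEINC')) exit` guard the other system files have cannot be confirmed from here.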
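Review bot: `DedeAlert()` is now called from uploadsafe.inc.php (here and in the hunks at old lines 36, 61, 73, 84 and 96) but the file does not include dedealert.func.php itself; it only works because common.inc.php now requires that file just before including this one, and the comment there says this file is also referenced by the front-end upload path, so any other include order turns a rejected upload into an uncontrolled undefined-function fatal error instead of this clean abort. Add `require_once DEDEINC.'/dedealert.func.php';` at the top of uploadsafe.inc.php; `require_once` makes the double include harmless. The key guard that follows remains a prefix denylist on `cfg_` and `GLOBALS` in front of the `$$_key = ...` variable-variable assignment; an allowlist of the field names the upload forms actually use would be the stronger check. The enclosing foreach starts before this hunk.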
@@ -36,16 +37,20 @@ foreach ($_FILES as $_key => $_value) {
 ${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#', '', $_FILES[$_key]['size']);
 if (is_array(${$_key.'_name'}) && count(${$_key.'_name'}) > 0) {
 foreach (${$_key.'_name'} as $key => $value) {
+ $value = trim($value);
 if (!empty($value) && (preg_match("#\.(".$cfg_not_allowall.")$#i", $value) || !preg_match("#\.#", $value))) {
 if (!defined('DEDEADMIN')) {
- exit('Not Admin Upload filetype not allow !');
+ echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);
+ exit;
 }
 }
 }
 } else {
- if (!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i", ${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'}))) {
+ $fname = trim(${$_key.'_name'});
+ if (!empty($fname) && (preg_match("#\.(".$cfg_not_allowall.")$#i", $fname) || !preg_match("#\.#", $fname))) {
 if (!defined('DEDEADMIN')) {
- exit('Not Admin Upload filetype not allow !');
+ echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);
+ exit;
 }
 }
 }
@@ -61,7 +66,8 @@ foreach ($_FILES as $_key => $_value) {
 continue;
 }
 if (!is_array($image_dd)) {
- exit('Upload filetype not allow !');
+ echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);
+ exit;
 }
 }
 $imtypes = array(
@@ -73,7 +79,8 @@ foreach ($_FILES as $_key => $_value) {
 continue;
 }
 if (!is_array($image_dd)) {
- exit('Upload filetype not allow !');
+ echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);
+ exit;
 }
 }
 }
@@ -84,7 +91,8 @@ foreach ($_FILES as $_key => $_value) {
 continue;
 }
 if (!is_array($image_dd)) {
- exit('Upload filetype not allow !');
+ echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);
+ exit;
 }
 }
 $imtypes = array(
@@ -96,7 +104,8 @@ foreach ($_FILES as $_key => $_value) {
 continue;
 }
 if (!is_array($image_dd)) {
- exit('Upload filetype not allow !');
+ echo DedeAlert('禁止上传当前格式的文件', ALERT_DANGER);
+ exit;
 }
 }
 }
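Review bot: The trimmed name is what gets checked but the untrimmed one is what survives: `$value = trim($value);` changes only the foreach copy and `$fname` is a local, so `${$_key.'_name'}` and `$_FILES[$_key]['name']` still carry the original string to whatever stores the file later, which keeps a gap between the value validated and the value used. Write the trimmed value back in both branches, `${$_key.'_name'}[$key] = $value = trim($value);` in the loop and `${$_key.'_name'} = $fname = trim(${$_key.'_name'});` in the else, and do the same for `$_FILES[$_key]['name']` if downstream code reads it directly. Note also that the extension check in both branches still runs only when `DEDEADMIN` is undefined, so for admin-side requests the added trim rejects nothing in this hunk; if the admin path is meant to be covered by this fix, that protection has to come from checks outside it. The enclosing foreach begins before the hunk.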