
文件类型安全校验

tags/6.1.0^2
tianya 3 years ago
parent
commit
950466434a
13 changed files with 137 additions and 2 deletions
  1. +4
    -2
      README.md
  2. +9
    -0
      src/admin/album_edit.php
  3. +9
    -0
      src/admin/dialog/select_images_post.php
  4. +9
    -0
      src/admin/dialog/select_soft_post.php
  5. +10
    -0
      src/admin/file_manage_control.php
  6. +9
    -0
      src/admin/friendlink_add.php
  7. +18
    -0
      src/admin/inc/inc_archives_functions.php
  8. +10
    -0
      src/admin/media_add.php
  9. +10
    -0
      src/admin/media_edit.php
  10. +10
    -0
      src/admin/swfupload.php
  11. +9
    -0
      src/admin/sys_info_mark.php
  12. +13
    -0
      src/system/common.func.php
  13. +17
    -0
      src/system/helpers/upload.helper.php

+ 4
- 2
README.md View File

@@ -24,13 +24,13 @@ DedeBIZ.x是一个LTS版本,支持将到2022年10月截止,目前DedeBIZ已

1.Windows 平台

IIS/Apache/Nginx + PHP5/PHP7/PHP8 + MySQL5/8/10
IIS/Apache/Nginx + PHP5.3+/PHP7/PHP8 + MySQL5/8/10

如果在windows环境中使用,建议用DedeCMS提供的DedeAMPZ套件以达到最佳使用性能

2.Linux/Unix 平台

Apache/Nginx + PHP5/PHP7 + MySQL5/8/10 (PHP必须在非安全模式下运行)
Apache/Nginx + PHP5.3+/PHP7 + MySQL5/8/10 (PHP必须在非安全模式下运行)

建议使用平台:Linux + Apache2.2 + PHP7.4 + MySQL5.0

@@ -38,6 +38,8 @@ Apache/Nginx + PHP5/PHP7 + MySQL5/8/10 (PHP必须在非安全模式下运行)

CURL:数据采集

Fileinfo:文件上传安全校验

GD扩展库:图像验证码、水印、二维码生成

MySQL扩展库:数据存储


+ 9
- 0
src/admin/album_edit.php View File

@@ -188,6 +188,15 @@ else if ($dopost == 'save') {
$imgurls .= "{dede:img ddimg='$ddurl' text='$iinfo' width='".$imginfos[0]."' height='".$imginfos[1]."'} $iurl {/dede:img}\r\n";
continue;
}
$mime = get_mime_type($tmpFile);
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^image#i", $mime)) {
ShowMsg("非图片格式文件,无法正常上传", -1);
exit;
}
move_uploaded_file($tmpFile, $imgfile);
$imginfos = @GetImageSize($imgfile, $info);
if ($ddurl == $iurl) {
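Review bot: The nine-line MIME gate on L90-L98 is pasted verbatim into the other hunks of this commit — select_images_post.php, select_soft_post.php, file_manage_control.php, friendlink_add.php, both hunks of inc_archives_functions.php, media_add.php, media_edit.php, sys_info_mark.php and MemberUploads in upload.helper.php — differing only in the regex and, in swfupload.php, the message. A single helper next to get_mime_type in common.func.php, e.g. `function check_upload_mime($tmpfile, $pattern = "#^(image|video|audio|application)#i")` that does the `unknow` check, the pattern match and the ShowMsg/exit, would keep the policy in one place so a later tightening of the allowlist is not repeated eleven times. The `$dopost == 'save'` branch this sits in starts outside the hunk.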


+ 9
- 0
src/admin/dialog/select_images_post.php View File

@@ -50,6 +50,15 @@ $fs = explode('.', $imgfile_name);
$filename = $filename.'.'.$fs[count($fs) - 1];
$filename_name = $filename_name.'.'.$fs[count($fs) - 1];
$fullfilename = $cfg_basedir.$activepath."/".$filename;
$mime = get_mime_type($imgfile);
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^(image|video|audio|application)#i", $mime)) {
ShowMsg("仅支持媒体文件及应用程序上传", -1);
exit;
}
move_uploaded_file($imgfile, $fullfilename) or die("上传文件到 $fullfilename 失败");
@unlink($imgfile);
if (empty($resize)) {
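Review bot: The allowlist `#^(image|video|audio|application)#i` on L117 accepts `application/octet-stream`, which is what fileinfo reports for content it does not recognise, so for anything that is not an image the check rejects very little; the same pattern is used in select_soft_post.php, file_manage_control.php, media_add.php, media_edit.php, sys_info_mark.php and MemberUploads. If this dialog only handles images, the `#^image#i` pattern used in album_edit.php and friendlink_add.php is the right one here; if it deliberately takes other files, a comment such as `// non-image files also come through this dialog, so media and application types are allowed` would explain the broad pattern. Either way the stored extension on L109-L111 is still taken from the client name `$imgfile_name`, so whatever extension filter exists before this hunk remains the control that decides what the web server will execute; the content check complements it rather than replaces it.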


+ 9
- 0
src/admin/dialog/select_soft_post.php View File

@@ -60,6 +60,15 @@ if (!empty($newname)) {
}
$fullfilename = $cfg_basedir.$activepath.'/'.$filename;
$fullfileurl = $activepath.'/'.$filename;
$mime = get_mime_type($uploadfile);
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^(image|video|audio|application)#i", $mime)) {
ShowMsg("仅支持媒体文件及应用程序上传", -1);
exit;
}
move_uploaded_file($uploadfile, $fullfilename) or die("上传文件到 $fullfilename 失败");
@unlink($uploadfile);
if ($uploadfile_type == 'application/x-shockwave-flash') {


+ 10
- 0
src/admin/file_manage_control.php View File

@@ -102,6 +102,16 @@ else if ($fmdo == "upload") {
$upfile = ${$upfile};
$upfile_name = ${$upfile_name};
if (is_uploaded_file($upfile)) {
// 检查文件类型
$mime = get_mime_type($upfile);
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^(image|video|audio|application)#i", $mime)) {
ShowMsg("仅支持媒体文件及应用程序上传", -1);
exit;
}
if (!file_exists($cfg_basedir.$activepath."/".$upfile_name)) {
move_uploaded_file($upfile, $cfg_basedir.$activepath."/".$upfile_name);
}


+ 9
- 0
src/admin/friendlink_add.php View File

@@ -27,6 +27,15 @@ if ($dopost == "add") {
CloseFtp();
}
$imgurl = $imgurl."/".$filename;
$mime = get_mime_type($logoimg);
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^image#i", $mime)) {
ShowMsg("非图片格式文件,无法正常上传", -1);
exit;
}
move_uploaded_file($logoimg, $cfg_basedir.$imgurl) or die("复制文件到:".$cfg_basedir.$imgurl."失败");
@unlink($logoimg);
} else {


+ 18
- 0
src/admin/inc/inc_archives_functions.php View File

@@ -393,6 +393,15 @@ function GetDDImage($litpic, $picname, $isremote)
} else {
$fullUrl = $fullUrl.".jpg";
}
$mime = get_mime_type($_FILES[$litpic]['tmp_name']);
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^(image|video|audio|application)#i", $mime)) {
ShowMsg("仅支持媒体文件及应用程序上传", -1);
exit;
}
@move_uploaded_file($_FILES[$litpic]['tmp_name'], $cfg_basedir.$fullUrl);
$litpic = $fullUrl;
if ($GLOBALS['cfg_ddimg_full'] == 'Y') @ImageResizeNew($cfg_basedir.$fullUrl, $cfg_ddimg_width, $cfg_ddimg_height);
@@ -716,6 +725,15 @@ function UploadOneImage($upname, $handurl = '', $isremote = 1, $ntitle = '')
} else {
$fullUrl = $fullUrl.".jpg";
}
$mime = get_mime_type($_FILES[$upname]['tmp_name']);
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^(image|video|audio|application)#i", $mime)) {
ShowMsg("仅支持媒体文件及应用程序上传", -1);
exit;
}
//保存
@move_uploaded_file($_FILES[$upname]['tmp_name'], $cfg_basedir.$fullUrl);
$filename = $fullUrl;
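Review bot: Both hunks force the target name to `.jpg` (L199, L215) and the first then hands the file to ImageResizeNew (L212), so these are image uploads, yet the pattern on L206 and L222 also admits video, audio and application types. `if (!preg_match("#^image#i", $mime)) {` with the "非图片格式文件" message used in album_edit.php would match the intent of GetDDImage and UploadOneImage. With the broad pattern a non-image file is stored under a .jpg name and then passed to the image resizer, which at best fails. Both functions start before their hunks, so I cannot see whether any caller relies on non-image input; confirm before tightening.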


+ 10
- 0
src/admin/media_add.php View File

@@ -65,6 +65,16 @@ if ($dopost == "upload") {
exit();
}
$fullfilename = $cfg_basedir.$filename;
$mime = get_mime_type(${"upfile".$i});
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^(image|video|audio|application)#i", $mime)) {
ShowMsg("仅支持媒体文件及应用程序上传", -1);
exit;
}
if ($mediatype == 1) {
@move_uploaded_file(${"upfile".$i}, $fullfilename);
$info = '';
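Review bot: The check on L244 uses one broad pattern for every media type, while L248 branches on `$mediatype == 1` right after it, and media_edit.php (L272-L273) loads image.func.php for that same value, which suggests 1 is the image type. If that is so, choosing the pattern per type — `#^image#i` when `$mediatype == 1`, the broad pattern otherwise — would stop an `application/*` file from landing in an image slot; I cannot see the mediatype definitions, so confirm against the form. The same applies to the hunk in media_edit.php.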


+ 10
- 0
src/admin/media_edit.php View File

@@ -120,6 +120,16 @@ else if ($dopost == 'save') {
MkdirAll($cfg_basedir.$oldfile_path, 777);
CloseFtp();
}
$mime = get_mime_type($upfile);
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^(image|video|audio|application)#i", $mime)) {
ShowMsg("仅支持媒体文件及应用程序上传", -1);
exit;
}

@move_uploaded_file($upfile, $fullfilename);
if ($mediatype == 1) {
require_once(DEDEINC."/image.func.php");


+ 10
- 0
src/admin/swfupload.php View File

@@ -34,6 +34,16 @@ if (empty($dopost)) {

$FiledataNew = str_replace("\\", '/', $Filedata);
$FiledataNew = $tmpdir.'/'.preg_replace("/(.*)[\/]/isU", "", $FiledataNew);

$mime = get_mime_type($Filedata);
if (preg_match("#^unknow#", $mime)) {
echo "ERROR: Create {$tmpdir} dir Error! ";
exit;
}
if (!preg_match("#^(image|video|audio|application)#i", $mime)) {
echo "ERROR: Create {$tmpdir} dir Error! ";
exit;
}
move_uploaded_file($Filedata, $FiledataNew);

$info = $ftype = $sname = '';
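Review bot: Both rejection branches on L287 and L291 echo `ERROR: Create {$tmpdir} dir Error!`, copied from the directory-creation failure above the hunk, so a rejected upload reports a wrong cause and echoes the temporary directory name for no reason. Messages naming the actual condition, e.g. `echo "ERROR: fileinfo extension not available";` and `echo "ERROR: file type not allowed";`, would make the failure diagnosable; this assumes the swfupload client only displays the text rather than parsing it — confirm. The `empty($dopost)` branch starts outside the hunk.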


+ 9
- 0
src/admin/sys_info_mark.php View File

@@ -45,6 +45,15 @@ if ($action == "save") {
exit;
}
$photo_markimg = 'mark'.$shortname;
$mime = get_mime_type($newimg);
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^(image|video|audio|application)#i", $mime)) {
ShowMsg("仅支持媒体文件及应用程序上传", -1);
exit;
}
@move_uploaded_file($newimg, DEDEDATA."/mark/".$photo_markimg);
}
$configstr .= "\$photo_markimg = '{$photo_markimg}';\r\n";
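Review bot: `$photo_markimg` is the watermark image written under DEDEDATA/mark on L316 and referenced from the config string on L318, so it is always an image, but the pattern on L312 also accepts video, audio and application types. `if (!preg_match("#^image#i", $mime)) {` with the "非图片格式文件" message from friendlink_add.php would be the tighter check. Where `$shortname` and `$newimg` come from is outside the hunk.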


+ 13
- 0
src/system/common.func.php View File

@@ -47,6 +47,19 @@ if (version_compare(PHP_VERSION, '7.0.0', '>=')) {
}
}

function get_mime_type($filename)
{
if (! function_exists('finfo_open'))
{
return 'unknow/octet-stream';
}

$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimeType = finfo_file($finfo, $filename);
finfo_close($finfo);
return $mimeType;
}

function is_all_numeric(array $array){
foreach($array as $item){
if(!is_numeric($item)) return false;
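Review bot: get_mime_type does not keep its contract of returning a string: `finfo_open` can return false, in which case the `finfo_file` call on L337 fails, and `finfo_file` itself returns false for a file it cannot read, which is then handed to the callers' preg_match. `if ($finfo === false) return 'unknow/octet-stream';` after L336 and `return $mimeType === false ? '' : $mimeType;` in place of L339 keep the return a string; an empty string fails every caller's allowlist, so an unreadable file is still rejected, just with the file-type message rather than the fileinfo one. A short docblock should also state that callers match on the `unknow` prefix, so that spelling cannot be corrected without updating all of them. is_all_numeric continues past the hunk.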


+ 17
- 0
src/system/helpers/upload.helper.php View File

@@ -79,6 +79,12 @@ if (!function_exists('AdminUpload')) {
}
}
$fileurl = $filedir.'/'.$filename.'.'.$file_sname;
$mime = get_mime_type($file_tmp);
if (!preg_match("#^image#i", $mime)) {
return -1;
}
$rs = move_uploaded_file($file_tmp, $cfg_basedir.$fileurl);
if (!$rs) return -2;
if ($ftype == 'image' && $watermark) {
@@ -157,6 +163,17 @@ if (!function_exists('MemberUploads')) {
} else {
$filename = $cfg_user_dir."/{$userid}/{$exname}.".$sname;
}
$mime = get_mime_type($GLOBALS[$upname]);
if (preg_match("#^unknow#", $mime)) {
ShowMsg("系统不支持fileinfo组件,建议php.ini中开启", -1);
exit;
}
if (!preg_match("#^(image|video|audio|application)#i", $mime)) {
ShowMsg("仅支持媒体文件及应用程序上传", -1);
exit;
}
move_uploaded_file($GLOBALS[$upname], $cfg_basedir.$filename) or die("上传文件到 {$filename} 失败");
@unlink($GLOBALS[$upname]);
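Review bot: The AdminUpload check on L356 hard-codes `#^image#i`, but the function has a `$ftype` parameter and L361 branches on `$ftype == 'image'`, which suggests it is also used for other types; if any caller passes a non-image type, those uploads now return -1. Confirm the call sites and, if non-image use exists, derive the pattern from `$ftype` instead. This hunk also omits the `unknow` check the other hunks have, so a missing fileinfo extension becomes the same -1 as a wrong type — acceptable as fail-closed, but worth a comment such as `// -1: not an image (also returned when fileinfo is unavailable)`. Both AdminUpload and MemberUploads start outside their hunks.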

