diff --git a/.gitignore b/.gitignore index a19302f..8e2043a 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,5 @@ src/index.html src/data/admin/ src/data/module/ src/uploads/*.php +src/data/time.lock.inc +src/m/index.html diff --git a/src/dede/article_keywords_select.php b/src/dede/article_keywords_select.php index 6725e8f..2124c50 100755 --- a/src/dede/article_keywords_select.php +++ b/src/dede/article_keywords_select.php @@ -12,6 +12,8 @@ require_once(dirname(__FILE__)."/config.php"); require_once(DEDEINC."/datalistcp.class.php"); setcookie("ENV_GOBACK_URL",$dedeNowurl,time()+3600,"/"); +$f = RemoveXSS($f); + if(empty($keywords)) $keywords = ""; $sql = "SELECT * FROM #@__keywords ORDER BY rank DESC"; diff --git a/src/dede/content_list.php b/src/dede/content_list.php index 74cc5f3..f5bf652 100755 --- a/src/dede/content_list.php +++ b/src/dede/content_list.php @@ -24,6 +24,8 @@ if(!isset($flag)) $flag = ''; if(!isset($arcrank)) $arcrank = ''; if(!isset($dopost)) $dopost = ''; +$arcrank = RemoveXSS($arcrank); + //检查权限许可,总权限 CheckPurview('a_List,a_AccList,a_MyList'); diff --git a/src/dede/file_pic_view.php b/src/dede/file_pic_view.php index 4a315f4..03e6bb1 100755 --- a/src/dede/file_pic_view.php +++ b/src/dede/file_pic_view.php @@ -13,6 +13,7 @@ CheckPurview('pic_view'); if(empty($activepath)) $activepath=$cfg_medias_dir; $activepath = preg_replace("#\/{1,}#", "/", $activepath); +$activepath = RemoveXSS($activepath); $truePath = $cfg_basedir.$activepath; $listSize=5; include DedeInclude('templets/file_pic_view.htm'); diff --git a/src/dede/login.php b/src/dede/login.php index 240d1d9..a554274 100755 --- a/src/dede/login.php +++ b/src/dede/login.php @@ -12,6 +12,8 @@ require_once(dirname(__FILE__).'/../include/common.inc.php'); require_once(DEDEINC.'/userlogin.class.php'); if(empty($dopost)) $dopost = ''; +$gotopage = RemoveXSS($gotopage); + //检测安装目录安全性 if( is_dir(dirname(__FILE__).'/../install') ) { 
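Review bot: In article_keywords_select.php the new `$f = RemoveXSS($f);` has no initialisation, while `$keywords` two lines below is guarded with `if(empty($keywords)) $keywords = "";`; on a request that omits the parameter RemoveXSS receives an undefined variable. Add the same guard in the file's own style before the call: `if(empty($f)) $f = '';`. RemoveXSS is a pattern blacklist, so the durable fix is still escaping at the point of output for the context the value lands in (`htmlspecialchars` with `ENT_QUOTES` in HTML, `json_encode` inside script blocks); the filter is a reasonable stopgap but should not be treated as the final control.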
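Review bot: In file_pic_view.php the added `$activepath = RemoveXSS($activepath);` is followed directly by `$truePath = $cfg_basedir.$activepath;`, and an XSS filter does not constrain a filesystem path — `..` segments pass through it unchanged. Add a traversal check that falls back to the configured directory, e.g. `if (strpos($activepath, '..') !== false) $activepath = $cfg_medias_dir;`, or verify with `realpath()` that `$truePath` still lies under `$cfg_basedir` before it is used. pic_view.php on the next line adds the identical pair of lines and needs the same check.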
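Review bot: In dede/login.php the new `$gotopage = RemoveXSS($gotopage);` lacks the initialisation that `$dopost` gets on the line above; add `if(empty($gotopage)) $gotopage = '';` first. The name suggests `$gotopage` is the post-login redirect target (its use is outside the hunk), and if so RemoveXSS does not constrain where the user is sent — the applicable control is to accept only a same-site relative path, e.g. `if ($gotopage !== '' && !preg_match('#^/[^/\\\\]#', $gotopage)) $gotopage = '';`, and otherwise fall back to the default page. member/login.php adds `$gourl = RemoveXSS($gourl);` with the same two gaps.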
diff --git a/src/dede/pic_view.php b/src/dede/pic_view.php index 6efdbff..1d00514 100755 --- a/src/dede/pic_view.php +++ b/src/dede/pic_view.php @@ -13,6 +13,7 @@ CheckPurview('pic_view'); if(empty($activepath)) $activepath = $cfg_medias_dir; $activepath = preg_replace("#\/{1,}#", "/", $activepath); +$activepath = RemoveXSS($activepath); $truePath = $cfg_basedir.$activepath; $listSize=5; include DedeInclude('templets/pic_view.htm'); diff --git a/src/dede/templets/index_body.htm b/src/dede/templets/index_body.htm index 7ed275e..c41bd41 100755 --- a/src/dede/templets/index_body.htm +++ b/src/dede/templets/index_body.htm @@ -188,11 +188,11 @@ $(function() - + - +
主程序研发: 织梦团队织梦团队
鸣谢:热心用户赞助商热心用户赞助商
diff --git a/src/include/dialog/select_images.php b/src/include/dialog/select_images.php index 07d18dd..956d89e 100755 --- a/src/include/dialog/select_images.php +++ b/src/include/dialog/select_images.php @@ -33,6 +33,7 @@ if(empty($f)) { $f = 'form1.picname'; } +$f = RemoveXSS($f); if(empty($v)) { $v = 'picview'; diff --git a/src/include/taglib/qrcode.lib.php b/src/include/taglib/qrcode.lib.php index 5a1222f..14379d0 100755 --- a/src/include/taglib/qrcode.lib.php +++ b/src/include/taglib/qrcode.lib.php @@ -37,7 +37,7 @@ function lib_qrcode(&$ctag,&$refObj) var __dedeqrcode_id={$GLOBALS['qrcode_id']}; var __dedeqrcode_aid={$id}; var __dedeqrcode_type='{$type}'; - var __dedeqrcode_dir='{$GLOBALS['cfg_images_dir']}'; + var __dedeqrcode_dir='{$GLOBALS['cfg_plus_dir']}'; EOT; diff --git a/src/member/login.php b/src/member/login.php index f135723..9d568f9 100755 --- a/src/member/login.php +++ b/src/member/login.php @@ -7,6 +7,7 @@ * @link http://www.dedecms.com */ require_once(dirname(__FILE__)."/config.php"); +$gourl = RemoveXSS($gourl); if($cfg_ml->IsLogin()) { ShowMsg('你已经登陆系统,无需重新注册!', 'index.php'); diff --git a/src/member/templets/index-notlogin.htm b/src/member/templets/index-notlogin.htm index c1eba81..8e193b1 100755 --- a/src/member/templets/index-notlogin.htm +++ b/src/member/templets/index-notlogin.htm @@ -98,7 +98,7 @@ document.write("午夜好,"); } diff --git a/src/member/templets/login.htm b/src/member/templets/login.htm index 691c0d5..aecc92c 100755 --- a/src/member/templets/login.htm +++ b/src/member/templets/login.htm @@ -105,7 +105,7 @@ document.write("午夜好,"); } diff --git a/src/member/templets/reg-new.htm b/src/member/templets/reg-new.htm index 3594054..81883d5 100755 --- a/src/member/templets/reg-new.htm +++ b/src/member/templets/reg-new.htm @@ -201,7 +201,7 @@ document.write("午夜好,"); } diff --git a/src/member/templets/reg-new2.htm b/src/member/templets/reg-new2.htm index 5209f38..97efd1b 100755 --- a/src/member/templets/reg-new2.htm 
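Review bot: In select_images.php the added `$f = RemoveXSS($f);` filters a value whose default is `'form1.picname'`, i.e. a form-field reference made of identifier characters and dots, so a whitelist is both simpler and stronger than a blacklist here: `$f = preg_replace('#[^\w.]#', '', $f);` keeps the default intact and rejects everything else. Placing it after the `empty()` default, as the hunk does, is correct so the fallback is never stripped.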
+++ b/src/member/templets/reg-new2.htm @@ -116,7 +116,7 @@ document.write("午夜好,"); } diff --git a/src/member/templets/reg-new3.htm b/src/member/templets/reg-new3.htm index 20bc987..abb42dc 100755 --- a/src/member/templets/reg-new3.htm +++ b/src/member/templets/reg-new3.htm @@ -54,7 +54,7 @@ document.write("午夜好,"); } diff --git a/src/member/templets/resetpassword.htm b/src/member/templets/resetpassword.htm index 4dc4d6b..7698896 100755 --- a/src/member/templets/resetpassword.htm +++ b/src/member/templets/resetpassword.htm @@ -129,7 +129,7 @@ document.write("午夜好,"); } diff --git a/src/member/templets/resetpassword2.htm b/src/member/templets/resetpassword2.htm index d69c9bf..dc31a4d 100755 --- a/src/member/templets/resetpassword2.htm +++ b/src/member/templets/resetpassword2.htm @@ -130,7 +130,7 @@ document.write("午夜好,"); } diff --git a/src/member/templets/resetpassword3.htm b/src/member/templets/resetpassword3.htm index e7ee038..5b3c7f1 100755 --- a/src/member/templets/resetpassword3.htm +++ b/src/member/templets/resetpassword3.htm @@ -127,7 +127,7 @@ document.write("午夜好,"); } diff --git a/src/plus/download.php b/src/plus/download.php index 754bdf0..c4a6b2c 100755 --- a/src/plus/download.php +++ b/src/plus/download.php @@ -57,6 +57,7 @@ else if($open==1) //更新下载次数 $id = isset($id) && is_numeric($id) ? $id : 0; $link = base64_decode(urldecode($link)); + $linkinfo = parse_url($link); if ( !$link ) { ShowMsg('无效地址','javascript:;'); @@ -77,9 +78,11 @@ else if($open==1) { $site = explode('|', $site); $domain = parse_url(trim($site[0])); - $allowed[] = $domain['host']; + if ($domain['host'] ) { + $allowed[] = $domain['host']; + } } - + if ( !in_array($linkinfo['host'], $allowed) ) { ShowMsg('非下载地址,禁止访问','javascript:;'); diff --git a/src/plus/recommend.php b/src/plus/recommend.php index 6db98f1..9d585b1 100755 --- a/src/plus/recommend.php +++ b/src/plus/recommend.php 
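Review bot: In download.php the host check `if ( !in_array($linkinfo['host'], $allowed) )` is still a loose comparison and assumes `$linkinfo` is an array with a `host` key, which `parse_url()` does not guarantee for a malformed or host-less `$link`; make the failure explicit and the comparison strict: `if ($linkinfo === false || empty($linkinfo['host']) || !in_array(strtolower($linkinfo['host']), $allowed, true))`. Host names are case-insensitive, so lowercase the configured hosts as well when building `$allowed`, and use `!empty($domain['host'])` in the new guard so a config entry without a host does not emit a notice. The `$linkinfo = parse_url($link);` added in the first hunk runs before the `if ( !$link )` rejection; moving it below that check keeps the parse on validated input only.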
@@ -12,7 +12,7 @@ require_once(dirname(__FILE__)."/../include/common.inc.php"); require_once(DEDEINC."/channelunit.class.php"); if(!isset($action)) $action = ''; - +unset($_FILES); if(isset($arcID)) $aid = $arcID; $arcID = $aid = (isset($aid) && is_numeric($aid) ? $aid : 0); $type = (!isset($type) ? "" : $type); diff --git a/src/plus/search.php b/src/plus/search.php index 7d29462..8f8205b 100755 --- a/src/plus/search.php +++ b/src/plus/search.php @@ -17,6 +17,7 @@ $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; $channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0; $kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 0; $mid = (isset($mid) && is_numeric($mid)) ? $mid : 0; +unset($typeArr); if(!isset($orderby)) $orderby=''; else $orderby = preg_replace("#[^a-z]#i", '', $orderby);
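Review bot: The added `unset($_FILES);` in recommend.php and `unset($typeArr);` in search.php carry no comment, so their purpose is invisible to the next maintainer and either line is likely to be removed as dead code. Presumably both keep request-supplied values from pre-seeding variables the scripts later rely on; say so in place, e.g. `// recommend.php handles no uploads: drop $_FILES so request-supplied entries cannot reach the code below` and `// reset before use so a request-supplied $typeArr cannot pre-seed the type list`. Both scripts include common.inc.php above this point, so confirm nothing in that include has already consumed these values before the unset runs.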