From adf744f9ed14b4ec46a35291efde85e23aa5407e Mon Sep 17 00:00:00 2001
From: llgoer
Date: Sat, 25 Apr 2020 19:10:09 +0800
Subject: [PATCH 1/5] =?UTF-8?q?=E4=BF=AE=E6=AD=A3=E9=83=A8=E5=88=86?= =?UTF-8?q?=E5=AD=98=E5=9C=A8=E7=9A=84=E5=AE=89=E5=85=A8=E9=9A=90=E6=82=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitignore | 1 +
 src/dede/article_keywords_select.php | 2 ++
 src/dede/content_list.php | 2 ++
 src/dede/file_pic_view.php | 1 +
 src/dede/login.php | 2 ++
 src/dede/pic_view.php | 1 +
 src/include/dialog/select_images.php | 1 +
 src/member/login.php | 1 +
 src/plus/download.php | 7 +++++--
 src/plus/recommend.php | 2 +-
 src/plus/search.php | 1 +
 11 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/.gitignore b/.gitignore
index a19302f..4badc84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@ src/index.html
 src/data/admin/
 src/data/module/
 src/uploads/*.php
+src/data/time.lock.inc
diff --git a/src/dede/article_keywords_select.php b/src/dede/article_keywords_select.php
index 6725e8f..2124c50 100755
--- a/src/dede/article_keywords_select.php
+++ b/src/dede/article_keywords_select.php
@@ -12,6 +12,8 @@ require_once(dirname(__FILE__)."/config.php");
 require_once(DEDEINC."/datalistcp.class.php");
 setcookie("ENV_GOBACK_URL",$dedeNowurl,time()+3600,"/");
+$f = RemoveXSS($f);
+
 if(empty($keywords)) $keywords = "";
 $sql = "SELECT * FROM #@__keywords ORDER BY rank DESC";
diff --git a/src/dede/content_list.php b/src/dede/content_list.php
index 74cc5f3..f5bf652 100755
--- a/src/dede/content_list.php
+++ b/src/dede/content_list.php
@@ -24,6 +24,8 @@ if(!isset($flag)) $flag = '';
 if(!isset($arcrank)) $arcrank = '';
 if(!isset($dopost)) $dopost = '';
+$arcrank = RemoveXSS($arcrank);
+
 //检查权限许可,总权限
 CheckPurview('a_List,a_AccList,a_MyList');
diff --git a/src/dede/file_pic_view.php b/src/dede/file_pic_view.php
index 4a315f4..03e6bb1 100755
--- a/src/dede/file_pic_view.php
+++ b/src/dede/file_pic_view.php
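Review bot: `$f = RemoveXSS($f);` in src/dede/article_keywords_select.php is applied to `$f` before the script has given it a default, unlike `$keywords` two lines down which is guarded with `empty()`; on a request without that parameter this reads an undefined variable (presumably `$f` is populated from the request by the shared include, which is not visible here). RemoveXSS is also an input-side denylist filter rather than context-aware encoding, so wherever `$f` is later written into the page (outside this hunk) it should still be escaped for that context at the point of output. A minimal tightening of this line: `if(empty($f)) $f = ''; $f = RemoveXSS($f);`.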
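Review bot: `$arcrank = RemoveXSS($arcrank);` in src/dede/content_list.php only strips script-like markup; if `$arcrank` is used as a filter value in the article query further down (outside this hunk), a denylist filter is not a defense against injection there, and an allow-list is the right check. If the rank is numeric, as the name suggests, `if($arcrank !== '') $arcrank = intval($arcrank);` makes the value safe in every later context; otherwise restrict it to the expected characters, the way this same commit handles `$orderby` in src/plus/search.php with `preg_replace("#[^a-z]#i", '', ...)`.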
@@ -13,6 +13,7 @@ CheckPurview('pic_view');
 if(empty($activepath)) $activepath=$cfg_medias_dir;
 $activepath = preg_replace("#\/{1,}#", "/", $activepath);
+$activepath = RemoveXSS($activepath);
 $truePath = $cfg_basedir.$activepath;
 $listSize=5;
 include DedeInclude('templets/file_pic_view.htm');
diff --git a/src/dede/login.php b/src/dede/login.php
index 240d1d9..a554274 100755
--- a/src/dede/login.php
+++ b/src/dede/login.php
@@ -12,6 +12,8 @@ require_once(dirname(__FILE__).'/../include/common.inc.php');
 require_once(DEDEINC.'/userlogin.class.php');
 if(empty($dopost)) $dopost = '';
+$gotopage = RemoveXSS($gotopage);
+
 //检测安装目录安全性
 if( is_dir(dirname(__FILE__).'/../install') )
 {
diff --git a/src/dede/pic_view.php b/src/dede/pic_view.php
index 6efdbff..1d00514 100755
--- a/src/dede/pic_view.php
+++ b/src/dede/pic_view.php
@@ -13,6 +13,7 @@ CheckPurview('pic_view');
 if(empty($activepath)) $activepath = $cfg_medias_dir;
 $activepath = preg_replace("#\/{1,}#", "/", $activepath);
+$activepath = RemoveXSS($activepath);
 $truePath = $cfg_basedir.$activepath;
 $listSize=5;
 include DedeInclude('templets/pic_view.htm');
diff --git a/src/include/dialog/select_images.php b/src/include/dialog/select_images.php
index 07d18dd..956d89e 100755
--- a/src/include/dialog/select_images.php
+++ b/src/include/dialog/select_images.php
@@ -33,6 +33,7 @@ if(empty($f))
 {
 $f = 'form1.picname';
 }
+$f = RemoveXSS($f);
 if(empty($v))
 {
 $v = 'picview';
diff --git a/src/member/login.php b/src/member/login.php
index f135723..9d568f9 100755
--- a/src/member/login.php
+++ b/src/member/login.php
@@ -7,6 +7,7 @@
  * @link http://www.dedecms.com
  */
 require_once(dirname(__FILE__)."/config.php");
+$gourl = RemoveXSS($gourl);
 if($cfg_ml->IsLogin())
 {
 ShowMsg('你已经登陆系统,无需重新注册!', 'index.php');
diff --git a/src/plus/download.php b/src/plus/download.php
index 754bdf0..c4a6b2c 100755
--- a/src/plus/download.php
+++ b/src/plus/download.php
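Review bot: `$activepath = RemoveXSS($activepath);` in src/dede/file_pic_view.php does not address the risk on the very next line, `$truePath = $cfg_basedir.$activepath;`: RemoveXSS removes markup, not `..` segments, so a request-supplied `activepath` can still resolve outside `$cfg_basedir` unless something outside this hunk constrains it (what is done with `$truePath` is not visible here). A containment check belongs next to the new line, e.g. `if(preg_match("#\.\.#", $activepath)) $activepath = $cfg_medias_dir;` or a `realpath()` comparison against `$cfg_basedir`. The identical hunk in src/dede/pic_view.php has the same gap. Both scripts sit behind `CheckPurview('pic_view')`, so this is an authenticated-backend concern, but still one worth closing in the same change.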
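Review bot: `$gotopage = RemoveXSS($gotopage);` in src/dede/login.php runs before `$gotopage` is given a default, unlike `$dopost` on the line above, and RemoveXSS does not restrict the value to a local page. If `$gotopage` is the post-login redirect target (its use is outside this hunk), the value can still carry an absolute or protocol-relative URL, which is an open-redirect rather than an XSS problem. Rejecting any scheme or `//` prefix before the sanitizer makes the later default apply: `if(empty($gotopage) || preg_match("#^\s*(\w+:|//)#i", $gotopage)) $gotopage = '';`. The `$gourl = RemoveXSS($gourl);` line in src/member/login.php has the same shape and should get the same check.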
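Review bot: `$f = RemoveXSS($f);` in src/include/dialog/select_images.php looks like the wrong tool for this value: its default `'form1.picname'` is a `form.field` path, which suggests it is later interpolated into JavaScript to address the opener's form (that use is outside the hunk). Inside a script block an HTML-oriented filter does not stop a value from breaking out of the string literal, whereas an allow-list does and is simpler to reason about: `$f = preg_replace("#[^\w\.]#", '', $f);` keeps exactly the characters a `form.field` path needs and nothing else.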
@@ -57,6 +57,7 @@ else if($open==1)
 //更新下载次数
 $id = isset($id) && is_numeric($id) ? $id : 0;
 $link = base64_decode(urldecode($link));
+ $linkinfo = parse_url($link);
 if ( !$link )
 {
 ShowMsg('无效地址','javascript:;');
@@ -77,9 +78,11 @@ else if($open==1)
 {
 $site = explode('|', $site);
 $domain = parse_url(trim($site[0]));
- $allowed[] = $domain['host'];
+ if ($domain['host'] ) {
+ $allowed[] = $domain['host'];
+ }
 }
-
+
 if ( !in_array($linkinfo['host'], $allowed) )
 {
 ShowMsg('非下载地址,禁止访问','javascript:;');
diff --git a/src/plus/recommend.php b/src/plus/recommend.php
index 6db98f1..9d585b1 100755
--- a/src/plus/recommend.php
+++ b/src/plus/recommend.php
@@ -12,7 +12,7 @@ require_once(dirname(__FILE__)."/../include/common.inc.php");
 require_once(DEDEINC."/channelunit.class.php");
 if(!isset($action)) $action = '';
-
+unset($_FILES);
 if(isset($arcID)) $aid = $arcID;
 $arcID = $aid = (isset($aid) && is_numeric($aid) ? $aid : 0);
 $type = (!isset($type) ? "" : $type);
diff --git a/src/plus/search.php b/src/plus/search.php
index 7d29462..8f8205b 100755
--- a/src/plus/search.php
+++ b/src/plus/search.php
@@ -17,6 +17,7 @@ $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
 $channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
 $kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 0;
 $mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
+unset($typeArr);
 if(!isset($orderby)) $orderby=''; else $orderby = preg_replace("#[^a-z]#i", '', $orderby);

From 41e1fd92e43eb0bdf54edfb91f9c530230f7025a Mon Sep 17 00:00:00 2001
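Review bot: the host comparison in the second src/plus/download.php hunk, `if ( !in_array($linkinfo['host'], $allowed) )`, still has gaps that the new `if ($domain['host'] )` guard does not cover. `parse_url()` returns `false` for a malformed URL and omits `host` for a scheme-less one such as `host/path`, so `$linkinfo['host']` can be null or raise a notice; `in_array` is called without `true`, so the comparison is loose; and hosts are compared case-sensitively, so `Example.COM` does not match a configured `example.com`. In the first hunk `$linkinfo = parse_url($link);` is also computed before the `!$link` check and never validated; a scheme allow-list belongs in the same condition so that only web URLs pass. Both hunks are inside the `else if($open==1)` block, which starts and ends outside the hunk.
```php
// … unchanged: $allowed built from the configured site list …
$host = (is_array($linkinfo) && isset($linkinfo['host'])) ? strtolower($linkinfo['host']) : '';
$scheme = (is_array($linkinfo) && isset($linkinfo['scheme'])) ? strtolower($linkinfo['scheme']) : '';
$allowed = array_map('strtolower', $allowed);
if ( $host === '' || !in_array($scheme, array('http', 'https'), true) || !in_array($host, $allowed, true) )
{
    ShowMsg('非下载地址,禁止访问','javascript:;');
    // … unchanged: remainder of the rejection branch …
```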
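Review bot: `unset($_FILES);` in src/plus/recommend.php comes after `require_once(...common.inc.php)` (the hunk's header context), so anything that include does with uploaded files has already run by the time the superglobal is cleared; if the intent is to stop this endpoint from accepting uploads, confirm that the shared include does not act on `$_FILES` itself, otherwise the unset is too late to matter. The line also replaces a blank line with no explanation of why a recommendation endpoint discards uploads, which invites a future cleanup to delete it. A comment such as `// this endpoint takes no uploads; clear $_FILES so no shared upload handling can run on it` records the intent.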
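Review bot: `unset($typeArr);` in src/plus/search.php removes a variable the visible lines never assign, which reads as a guard against a request-supplied value of that name (every neighbouring request variable is defaulted with `isset`/`is_numeric`). Unsetting leaves the variable undefined rather than in a known state and carries no explanation of what it protects against. Initialising it to the shape the later code expects (for example `$typeArr = array();` if it is a list of type ids — confirm against the use further down, which is outside the hunk) with a comment `// never trust a request-supplied $typeArr; it is populated below` states the intent and is robust to later edits.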
From: llgoer
Date: Sat, 25 Apr 2020 19:11:41 +0800
Subject: [PATCH 2/5] =?UTF-8?q?=E5=BA=95=E9=83=A8=E4=BF=A1=E6=81=AF?= =?UTF-8?q?=E4=BB=8E2019=E6=9B=B4=E6=96=B0=E5=88=B02020=E5=B9=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/member/templets/index-notlogin.htm | 2 +-
 src/member/templets/login.htm | 2 +-
 src/member/templets/reg-new.htm | 2 +-
 src/member/templets/reg-new2.htm | 2 +-
 src/member/templets/reg-new3.htm | 2 +-
 src/member/templets/resetpassword.htm | 2 +-
 src/member/templets/resetpassword2.htm | 2 +-
 src/member/templets/resetpassword3.htm | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/member/templets/index-notlogin.htm b/src/member/templets/index-notlogin.htm
index c1eba81..8e193b1 100755
--- a/src/member/templets/index-notlogin.htm
+++ b/src/member/templets/index-notlogin.htm
@@ -98,7 +98,7 @@ document.write("午夜好,"); }
diff --git a/src/member/templets/login.htm b/src/member/templets/login.htm
index 691c0d5..aecc92c 100755
--- a/src/member/templets/login.htm
+++ b/src/member/templets/login.htm
@@ -105,7 +105,7 @@ document.write("午夜好,"); }
diff --git a/src/member/templets/reg-new.htm b/src/member/templets/reg-new.htm
index 3594054..81883d5 100755
--- a/src/member/templets/reg-new.htm
+++ b/src/member/templets/reg-new.htm
@@ -201,7 +201,7 @@ document.write("午夜好,"); }
diff --git a/src/member/templets/reg-new2.htm b/src/member/templets/reg-new2.htm
index 5209f38..97efd1b 100755
--- a/src/member/templets/reg-new2.htm
+++ b/src/member/templets/reg-new2.htm
@@ -116,7 +116,7 @@ document.write("午夜好,"); }
diff --git a/src/member/templets/reg-new3.htm b/src/member/templets/reg-new3.htm
index 20bc987..abb42dc 100755
--- a/src/member/templets/reg-new3.htm
+++ b/src/member/templets/reg-new3.htm
@@ -54,7 +54,7 @@ document.write("午夜好,"); }
diff --git a/src/member/templets/resetpassword.htm b/src/member/templets/resetpassword.htm
index 4dc4d6b..7698896 100755
--- a/src/member/templets/resetpassword.htm
+++ b/src/member/templets/resetpassword.htm
@@ -129,7 +129,7 @@ document.write("午夜好,"); }
diff --git a/src/member/templets/resetpassword2.htm b/src/member/templets/resetpassword2.htm
index d69c9bf..dc31a4d 100755
--- a/src/member/templets/resetpassword2.htm
+++ b/src/member/templets/resetpassword2.htm
@@ -130,7 +130,7 @@ document.write("午夜好,"); }
diff --git a/src/member/templets/resetpassword3.htm b/src/member/templets/resetpassword3.htm
index e7ee038..5b3c7f1 100755
--- a/src/member/templets/resetpassword3.htm
+++ b/src/member/templets/resetpassword3.htm
@@ -127,7 +127,7 @@ document.write("午夜好,"); }

From 766853fa6bc2df9b5dcdd5dbfa1317949080286d Mon Sep 17 00:00:00 2001
From: llgoer
Date: Sat, 25 Apr 2020 19:18:29 +0800
Subject: [PATCH 3/5] Update qrcode.lib.php
---
 src/include/taglib/qrcode.lib.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/include/taglib/qrcode.lib.php b/src/include/taglib/qrcode.lib.php
index 5a1222f..14379d0 100755
--- a/src/include/taglib/qrcode.lib.php
+++ b/src/include/taglib/qrcode.lib.php
@@ -37,7 +37,7 @@ function lib_qrcode(&$ctag,&$refObj)
 var __dedeqrcode_id={$GLOBALS['qrcode_id']};
 var __dedeqrcode_aid={$id};
 var __dedeqrcode_type='{$type}';
- var __dedeqrcode_dir='{$GLOBALS['cfg_images_dir']}';
+ var __dedeqrcode_dir='{$GLOBALS['cfg_plus_dir']}';
 EOT;

From 08fe541e4bbffd07c9deb048e66bf9196a357238 Mon Sep 17 00:00:00 2001
From: llgoer
Date: Sat, 25 Apr 2020 19:26:29 +0800
Subject: [PATCH 4/5] =?UTF-8?q?=E8=B0=83=E6=95=B4=E5=90=8E=E5=8F=B0?= =?UTF-8?q?=E9=A1=B5=E9=9D=A2=E8=AF=B4=E6=98=8E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/dede/templets/index_body.htm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/dede/templets/index_body.htm b/src/dede/templets/index_body.htm
index 7ed275e..c41bd41 100755
--- a/src/dede/templets/index_body.htm
+++ b/src/dede/templets/index_body.htm
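Review bot: `var __dedeqrcode_dir='{$GLOBALS['cfg_plus_dir']}';` in src/include/taglib/qrcode.lib.php writes a PHP value into a single-quoted JavaScript literal with no escaping, exactly as the `__dedeqrcode_type='{$type}'` line above it already does; a `'`, a backslash or a `</script>` sequence in the value would break out of the string. `cfg_plus_dir` is presumably an administrator-set configuration value, so the exposure is limited, but the robust form costs one line: JSON-encode before the heredoc with `$dir = json_encode($GLOBALS['cfg_plus_dir']);` and emit `var __dedeqrcode_dir={$dir};`. The heredoc and `lib_qrcode` itself begin outside the hunk.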
@@ -188,11 +188,11 @@ $(function() - + - +
主程序研发: 织梦团队织梦团队
鸣谢:热心用户赞助商热心用户赞助商
From 487d83b8b795a3a481e54abc9ac5e4237fbc89c9 Mon Sep 17 00:00:00 2001
From: llgoer
Date: Sat, 25 Apr 2020 19:42:04 +0800
Subject: [PATCH 5/5] Update .gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 4badc84..8e2043a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@ src/data/admin/
 src/data/module/
 src/uploads/*.php
 src/data/time.lock.inc
+src/m/index.html