优化 加强远程下载的安全性
This commit is contained in:
parent
a5c1b95dc4
commit
41eb5bb0a3
|
@ -163,6 +163,8 @@ $_config['security']['querysafe']['afullnote'] = 0;
|
|||
$_config['security']['creditsafe']['second'] = 0; // 开启用户积分信息安全,可防止并发刷分,满足 times(次数)/second(秒) 的操作无法提交
|
||||
$_config['security']['creditsafe']['times'] = 10;
|
||||
|
||||
$_config['security']['fsockopensafe']['port'] = array(80); //fsockopen 有效的端口
|
||||
|
||||
$_config['admincp']['founder'] = '1'; // 站点创始人:拥有站点管理后台的最高权限,每个站点可以设置 1名或多名创始人
|
||||
// 可以使用uid,也可以使用用户名;多个创始人之间请使用逗号“,”分开;
|
||||
$_config['admincp']['forcesecques'] = 0; // 管理人员必须设置安全提问才能进入系统设置 0=否, 1=是[安全]
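Review bot: The new default `$_config['security']['fsockopensafe']['port'] = array(80);` lists only port 80, while the `_parse_url` validator added in the next hunk checks the port only when the URL names one explicitly and otherwise fills in 443 for https; the same allowlist therefore accepts `https://example.com/` but refuses `https://example.com:443/`. Unless that asymmetry is intended, the default should be `array(80, 443);`. The trailing comment should also say what the list governs, e.g. `// explicit ports a remote URL may use; http/https without a port are implied as 80/443`.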
|
||||
|
|
|
@ -12,28 +12,66 @@ if(!defined('IN_DISCUZ')) {
|
|||
}
|
||||
|
||||
function _isLocalip($ip) {
|
||||
$iplong = ip2long($ip);
|
||||
$iplong = ip2long($ip);
|
||||
return ($iplong >= 167772160 && $iplong <= 184549375) ||
|
||||
($iplong >= 2886729728 && $iplong <= 2887778303) ||
|
||||
($iplong >= 1681915904 && $iplong <= 1686110207) ||
|
||||
($iplong >= 3232235520 && $iplong <= 3232301055) ||
|
||||
($iplong >= 3232235520 && $iplong <= 3232301055) ||
|
||||
($iplong >= 150994944 && $iplong <= 167772159);
|
||||
}
|
||||
|
||||
function _isip($host) {
|
||||
if(function_exists('filter_var')) {
|
||||
return filter_var($host, FILTER_VALIDATE_IP) !== false;
|
||||
function _parse_url($url) {
|
||||
global $_G;
|
||||
$tmp = parse_url($url);
|
||||
if(!$tmp || empty($tmp['host'])) return false;
|
||||
if(isset($tmp['user']) || isset($tmp['pass'])) return false;
|
||||
if(strpbrk($tmp['host'], ':#?[]' ) !== false) return false;
|
||||
if(!in_array(strtolower($tmp['scheme']), array('http', 'https'))) {
|
||||
return false;
|
||||
}
|
||||
$config = $_G['config']['security']['fsockopensafe'];
|
||||
|
||||
$ip = gethostbyname($tmp['host']);
|
||||
if($ip == $tmp['host']) {
|
||||
return false;
|
||||
}
|
||||
if(filter_var($tmp['host'], FILTER_VALIDATE_IP) && _isLocalip($tmp['host'])) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if(!empty($config['port']) && isset($tmp['port'])) {
|
||||
if(isset($_SERVER['SERVER_PORT']) && !in_array($_SERVER['SERVER_PORT'], $config['port'])) {
|
||||
$config['port'][] = $_SERVER['SERVER_PORT'];
|
||||
}
|
||||
if(!in_array($tmp['port'], $config['port'])) {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
if(!isset($tmp['port'])) {
|
||||
$tmp['port'] = strtolower($tmp['scheme']) == 'https' ? 443 : 80;
|
||||
}
|
||||
|
||||
if($ip) {
|
||||
if(!_isLocalip($ip)) {
|
||||
$tmp['ip'] = $ip;
|
||||
return $tmp;
|
||||
}
|
||||
} else {
|
||||
return preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $host);
|
||||
return $tmp;
|
||||
}
|
||||
}
|
||||
|
||||
function _dfsockopen($url, $limit = 0, $post = '', $cookie = '', $bysocket = FALSE, $ip = '', $timeout = 15, $block = TRUE, $encodetype = 'URLENCODE', $allowcurl = TRUE, $position = 0, $files = array()) {
|
||||
$return = '';
|
||||
$matches = parse_url($url);
|
||||
$matches = _parse_url($url);
|
||||
if(!$matches) {
|
||||
return '';
|
||||
}
|
||||
$ip = isset($matches['ip']) ? $matches['ip'] : $ip;
|
||||
$scheme = $matches['scheme'];
|
||||
$host = $matches['host'];
|
||||
if(_isip($host) && _isLocalip($host) || $ip && _isLocalip($ip)) {
|
||||
if($ip && _isLocalip($ip)) {
|
||||
return '';
|
||||
}
|
||||
$path = $matches['path'] ? $matches['path'].($matches['query'] ? '?'.$matches['query'] : '') : '/';
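Review bot: In the new `_parse_url`, `if($ip == $tmp['host']) return false;` rejects every URL whose host is an IP literal, because `gethostbyname()` returns a dotted-quad argument unchanged, so the `filter_var($tmp['host'], FILTER_VALIDATE_IP) && _isLocalip(...)` branch directly below it can never run; if refusing IP literals is the intent, document it with `// IP-literal hosts are refused: gethostbyname() returns them unchanged` and drop the dead branch. The only private-address filter applied to the resolved `$ip` is `_isLocalip`, whose ranges cover 10/8, 172.16/12, 100.64/10, 192.168/16 and what computes to 9.0.0.0/8 (confirm that last one is intended), but not loopback or link-local, so a name that resolves to 127.0.0.1 or 169.254.x.x still passes; add `($iplong >= 2130706432 && $iplong <= 2147483647) ||` and `($iplong >= 2851995648 && $iplong <= 2852061183) ||` to that list. `$tmp['scheme']` is read without an `isset` guard, so a scheme-less URL emits a notice before `in_array` rejects it; `isset($tmp['scheme']) && in_array(...)` closes that. `_dfsockopen` continues past the end of this hunk.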
|
||||
|
@ -60,7 +98,6 @@ function _dfsockopen($url, $limit = 0, $post = '', $cookie = '', $bysocket = FAL
|
|||
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
|
||||
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
|
||||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
|
||||
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
|
||||
curl_setopt($ch, CURLOPT_HEADER, 1);
|
||||
if($post) {
|
||||
curl_setopt($ch, CURLOPT_POST, 1);
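Review bot: If `curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);` survives this hunk (the header counts 7 old lines to 6 new, but the rendering dropped the marker, so I cannot tell which line is removed), cURL follows any 3xx from the validated host to an arbitrary Location, so the host, scheme and port checks `_parse_url` performs on the original URL are bypassed by a redirect. Either set it to `false` and re-validate each Location through `_parse_url` in a bounded loop, or at minimum add `curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);` so redirects cannot change protocol. The context lines `CURLOPT_SSL_VERIFYPEER`/`CURLOPT_SSL_VERIFYHOST` set to `false` are pre-existing, but they leave the https branch without server authentication and deserve a `// TODO: enable certificate verification` here. `_dfsockopen` starts and ends outside this hunk.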
|
||||
|
|