优化 加强远程下载的安全性
This commit is contained in:
parent
a5c1b95dc4
commit
41eb5bb0a3
|
@ -163,6 +163,8 @@ $_config['security']['querysafe']['afullnote'] = 0;
|
||||||
$_config['security']['creditsafe']['second'] = 0; // 开启用户积分信息安全,可防止并发刷分,满足 times(次数)/second(秒) 的操作无法提交
|
$_config['security']['creditsafe']['second'] = 0; // 开启用户积分信息安全,可防止并发刷分,满足 times(次数)/second(秒) 的操作无法提交
|
||||||
$_config['security']['creditsafe']['times'] = 10;
|
$_config['security']['creditsafe']['times'] = 10;
|
||||||
|
|
||||||
|
$_config['security']['fsockopensafe']['port'] = array(80); //fsockopen 有效的端口
|
||||||
|
|
||||||
$_config['admincp']['founder'] = '1'; // 站点创始人:拥有站点管理后台的最高权限,每个站点可以设置 1名或多名创始人
|
$_config['admincp']['founder'] = '1'; // 站点创始人:拥有站点管理后台的最高权限,每个站点可以设置 1名或多名创始人
|
||||||
// 可以使用uid,也可以使用用户名;多个创始人之间请使用逗号“,”分开;
|
// 可以使用uid,也可以使用用户名;多个创始人之间请使用逗号“,”分开;
|
||||||
$_config['admincp']['forcesecques'] = 0; // 管理人员必须设置安全提问才能进入系统设置 0=否, 1=是[安全]
|
$_config['admincp']['forcesecques'] = 0; // 管理人员必须设置安全提问才能进入系统设置 0=否, 1=是[安全]
|
||||||
|
|
|
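Review bot: The new default `array(80)` interacts awkwardly with the port gate this commit adds in `_parse_url`: that gate only runs when the URL names a port explicitly, and the 443 default for https is assigned afterwards, so `https://host/` passes while `https://host:443/` is rejected unless the site itself is served on 443. Either ship the default as `array(80, 443)` or state the rule in the trailing comment, e.g. `// ports _dfsockopen may connect to; enforced only when the URL names a port explicitly`. The comparison against `$_SERVER['SERVER_PORT']` and the URL port is a loose `in_array`, so mixed string/int entries in this list are tolerated, but an explicit `true` third argument would make the intent clear.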
@ -12,28 +12,66 @@ if(!defined('IN_DISCUZ')) {
|
||||||
}
|
}
|
||||||
|
|
||||||
function _isLocalip($ip) {
|
function _isLocalip($ip) {
|
||||||
$iplong = ip2long($ip);
|
$iplong = ip2long($ip);
|
||||||
return ($iplong >= 167772160 && $iplong <= 184549375) ||
|
return ($iplong >= 167772160 && $iplong <= 184549375) ||
|
||||||
($iplong >= 2886729728 && $iplong <= 2887778303) ||
|
($iplong >= 2886729728 && $iplong <= 2887778303) ||
|
||||||
($iplong >= 1681915904 && $iplong <= 1686110207) ||
|
($iplong >= 1681915904 && $iplong <= 1686110207) ||
|
||||||
($iplong >= 3232235520 && $iplong <= 3232301055) ||
|
($iplong >= 3232235520 && $iplong <= 3232301055) ||
|
||||||
($iplong >= 150994944 && $iplong <= 167772159);
|
($iplong >= 150994944 && $iplong <= 167772159);
|
||||||
}
|
}
|
||||||
|
|
||||||
function _isip($host) {
|
function _parse_url($url) {
|
||||||
if(function_exists('filter_var')) {
|
global $_G;
|
||||||
return filter_var($host, FILTER_VALIDATE_IP) !== false;
|
$tmp = parse_url($url);
|
||||||
|
if(!$tmp || empty($tmp['host'])) return false;
|
||||||
|
if(isset($tmp['user']) || isset($tmp['pass'])) return false;
|
||||||
|
if(strpbrk($tmp['host'], ':#?[]' ) !== false) return false;
|
||||||
|
if(!in_array(strtolower($tmp['scheme']), array('http', 'https'))) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
$config = $_G['config']['security']['fsockopensafe'];
|
||||||
|
|
||||||
|
$ip = gethostbyname($tmp['host']);
|
||||||
|
if($ip == $tmp['host']) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if(filter_var($tmp['host'], FILTER_VALIDATE_IP) && _isLocalip($tmp['host'])) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!empty($config['port']) && isset($tmp['port'])) {
|
||||||
|
if(isset($_SERVER['SERVER_PORT']) && !in_array($_SERVER['SERVER_PORT'], $config['port'])) {
|
||||||
|
$config['port'][] = $_SERVER['SERVER_PORT'];
|
||||||
|
}
|
||||||
|
if(!in_array($tmp['port'], $config['port'])) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(!isset($tmp['port'])) {
|
||||||
|
$tmp['port'] = strtolower($tmp['scheme']) == 'https' ? 443 : 80;
|
||||||
|
}
|
||||||
|
|
||||||
|
if($ip) {
|
||||||
|
if(!_isLocalip($ip)) {
|
||||||
|
$tmp['ip'] = $ip;
|
||||||
|
return $tmp;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
return preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $host);
|
return $tmp;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function _dfsockopen($url, $limit = 0, $post = '', $cookie = '', $bysocket = FALSE, $ip = '', $timeout = 15, $block = TRUE, $encodetype = 'URLENCODE', $allowcurl = TRUE, $position = 0, $files = array()) {
|
function _dfsockopen($url, $limit = 0, $post = '', $cookie = '', $bysocket = FALSE, $ip = '', $timeout = 15, $block = TRUE, $encodetype = 'URLENCODE', $allowcurl = TRUE, $position = 0, $files = array()) {
|
||||||
$return = '';
|
$return = '';
|
||||||
$matches = parse_url($url);
|
$matches = _parse_url($url);
|
||||||
|
if(!$matches) {
|
||||||
|
return '';
|
||||||
|
}
|
||||||
|
$ip = isset($matches['ip']) ? $matches['ip'] : $ip;
|
||||||
$scheme = $matches['scheme'];
|
$scheme = $matches['scheme'];
|
||||||
$host = $matches['host'];
|
$host = $matches['host'];
|
||||||
if(_isip($host) && _isLocalip($host) || $ip && _isLocalip($ip)) {
|
if($ip && _isLocalip($ip)) {
|
||||||
return '';
|
return '';
|
||||||
}
|
}
|
||||||
$path = $matches['path'] ? $matches['path'].($matches['query'] ? '?'.$matches['query'] : '') : '/';
|
$path = $matches['path'] ? $matches['path'].($matches['query'] ? '?'.$matches['query'] : '') : '/';
|
||||||
|
@ -60,7 +98,6 @@ function _dfsockopen($url, $limit = 0, $post = '', $cookie = '', $bysocket = FAL
|
||||||
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
|
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
|
||||||
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
|
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
|
||||||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
|
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
|
||||||
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
|
|
||||||
curl_setopt($ch, CURLOPT_HEADER, 1);
|
curl_setopt($ch, CURLOPT_HEADER, 1);
|
||||||
if($post) {
|
if($post) {
|
||||||
curl_setopt($ch, CURLOPT_POST, 1);
|
curl_setopt($ch, CURLOPT_POST, 1);
|
||||||
|
|
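Review bot: The new gates at `_isLocalip($tmp['host'])` and `_isLocalip($ip)` inherit the range list of the unchanged `_isLocalip` helper shown as context above, which covers 10/8, 172.16/12, 100.64/10, 192.168/16 and 9/8 but not loopback, link-local or 0.0.0.0/8, so a URL whose host resolves into 127.0.0.0/8 or 169.254.0.0/16 still passes `_parse_url`. Adding `($iplong >= 2130706432 && $iplong <= 2147483647) ||` and `($iplong >= 2851995648 && $iplong <= 2852061183) ||` to that return expression closes the two common gaps; note also that `ip2long` returns negative values on 32-bit builds, which these unsigned comparisons do not handle. The scheme check reads `$tmp['scheme']` without `isset`, so a scheme-less `//host/path` URL emits a notice before being rejected; `if(!isset($tmp['scheme']) || !in_array(strtolower($tmp['scheme']), array('http', 'https'), true))` avoids that. The resolve-then-check sequence is only meaningful if the later connection uses the pinned `$tmp['ip']` rather than re-resolving the host; `_dfsockopen` continues past this hunk, so confirm both the socket and the curl paths connect to `$ip`.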