【修复】 加强安全

Comsenz 2018-05-31 14:32:30 +08:00
parent 9103a22339
commit f759f176c4
9 changed files with 11 additions and 11 deletions


@ -310,7 +310,7 @@ if($operation == 'export') {
@unlink($dumpfile);
$mysqlbin = $mysql_base == '/' ? '' : addslashes($mysql_base).'bin/';
@shell_exec($mysqlbin.'mysqldump --force --quick '.($db->version() > '4.1' ? '--skip-opt --create-options' : '-all').' --add-drop-table'.($_GET['extendins'] == 1 ? ' --extended-insert' : '').''.($db->version() > '4.1' && $_GET['sqlcompat'] == 'MYSQL40' ? ' --compatible=mysql40' : '').' --host="'.$dbhost.($dbport ? (is_numeric($dbport) ? ' --port='.$dbport : ' --socket="'.$dbport.'"') : '').'" --user="'.$dbuser.'" --password="'.$dbpw.'" "'.$dbname.'" '.$tablesstr.' > '.$dumpfile);
@shell_exec($mysqlbin.'mysqldump --force --quick '.($db->version() > '4.1' ? '--skip-opt --create-options' : '-all').' --add-drop-table'.($_GET['extendins'] == 1 ? ' --extended-insert' : '').''.($db->version() > '4.1' && $_GET['sqlcompat'] == 'MYSQL40' ? ' --compatible=mysql40' : '').' --host="'.$dbhost.($dbport ? (is_numeric($dbport) ? ' --port='.$dbport : ' --socket="'.$dbport.'"') : '').'" --user="'.$dbuser.'" --password="'.$dbpw.'" "'.$dbname.'" '.escapeshellarg($tablesstr).' > '.$dumpfile);
if(@file_exists($dumpfile)) {
@ -1235,4 +1235,4 @@ function slowcheck($type1, $type2) {
return FALSE;
}
?>
?>
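Review bot: Wrapping the whole of `$tablesstr` in `escapeshellarg()` hands mysqldump a single argument, so if the string holds several table names (it is built outside this hunk, so confirm) the export would look for one table with the combined name. Quoting each name while the list is built, for example `$tablesstr .= escapeshellarg($table).' ';` with `$table` standing for the loop variable, keeps one argument per table. On the same line `$dbhost`, `$dbport`, `$dbuser`, `$dbpw`, `$dbname` and `$dumpfile` still enter the command inside hand-written double quotes or unquoted, and the password is passed on the command line; those operands need `escapeshellarg()` as well. The `@` on `shell_exec` also hides a failed dump until the `file_exists` check.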


@ -368,7 +368,7 @@ class discuz_database_safecheck {
private static function _do_query_safe($sql) {
$sql = str_replace(array('\\\\', '\\\'', '\\"', '\'\''), '', $sql);
$mark = $clean = '';
if (strpos($sql, '/') === false && strpos($sql, '#') === false && strpos($sql, '-- ') === false && strpos($sql, '@') === false && strpos($sql, '`') === false) {
if (strpos($sql, '/') === false && strpos($sql, '#') === false && strpos($sql, '-- ') === false && strpos($sql, '@') === false && strpos($sql, '`') === false && strpos($sql, '"') === false) {
$clean = preg_replace("/'(.+?)'/s", '', $sql);
} else {
$len = strlen($sql);
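Review bot: The changed condition is now a chain of six `strpos` probes with no comment saying why any of these characters forces the slower branch. A comment above it such as `// Fast path: the single-quote regex below can only strip every literal when the query has no /, #, "-- ", @, backtick or double quote.` would record why `"` was added. `_do_query_safe` continues past the end of this hunk, so the else branch that handles such queries cannot be checked from here.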


@ -729,7 +729,7 @@ class table_forum_post extends discuz_table
for($i = 0; $i < count($keywords); $i++) {
if(preg_match("/\{(\d+)\}/", $keywords[$i])) {
$keywords[$i] = preg_replace("/\\\{(\d+)\\\}/", ".{0,\\1}", preg_quote($keywords[$i], '/'));
$sqlkeywords .= " $or p.subject REGEXP '".$keywords[$i]."' OR p.message REGEXP '".$keywords[$i]."'";
$sqlkeywords .= " $or p.subject REGEXP '".$keywords[$i]."' OR p.message REGEXP '".addslashes(stripsearchkey($keywords[$i]))."'";
} else {
$keywords[$i] = addslashes($keywords[$i]);
$sqlkeywords .= " $or p.subject LIKE '%".$keywords[$i]."%' OR p.message LIKE '%".$keywords[$i]."%'";
@ -776,7 +776,7 @@ class table_forum_post extends discuz_table
for($i = 0; $i < count($keywords); $i++) {
if(preg_match("/\{(\d+)\}/", $keywords[$i])) {
$keywords[$i] = preg_replace("/\\\{(\d+)\\\}/", ".{0,\\1}", preg_quote($keywords[$i], '/'));
$sqlkeywords .= " $or p.subject REGEXP '".$keywords[$i]."' OR p.message REGEXP '".$keywords[$i]."'";
$sqlkeywords .= " $or p.subject REGEXP '".$keywords[$i]."' OR p.message REGEXP '".addslashes(stripsearchkey($keywords[$i]))."'";
} else {
$keywords[$i] = addslashes($keywords[$i]);
$sqlkeywords .= " $or p.subject LIKE '%".$keywords[$i]."%' OR p.message LIKE '%".$keywords[$i]."%'";
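Review bot: Only the `p.message` operand of the changed REGEXP line is escaped; the `p.subject REGEXP` operand in the same statement still interpolates `$keywords[$i]` after `preg_quote()` alone, which does not escape single quotes. Unless `$keywords` is escaped before this loop (not visible in the hunk), escape once and reuse the result for both operands, for example `$keywords[$i] = addslashes($keywords[$i]);` right after the `preg_replace` line, as the LIKE branch already does. The second hunk of this file (`@ -776,7`) carries the identical line. `stripsearchkey()` is not shown on this page; if it rewrites wildcard characters, running it after the `{n}` rewrite would change the pattern, so confirm it belongs in the REGEXP branch.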


@ -218,7 +218,7 @@ class table_home_blog extends discuz_table
$keywords[$i] = daddslashes($keywords[$i]);
if(preg_match("/\{(\d+)\}/", $keywords[$i])) {
$keywords[$i] = preg_replace("/\\\{(\d+)\\\}/", ".{0,\\1}", preg_quote($keywords[$i], '/'));
$sqlkeywords .= " $or b.subject REGEXP '".$keywords[$i]."' OR bf.message REGEXP '".$keywords[$i]."'";
$sqlkeywords .= " $or b.subject REGEXP '".$keywords[$i]."' OR bf.message REGEXP '".addslashes(stripsearchkey($keywords[$i]))."'";
} else {
$sqlkeywords .= " $or b.subject LIKE '%".$keywords[$i]."%' OR bf.message LIKE '%".$keywords[$i]."%'";
}
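Review bot: The keyword is already passed through `daddslashes()` on the first line of this hunk, so `addslashes(stripsearchkey(...))` on the `bf.message` operand escapes it a second time. The `b.subject` and `bf.message` patterns then no longer match the same text when the keyword contains a quote or backslash. Either drop the extra call or build one escaped value and use it for both operands. The `message REGEXP` line in the `table_home_doing` section has the same double application, because `addslashes(stripsearchkey())` already runs at the top of that hunk.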


@ -83,7 +83,7 @@ class table_home_doing extends discuz_table
$keywords[$i] = addslashes(stripsearchkey($keywords[$i]));
if(preg_match("/\{(\d+)\}/", $keywords[$i])) {
$keywords[$i] = preg_replace("/\\\{(\d+)\\\}/", ".{0,\\1}", preg_quote($keywords[$i], '/'));
$sqlkeywords .= " $or message REGEXP '".$keywords[$i]."'";
$sqlkeywords .= " $or message REGEXP '".addslashes(stripsearchkey($keywords[$i]))."'";
} else {
$sqlkeywords .= " $or message LIKE '%".$keywords[$i]."%'";
}


@ -115,7 +115,7 @@ class notemodel {
}
$this->base->load('misc');
$apifilename = isset($app['apifilename']) && $app['apifilename'] ? $app['apifilename'] : 'uc.php';
if($app['extra']['apppath'] && @include $app['extra']['apppath'].'./api/'.$apifilename) {
if($app['extra']['apppath'] && substr(strrchr($apifilename, '.'), 1, 10) == 'php' && @include $app['extra']['apppath'].'./api/'.$apifilename) {
$uc_note = new uc_note();
$method = $note['operation'];
if(is_string($method) && !empty($method)) {
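Review bot: The added test looks only at the text after the last dot, so an `$apifilename` that contains directory separators still reaches `@include` as long as it ends in `.php`. Requiring a bare file name as well, for example `basename($apifilename) === $apifilename && substr(strrchr($apifilename, '.'), 1) === 'php'`, would tie the include to the `api/` directory. `$app['extra']['apppath']` is concatenated unchecked and needs its own validation where the app record is stored. The same condition is repeated in the `control`, `usercontrol` and second `notemodel` sections below, so a shared helper would keep the four copies in step. The enclosing method starts and ends outside this hunk.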


@ -130,7 +130,7 @@ class control extends adminbase {
}
if($app = $this->cache['apps'][$appid]) {
$apifilename = isset($app['apifilename']) && $app['apifilename'] ? $app['apifilename'] : 'uc.php';
if($app['extra']['apppath'] && @include $app['extra']['apppath'].'./api/'.$apifilename) {
if($app['extra']['apppath'] && substr(strrchr($apifilename, '.'), 1, 10) == 'php' && @include $app['extra']['apppath'].'./api/'.$apifilename) {
$uc_note = new uc_note();
$data = trim($uc_note->getcreditsettings('', ''));
} else {


@ -291,7 +291,7 @@ class usercontrol extends base {
$this->load('misc');
$app = $this->cache['apps'][$appid];
$apifilename = isset($app['apifilename']) && $app['apifilename'] ? $app['apifilename'] : 'uc.php';
if($app['extra']['apppath'] && @include $app['extra']['apppath'].'./api/'.$apifilename) {
if($app['extra']['apppath'] && substr(strrchr($apifilename, '.'), 1, 10) == 'php' && @include $app['extra']['apppath'].'./api/'.$apifilename) {
$uc_note = new uc_note();
return $uc_note->getcredit(array('uid' => $uid, 'credit' => $credit), '');
} else {


@ -139,7 +139,7 @@ class notemodel {
}
$this->base->load('misc');
$apifilename = isset($app['apifilename']) && $app['apifilename'] ? $app['apifilename'] : 'uc.php';
if($app['extra']['apppath'] && @include_once $app['extra']['apppath'].'./api/'.$apifilename) {
if($app['extra']['apppath'] && substr(strrchr($apifilename, '.'), 1, 10) == 'php' && @include_once $app['extra']['apppath'].'./api/'.$apifilename) {
$uc_note = new uc_note();
$method = $note['operation'];
if(is_string($method) && !empty($method)) {