【修复】加强安全

2018-05-31 14:32:30 +08:00 · 2018-05-31 14:32:30 +08:00 · f759f176c4
parent 9103a22339
commit f759f176c4
9 changed files with 11 additions and 11 deletions
--- a/upload/source/admincp/admincp_db.php
+++ b/upload/source/admincp/admincp_db.php
@ -310,7 +310,7 @@ if($operation == 'export') {
 			@unlink($dumpfile);

 			$mysqlbin = $mysql_base == '/' ? '' : addslashes($mysql_base).'bin/';
-			@shell_exec($mysqlbin.'mysqldump --force --quick '.($db->version() > '4.1' ? '--skip-opt --create-options' : '-all').' --add-drop-table'.($_GET['extendins'] == 1 ? ' --extended-insert' : '').''.($db->version() > '4.1' && $_GET['sqlcompat'] == 'MYSQL40' ? ' --compatible=mysql40' : '').' --host="'.$dbhost.($dbport ? (is_numeric($dbport) ? ' --port='.$dbport : ' --socket="'.$dbport.'"') : '').'" --user="'.$dbuser.'" --password="'.$dbpw.'" "'.$dbname.'" '.$tablesstr.' > '.$dumpfile);
+			@shell_exec($mysqlbin.'mysqldump --force --quick '.($db->version() > '4.1' ? '--skip-opt --create-options' : '-all').' --add-drop-table'.($_GET['extendins'] == 1 ? ' --extended-insert' : '').''.($db->version() > '4.1' && $_GET['sqlcompat'] == 'MYSQL40' ? ' --compatible=mysql40' : '').' --host="'.$dbhost.($dbport ? (is_numeric($dbport) ? ' --port='.$dbport : ' --socket="'.$dbport.'"') : '').'" --user="'.$dbuser.'" --password="'.$dbpw.'" "'.$dbname.'" '.escapeshellarg($tablesstr).' > '.$dumpfile);

 			if(@file_exists($dumpfile)) {

@ -1235,4 +1235,4 @@ function slowcheck($type1, $type2) {
 	return FALSE;
 }

-?>
+?>
--- a/upload/source/class/discuz/discuz_database.php
+++ b/upload/source/class/discuz/discuz_database.php
@ -368,7 +368,7 @@ class discuz_database_safecheck {
 	private static function _do_query_safe($sql) {
 		$sql = str_replace(array('\\\\', '\\\'', '\\"', '\'\''), '', $sql);
 		$mark = $clean = '';
-		if (strpos($sql, '/') === false && strpos($sql, '#') === false && strpos($sql, '-- ') === false && strpos($sql, '@') === false && strpos($sql, '`') === false) {
+		if (strpos($sql, '/') === false && strpos($sql, '#') === false && strpos($sql, '-- ') === false && strpos($sql, '@') === false && strpos($sql, '`') === false && strpos($sql, '"') === false) {
 			$clean = preg_replace("/'(.+?)'/s", '', $sql);
 		} else {
 			$len = strlen($sql);
--- a/upload/source/class/table/table_forum_post.php
+++ b/upload/source/class/table/table_forum_post.php
@ -729,7 +729,7 @@ class table_forum_post extends discuz_table
 			for($i = 0; $i < count($keywords); $i++) {
 				if(preg_match("/\{(\d+)\}/", $keywords[$i])) {
 					$keywords[$i] = preg_replace("/\\\{(\d+)\\\}/", ".{0,\\1}", preg_quote($keywords[$i], '/'));
-					$sqlkeywords .= " $or p.subject REGEXP '".$keywords[$i]."' OR p.message REGEXP '".$keywords[$i]."'";
+					$sqlkeywords .= " $or p.subject REGEXP '".$keywords[$i]."' OR p.message REGEXP '".addslashes(stripsearchkey($keywords[$i]))."'";
 				} else {
 					$keywords[$i] = addslashes($keywords[$i]);
 					$sqlkeywords .= " $or p.subject LIKE '%".$keywords[$i]."%' OR p.message LIKE '%".$keywords[$i]."%'";
@ -776,7 +776,7 @@ class table_forum_post extends discuz_table
 			for($i = 0; $i < count($keywords); $i++) {
 				if(preg_match("/\{(\d+)\}/", $keywords[$i])) {
 					$keywords[$i] = preg_replace("/\\\{(\d+)\\\}/", ".{0,\\1}", preg_quote($keywords[$i], '/'));
-					$sqlkeywords .= " $or p.subject REGEXP '".$keywords[$i]."' OR p.message REGEXP '".$keywords[$i]."'";
+					$sqlkeywords .= " $or p.subject REGEXP '".$keywords[$i]."' OR p.message REGEXP '".addslashes(stripsearchkey($keywords[$i]))."'";
 				} else {
 					$keywords[$i] = addslashes($keywords[$i]);
 					$sqlkeywords .= " $or p.subject LIKE '%".$keywords[$i]."%' OR p.message LIKE '%".$keywords[$i]."%'";
--- a/upload/source/class/table/table_home_blog.php
+++ b/upload/source/class/table/table_home_blog.php
@ -218,7 +218,7 @@ class table_home_blog extends discuz_table
 				$keywords[$i] = daddslashes($keywords[$i]);
 				if(preg_match("/\{(\d+)\}/", $keywords[$i])) {
 					$keywords[$i] = preg_replace("/\\\{(\d+)\\\}/", ".{0,\\1}", preg_quote($keywords[$i], '/'));
-					$sqlkeywords .= " $or b.subject REGEXP '".$keywords[$i]."' OR bf.message REGEXP '".$keywords[$i]."'";
+					$sqlkeywords .= " $or b.subject REGEXP '".$keywords[$i]."' OR bf.message REGEXP '".addslashes(stripsearchkey($keywords[$i]))."'";
 				} else {
 					$sqlkeywords .= " $or b.subject LIKE '%".$keywords[$i]."%' OR bf.message LIKE '%".$keywords[$i]."%'";
 				}
--- a/upload/source/class/table/table_home_doing.php
+++ b/upload/source/class/table/table_home_doing.php
@ -83,7 +83,7 @@ class table_home_doing extends discuz_table
 					$keywords[$i] = addslashes(stripsearchkey($keywords[$i]));
 					if(preg_match("/\{(\d+)\}/", $keywords[$i])) {
 						$keywords[$i] = preg_replace("/\\\{(\d+)\\\}/", ".{0,\\1}", preg_quote($keywords[$i], '/'));
-						$sqlkeywords .= " $or message REGEXP '".$keywords[$i]."'";
+						$sqlkeywords .= " $or message REGEXP '".addslashes(stripsearchkey($keywords[$i]))."'";
 					} else {
 						$sqlkeywords .= " $or message LIKE '%".$keywords[$i]."%'";
 					}
--- a/upload/uc_client/model/note.php
+++ b/upload/uc_client/model/note.php
@ -115,7 +115,7 @@ class notemodel {
 		}
 		$this->base->load('misc');
 		$apifilename = isset($app['apifilename']) && $app['apifilename'] ? $app['apifilename'] : 'uc.php';
-		if($app['extra']['apppath'] && @include $app['extra']['apppath'].'./api/'.$apifilename) {
+		if($app['extra']['apppath'] && substr(strrchr($apifilename, '.'), 1, 10) == 'php' && @include $app['extra']['apppath'].'./api/'.$apifilename) {
 			$uc_note = new uc_note();
 			$method = $note['operation'];
 			if(is_string($method) && !empty($method)) {
--- a/upload/uc_server/control/admin/credit.php
+++ b/upload/uc_server/control/admin/credit.php
@ -130,7 +130,7 @@ class control extends adminbase {
 			}
 			if($app = $this->cache['apps'][$appid]) {
 				$apifilename = isset($app['apifilename']) && $app['apifilename'] ? $app['apifilename'] : 'uc.php';
-				if($app['extra']['apppath'] && @include $app['extra']['apppath'].'./api/'.$apifilename) {
+				if($app['extra']['apppath'] && substr(strrchr($apifilename, '.'), 1, 10) == 'php' && @include $app['extra']['apppath'].'./api/'.$apifilename) {
 					$uc_note = new uc_note();
 					$data = trim($uc_note->getcreditsettings('', ''));
 				} else {
--- a/upload/uc_server/control/user.php
+++ b/upload/uc_server/control/user.php
@ -291,7 +291,7 @@ class usercontrol extends base {
 		$this->load('misc');
 		$app = $this->cache['apps'][$appid];
 		$apifilename = isset($app['apifilename']) && $app['apifilename'] ? $app['apifilename'] : 'uc.php';
-		if($app['extra']['apppath'] && @include $app['extra']['apppath'].'./api/'.$apifilename) {
+		if($app['extra']['apppath'] && substr(strrchr($apifilename, '.'), 1, 10) == 'php' && @include $app['extra']['apppath'].'./api/'.$apifilename) {
 			$uc_note = new uc_note();
 			return $uc_note->getcredit(array('uid' => $uid, 'credit' => $credit), '');
 		} else {
--- a/upload/uc_server/model/note.php
+++ b/upload/uc_server/model/note.php
@ -139,7 +139,7 @@ class notemodel {
 		}
 		$this->base->load('misc');
 		$apifilename = isset($app['apifilename']) && $app['apifilename'] ? $app['apifilename'] : 'uc.php';
-		if($app['extra']['apppath'] && @include_once $app['extra']['apppath'].'./api/'.$apifilename) {
+		if($app['extra']['apppath'] && substr(strrchr($apifilename, '.'), 1, 10) == 'php' && @include_once $app['extra']['apppath'].'./api/'.$apifilename) {
 			$uc_note = new uc_note();
 			$method = $note['operation'];
 			if(is_string($method) && !empty($method)) {