hitsword
/
fastadmin
mirror of https://gitee.com/karson/fastadmin.git
1
0
Fork 0
Code Issues Releases Wiki Activity

优化Referer校验

1.x
Karson 2026-06-02 17:16:36 +08:00
parent fc774889b5
commit b993aa7efb
3 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
application/admin/command/Api.php
View File

@ -55,7 +55,7 @@ class Api extends Command
if (!is_dir($outputDir)) { if (!is_dir($outputDir)) {
mkdir($outputDir, 0755, true); mkdir($outputDir, 0755, true);
} }
$outputFilename = $input->getOption('output') ?: 'apidoc_' . date('Ymd_') . strtolower(\fast\Random::alnum(6)) . '.html'; $outputFilename = $input->getOption('output') ?: 'doc_' . date('Ymd_') . strtolower(\fast\Random::alnum(6)) . '.html';
if ($outputFilename === 'api.html') { if ($outputFilename === 'api.html') {
throw new Exception('api.html cannot be used as the output file name'); throw new Exception('api.html cannot be used as the output file name');
} }

4
application/admin/controller/Index.php
View File

@ -129,9 +129,9 @@ class Index extends Backend
{ {
if ($this->request->isPost()) { if ($this->request->isPost()) {
// 加强校验referer是否来自服务器 // 加强校验referer是否来自服务器允许referer为空
$referer = $this->request->server('HTTP_REFERER'); $referer = $this->request->server('HTTP_REFERER');
if (!$referer || strtolower(parse_url($referer, PHP_URL_HOST)) != strtolower($this->request->host())) { if ($referer && strtolower(parse_url($referer, PHP_URL_HOST)) != strtolower($this->request->host())) {
$this->error(__('Invalid request')); $this->error(__('Invalid request'));
} }

1
application/admin/view/index/logout.html
View File

@ -2,7 +2,6 @@
<html> <html>
<head> <head>
{include file="common/meta" /} {include file="common/meta" /}
<meta name="referrer" content="origin" />
<style type="text/css"> <style type="text/css">
body { body {