From 35d651438147ce0a9b04a00c911e6e2eb0661ec5 Mon Sep 17 00:00:00 2001 From: F4nniu Date: Sun, 16 Jul 2023 15:27:20 +0800 Subject: [PATCH 1/9] =?UTF-8?q?api=20=E7=94=9F=E6=88=90=E5=85=BC=E5=AE=B9?= =?UTF-8?q?=20php8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/admin/command/Api.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/admin/command/Api.php b/application/admin/command/Api.php index d9d79c4e..d8098414 100644 --- a/application/admin/command/Api.php +++ b/application/admin/command/Api.php @@ -163,7 +163,7 @@ class Api extends Command if ($getting_namespace === true) { //If the token is a string or the namespace separator... - if (is_array($token) && in_array($token[0], [T_STRING, T_NS_SEPARATOR])) { + if (is_array($token) && in_array($token[0], version_compare(PHP_VERSION, '8.0.0', '<') ? [T_STRING, T_NS_SEPARATOR] : [T_NAME_QUALIFIED])) { //Append the token's value to the name of the namespace $namespace .= $token[1]; From c7da57a109940791192ce125d5521570c8c009e2 Mon Sep 17 00:00:00 2001 From: F4nniu Date: Sun, 16 Jul 2023 17:20:14 +0800 Subject: [PATCH 2/9] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E6=98=BE=E7=A4=BA?= =?UTF-8?q?=E6=9C=AC=E5=9C=B0=E6=8F=92=E4=BB=B6=E5=88=97=E8=A1=A8=E6=97=B6?= =?UTF-8?q?=E7=9A=84=20null=20=E5=80=BC=E6=8A=A5=E9=94=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/admin/controller/Addon.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/application/admin/controller/Addon.php b/application/admin/controller/Addon.php index 8d11cf4a..d8e391f4 100644 --- a/application/admin/controller/Addon.php +++ b/application/admin/controller/Addon.php 
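Review bot: On PHP 8 the new token list drops `T_STRING`, yet a single-segment namespace (`namespace app;`) is still tokenized as `T_STRING` there — only a multi-segment name such as `app\admin\command` becomes one `T_NAME_QUALIFIED` token — so `$namespace` stays empty for files declaring a one-word namespace. Keep `T_STRING` in both branches and make the membership test strict: `if (is_array($token) && in_array($token[0], version_compare(PHP_VERSION, '8.0.0', '<') ? [T_STRING, T_NS_SEPARATOR] : [T_STRING, T_NS_SEPARATOR, T_NAME_QUALIFIED], true)) {`. The `version_compare` is evaluated once per token; hoisting the list into a variable before the loop would avoid that, but the loop header is outside the hunk.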
@@ -319,8 +319,8 @@ class Addon extends Backend { $offset = (int)$this->request->get("offset"); $limit = (int)$this->request->get("limit"); - $filter = $this->request->get("filter"); - $search = $this->request->get("search"); + $filter = $this->request->get("filter") ?? ''; + $search = $this->request->get("search") ?? ''; $search = htmlspecialchars(strip_tags($search)); $onlineaddons = $this->getAddonList(); $filter = (array)json_decode($filter, true); From 927510f5ad4f517411c670a1d4c1ad7a9f41f5a7 Mon Sep 17 00:00:00 2001 From: F4nniu Date: Mon, 17 Jul 2023 11:09:58 +0800 Subject: [PATCH 3/9] =?UTF-8?q?captcha=20=E4=B8=BA=E4=BA=86=E5=85=BC?= =?UTF-8?q?=E5=AE=B9=20php8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- composer.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 9ea4c30e..1108d7f4 100755 --- a/composer.json +++ b/composer.json @@ -17,7 +17,7 @@ "require": { "php": ">=7.2.0", "topthink/framework": "dev-master", - "topthink/think-captcha": "^1.0", + "topthink/think-captcha": "^1.0.9", "topthink/think-installer": "^1.0.14", "topthink/think-queue": "1.1.6", "topthink/think-helper": "^1.0.7", @@ -38,6 +38,10 @@ { "type": "git", "url": "https://gitee.com/fastadminnet/framework.git" + }, + { + "type": "git", + "url": "https://gitee.com/fastadminnet/think-captcha.git" } ] } From a64cf1173f9834e2824ee4f6682047d485c3d9ec Mon Sep 17 00:00:00 2001 From: F4nniu Date: Mon, 17 Jul 2023 15:04:20 +0800 Subject: [PATCH 4/9] =?UTF-8?q?=E4=BC=98=E5=8C=96=20php8=20=E5=85=BC?= =?UTF-8?q?=E5=AE=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/admin/controller/Addon.php | 4 ++-- application/common/behavior/Common.php | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/application/admin/controller/Addon.php b/application/admin/controller/Addon.php index d8e391f4..ee1431c7 100644 
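Review bot: The `repositories` entry added in the second hunk makes Composer resolve `topthink/think-captcha` from the gitee fork instead of Packagist, since a VCS repository's package name shadows the Packagist package for every install, and `^1.0.9` then selects whichever matching tag that fork publishes in the future. The diffstat shows no `composer.lock` change, so nothing in this commit records which commit of the fork was actually installed. Consider requiring an explicit tag or a `dev-<branch>#<commit-id>` reference for that package and committing the updated lock file so the resolved revision is reviewable.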
--- a/application/admin/controller/Addon.php +++ b/application/admin/controller/Addon.php @@ -319,8 +319,8 @@ class Addon extends Backend { $offset = (int)$this->request->get("offset"); $limit = (int)$this->request->get("limit"); - $filter = $this->request->get("filter") ?? ''; - $search = $this->request->get("search") ?? ''; + $filter = $this->request->get("filter", ''); + $search = $this->request->get("search", ''); $search = htmlspecialchars(strip_tags($search)); $onlineaddons = $this->getAddonList(); $filter = (array)json_decode($filter, true); diff --git a/application/common/behavior/Common.php b/application/common/behavior/Common.php index af9e1cfe..369adb3d 100644 --- a/application/common/behavior/Common.php +++ b/application/common/behavior/Common.php @@ -63,7 +63,7 @@ class Common } // 切换多语言 if (Config::get('lang_switch_on')) { - $lang = $request->get('lang'); + $lang = $request->get('lang', ''); if (preg_match("/^([a-zA-Z\-_]{2,10})\$/i", $lang)) { \think\Cookie::set('think_var', $lang); } From 85271d1cf7729196926b03e428f999e9b13b6b08 Mon Sep 17 00:00:00 2001 From: F4nniu Date: Sat, 22 Jul 2023 23:40:58 +0800 Subject: [PATCH 5/9] =?UTF-8?q?=E4=BD=BF=E7=94=A8=E6=A1=86=E6=9E=B6=20get?= =?UTF-8?q?=20=E8=87=AA=E5=B8=A6=E7=9A=84=E8=BF=87=E6=BB=A4=E5=8F=82?= =?UTF-8?q?=E6=95=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/admin/controller/Addon.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/application/admin/controller/Addon.php b/application/admin/controller/Addon.php index ee1431c7..355ddab6 100644 --- a/application/admin/controller/Addon.php +++ b/application/admin/controller/Addon.php 
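Review bot: The `preg_match` on the line after the changed one anchors with `$` and no `D` modifier, so a `lang` value ending in a newline still matches and is handed to `\think\Cookie::set`; terminate the pattern with `\z` instead: `if (preg_match('/^([a-zA-Z\-_]{2,10})\z/', $lang)) {`. The `/i` flag is redundant because the character class already lists both cases. The enclosing method extends outside the hunk.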
@@ -320,8 +320,7 @@ class Addon extends Backend $offset = (int)$this->request->get("offset"); $limit = (int)$this->request->get("limit"); $filter = $this->request->get("filter", ''); - $search = $this->request->get("search", ''); - $search = htmlspecialchars(strip_tags($search)); + $search = $this->request->get("search", '', 'strip_tags,htmlspecialchars'); $onlineaddons = $this->getAddonList(); $filter = (array)json_decode($filter, true); $addons = get_addon_list(); From dd63aa594805a3363a2d5f0c66948c9b62f9f9b9 Mon Sep 17 00:00:00 2001 From: F4nniu Date: Sat, 22 Jul 2023 23:52:07 +0800 Subject: [PATCH 6/9] =?UTF-8?q?=E8=AE=A9=20IDE=20=E6=8F=90=E7=A4=BA?= =?UTF-8?q?=E5=8F=8B=E5=A5=BD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/common.php b/application/common.php index 68b9e582..69eb22cb 100755 --- a/application/common.php +++ b/application/common.php @@ -11,7 +11,7 @@ if (!function_exists('__')) { /** * 获取语言变量值 * @param string $name 语言变量名 - * @param array $vars 动态变量值 + * @param string | array $vars 动态变量值 * @param string $lang 语言 * @return mixed */ From 7fe625cf5b702570f3dc9091fb78a51d2ee32d26 Mon Sep 17 00:00:00 2001 From: F4nniu Date: Tue, 25 Jul 2023 18:27:20 +0800 Subject: [PATCH 7/9] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20select=20=E7=94=9F?= =?UTF-8?q?=E6=88=90=E5=9C=A8=20php8=20=E7=8E=AF=E5=A2=83=E4=B8=AD?= =?UTF-8?q?=E7=9A=84=E6=8A=A5=E9=94=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/admin/common.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/application/admin/common.php b/application/admin/common.php index c9db617f..2622b4ac 100755 --- a/application/admin/common.php +++ b/application/admin/common.php 
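Review bot: Applying `htmlspecialchars` as an input filter on the changed line stores an HTML-escaped value in `$search`, so if the variable is later compared against addon titles, a title containing `&` or a quote is compared against `&amp;`/`&quot;` and never matches; `strip_tags` is similarly lossy for a search term. Keeping the input raw, `$search = $this->request->get("search", '', 'trim');`, and escaping at the point where it is rendered keeps matching and output encoding separate. How `$search` is consumed after this hunk is not visible here, so this rests on the filter chain alone.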
@@ -18,8 +18,8 @@ if (!function_exists('build_select')) { */ function build_select($name, $options, $selected = [], $attr = []) { - $options = is_array($options) ? $options : explode(',', $options); - $selected = is_array($selected) ? $selected : explode(',', $selected); + $options = is_array($options) ? $options : explode(',', $options ?? ''); + $selected = is_array($selected) ? $selected : explode(',', $selected ?? ''); return Form::select($name, $options, $selected, $attr); } } From 9bbd11e4bcdbacfac2a5827cc89be2222c2eec79 Mon Sep 17 00:00:00 2001 From: Karson Date: Fri, 16 Jun 2023 17:32:00 +0800 Subject: [PATCH 8/9] =?UTF-8?q?=E6=96=B0=E5=A2=9EURL=E6=A3=80=E6=B5=8B?= =?UTF-8?q?=E5=92=8C=E6=B8=85=E7=90=86=E5=87=BD=E6=95=B0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 优化登录和注册链接跳转 (cherry picked from commit 3549e95ea11d97434c1b3b3fe76d34df8b63b50c) --- application/admin/controller/Index.php | 2 +- application/common.php | 43 ++++++++++++++++++++++++++ application/index/controller/User.php | 13 +++----- 3 files changed, 49 insertions(+), 9 deletions(-) diff --git a/application/admin/controller/Index.php b/application/admin/controller/Index.php index 7a6a6a4a..c387bf82 100644 --- a/application/admin/controller/Index.php +++ b/application/admin/controller/Index.php @@ -66,7 +66,7 @@ class Index extends Backend */ public function login() { - $url = $this->request->get('url', 'index/index'); + $url = $this->request->get('url', 'index/index', 'url_clean'); if ($this->auth->isLogin()) { $this->success(__("You've logged in, do not login again"), $url); } diff --git a/application/common.php b/application/common.php index 69eb22cb..744476d3 100755 --- a/application/common.php +++ b/application/common.php 
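Review bot: `explode(',', $options ?? '')` on the first changed line turns a null `$options` into `['']`, a one-element list holding an empty string, rather than an empty option list, and the second changed line does the same for `$selected`, which would then pre-select an option keyed `''`. Handle the empty case before exploding: `$options = is_array($options) ? $options : ($options === null || $options === '' ? [] : explode(',', $options));` and the same shape for `$selected`. Whether `Form::select` treats `['']` differently from `[]` is not visible here.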
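Review bot: With `url_clean` as the filter on the changed line, a rejected `url` parameter appears to come back as `''` rather than as the `'index/index'` default, because the default is used only when the parameter is absent, so the post-login redirect target becomes an empty string. Apply the fallback after filtering: `$url = $this->request->get('url', 'index/index', 'url_clean') ?: 'index/index';`. The remainder of `login()` is outside the hunk.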
@@ -467,6 +467,19 @@ if (!function_exists('xss_clean')) { } } +if (!function_exists('url_clean')) { + /** + * 清理URL + */ + function url_clean($url) + { + if (!check_url_allowed($url)) { + return ''; + } + return xss_clean($url); + } +} + if (!function_exists('check_ip_allowed')) { /** * 检测IP是否允许 @@ -485,6 +498,36 @@ if (!function_exists('check_ip_allowed')) { } } +if (!function_exists('check_url_allowed')) { + /** + * 检测URL是否允许 + * @param string $url URL + * @return bool + */ + function check_url_allowed($url = null) + { + //允许的主机列表 + $allowedHostArr = [ + strtolower(request()->host()) + ]; + + //如果是站内相对链接则允许 + if (preg_match("/^[\/a-z][a-z0-9][a-z0-9\.\/]+\$/i", $url) && substr($url, 0, 2) !== '//') { + return true; + } + + //如果是站外链接则需要判断HOST是否允许 + if (preg_match("/((http[s]?:\/\/)+(?>[a-z\-0-9]{2,}\.){1,}[a-z]{2,8})(?:\s|\/)/i", $url)) { + + if (in_array(strtolower(parse_url($url, PHP_URL_HOST)), $allowedHostArr)) { + return true; + } + } + + return false; + } +} + if (!function_exists('build_suffix_image')) { /** * 生成文件后缀图片 diff --git a/application/index/controller/User.php b/application/index/controller/User.php index a785fa04..ebceecbe 100644 --- a/application/index/controller/User.php +++ b/application/index/controller/User.php @@ -129,9 +129,8 @@ class User extends Frontend } } //判断来源 - $referer = $this->request->server('HTTP_REFERER'); - if (!$url && (strtolower(parse_url($referer, PHP_URL_HOST)) == strtolower($this->request->host())) - && !preg_match("/(user\/login|user\/register|user\/logout)/i", $referer)) { + $referer = $this->request->server('HTTP_REFERER', '', 'url_clean'); + if (!$url && $referer && !preg_match("/(user\/login|user\/register|user\/logout)/i", $referer)) { $url = $referer; } $this->view->assign('captchaType', config('fastadmin.user_register_captcha')); 
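Review bot: The docblock on `url_clean` says only `清理URL`, while the part of its contract callers need — it returns `''` when `check_url_allowed()` rejects the value and the `xss_clean`ed URL otherwise — is undocumented, and the empty string then becomes the caller's redirect target when the function is used as a request filter. Add `@param string|null $url` and `@return string the cleaned URL, or '' when the URL is not allowed`. Whether `xss_clean` alters a URL it accepts (for instance by entity-encoding `&` in the query string) is not visible here and is worth confirming, since that would change otherwise valid return URLs.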
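Review bot: The absolute-URL branch of `check_url_allowed` never checks the scheme of `$url` itself: its regex is unanchored and only requires an `http://` or `https://` substring somewhere in the string, after which `parse_url()` reads the host from the real authority, so the accept decision should be made on `parse_url`'s own scheme and host rather than on a substring match. That host comparison also sets `parse_url(..., PHP_URL_HOST)`, which carries no port, against `request()->host()`, which in this framework may include `:port` (to confirm), so same-site absolute URLs on a non-standard port would be rejected, and the `in_array` is non-strict. The relative branch admits only `[a-z0-9./]`, so a same-site path with a query string, `-` or `_` fails closed to `''` through `url_clean`, and its `$` without `D` accepts a trailing newline. The allow-list is derived from the incoming request rather than from configuration; a configured canonical host would be a more robust source. The rewrite below keeps the signature and addresses these points:
```php
function check_url_allowed($url = null)
{
    if (!is_string($url) || $url === '') {
        return false;
    }
    // Allowed hosts: host only, since parse_url(PHP_URL_HOST) carries no port
    $allowedHostArr = [
        strtolower(explode(':', request()->host())[0]),
    ];

    // Site-relative link (route string or single-slash path, optional query): allowed; protocol-relative is not
    if (preg_match('/^\/?[a-z0-9][a-z0-9_\-.\/]*(\?[a-z0-9_\-.\/=&%]*)?\z/i', $url) && substr($url, 0, 2) !== '//') {
        return true;
    }

    // Absolute link: decide on the parsed scheme and host, not on a substring match
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    return in_array(strtolower($parts['host']), $allowedHostArr, true);
}
```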
@@ -147,7 +146,7 @@ class User extends Frontend { $url = $this->request->request('url', '', 'trim,xss_clean'); if ($this->auth->id) { - $this->success(__('You\'ve logged in, do not login again'), $url ? $url : url('user/index')); + $this->success(__('You\'ve logged in, do not login again'), $url ?: url('user/index')); } if ($this->request->isPost()) { $account = $this->request->post('account'); @@ -175,7 +174,6 @@ class User extends Frontend $result = $validate->check($data); if (!$result) { $this->error(__($validate->getError()), null, ['token' => $this->request->token()]); - return false; } if ($this->auth->login($account, $password)) { $this->success(__('Logged in successful'), $url ? $url : url('user/index')); @@ -184,9 +182,8 @@ class User extends Frontend } } //判断来源 - $referer = $this->request->server('HTTP_REFERER'); - if (!$url && (strtolower(parse_url($referer, PHP_URL_HOST)) == strtolower($this->request->host())) - && !preg_match("/(user\/login|user\/register|user\/logout)/i", $referer)) { + $referer = $this->request->server('HTTP_REFERER', '', 'url_clean'); + if (!$url && $referer && !preg_match("/(user\/login|user\/register|user\/logout)/i", $referer)) { $url = $referer; } $this->view->assign('url', $url); From 6b4cdff2e0a5678759c0880903da7824fbc82b3d Mon Sep 17 00:00:00 2001 From: bran <765134355@qq.com> Date: Mon, 28 Aug 2023 08:55:53 +0800 Subject: [PATCH 9/9] =?UTF-8?q?[fix]=E5=85=AC=E5=85=B1=E5=87=BD=E6=95=B0?= =?UTF-8?q?=E5=AD=97=E8=8A=82=E8=BD=AC=E6=8D=A2bug=E4=BF=AE=E5=A4=8D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/common.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/application/common.php b/application/common.php index 744476d3..b7359b81 100755 --- a/application/common.php +++ b/application/common.php 
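Review bot: `$url`, read two lines above the change with `trim,xss_clean`, is still passed straight to `$this->success()` on the changed line, so it remains a caller-supplied redirect target that never goes through the new `url_clean`/`check_url_allowed` check, while only the `HTTP_REFERER` fallback in the `@@ -184` hunk gets it; change the read to `$url = $this->request->request('url', '', 'trim,url_clean');`. The register action's `$url` is read outside the `@@ -129` hunk, so confirm it receives the same treatment. `url_clean` returns `''` for a rejected value, which the `?:` fallback on the changed line already covers.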
@@ -41,7 +41,7 @@ if (!function_exists('format_bytes')) {
 function format_bytes($size, $delimiter = '', $precision = 2)
 {
 $units = array('B', 'KB', 'MB', 'GB', 'TB', 'PB');
- for ($i = 0; $size >= 1024 && $i < 6; $i++) {
+ for ($i = 0; $size >= 1024 && $i < 5; $i++) {
 $size /= 1024;
 }
 return round($size, $precision) . $delimiter . $units[$i];
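Review bot: The new bound `5` on the changed line duplicates the length of `$units` and will silently go stale if a unit is added; derive it from the array instead: `for ($i = 0, $last = count($units) - 1; $size >= 1024 && $i < $last; $i++) {`. The long `array()` syntax on the line above could become `[]` at the same time. The function's docblock and the surrounding `function_exists` guard sit outside the hunk.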