From f46a67c7ec06ccffb920ff64c83e67b99d2a1146 Mon Sep 17 00:00:00 2001 
From: Martin Zhou <1009465756@qq.com> Date: Tue, 26 Jan 2016 14:09:59 +0800 Subject: [PATCH] =?UTF-8?q?SRCMS=C2=B7=E8=BD=BB=E5=93=8D=E5=BA=94V1.6?= =?UTF-8?q?=E6=AD=A3=E5=BC=8F=E7=89=88?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 修复外部报告的多个严重安全缺陷 --- .htaccess | 8 + Application/Admin/Common/function.php | 175 +++++++++++++++- .../Controller/LoginController.class.php | 24 +-- .../Controller/ManagerController.class.php | 125 ++++++++++++ .../Admin/Model/ManagerModel.class.php | 23 +++ Application/Admin/Model/MemberModel.class.php | 1 - Application/Admin/View/Manager/add.html | 28 +++ Application/Admin/View/Manager/index.html | 48 +++++ Application/Admin/View/Manager/update.html | 25 +++ Application/Admin/View/Member/add.html | 12 +- Application/Admin/View/Member/index.html | 8 +- Application/Admin/View/Member/update.html | 12 +- Application/Admin/View/Post/update.html | 2 +- Application/Admin/View/Public/sidebar.html | 10 +- Application/Common/Conf/config.php | 1 - .../Home/Controller/HallController.class.php | 4 +- Application/User/Common/function.php | 175 +++++++++++++++- .../User/Controller/GiftController.class.php | 2 +- .../User/Controller/IndexController.class.php | 1 + .../User/Controller/InfoController.class.php | 12 +- .../User/Controller/LoginController.class.php | 4 +- .../User/Controller/PostController.class.php | 6 +- .../User/Controller/RegController.class.php | 10 +- Application/User/Controller/xsshtml.class.php | 187 ++++++++++++++++++ Application/User/Model/MemberModel.class.php | 4 +- Application/User/View/Reg/index.html | 70 ++++--- DB/srcms.sql | 47 +++-- README.md | 8 +- admin.php | 2 +- index.php | 2 +- user.php | 2 +- 31 files changed, 924 insertions(+), 114 deletions(-) create mode 100644 .htaccess create mode 100644 Application/Admin/Controller/ManagerController.class.php create mode 100644 Application/Admin/Model/ManagerModel.class.php create mode 100644 Application/Admin/View/Manager/add.html 
create mode 100644 Application/Admin/View/Manager/index.html create mode 100644 Application/Admin/View/Manager/update.html create mode 100644 Application/User/Controller/xsshtml.class.php diff --git a/.htaccess b/.htaccess new file mode 100644 index 0000000..929995c --- /dev/null +++ b/.htaccess @@ -0,0 +1,8 @@ + + Options +FollowSymlinks + RewriteEngine On + + RewriteCond %{REQUEST_FILENAME} !-d + RewriteCond %{REQUEST_FILENAME} !-f + RewriteRule ^(.*)$ index.php/$1 [QSA,PT,L] + \ No newline at end of file diff --git a/Application/Admin/Common/function.php b/Application/Admin/Common/function.php index a8733eb..d0f75d2 100644 --- a/Application/Admin/Common/function.php +++ b/Application/Admin/Common/function.php 
@@ -1,11 +1,170 @@ m_AllowTag = empty($AllowTag) ? $this->m_AllowTag : $AllowTag; + $this->m_xss = strip_tags($html, '<' . implode('><', $this->m_AllowTag) . '>'); + if (empty($this->m_xss)) { + $this->m_ok = FALSE; + return ; + } + $this->m_xss = "" . $this->m_xss . ""; + $this->m_dom = new DOMDocument(); + $this->m_dom->strictErrorChecking = FALSE; + $this->m_ok = @$this->m_dom->loadHTML($this->m_xss); + } + + /** + * ù˺ + */ + public function getHtml() + { + if (!$this->m_ok) { + return ''; + } + $nodeList = $this->m_dom->getElementsByTagName('*'); + for ($i = 0; $i < $nodeList->length; $i++){ + $node = $nodeList->item($i); + if (in_array($node->nodeName, $this->m_AllowTag)) { + if (method_exists($this, "__node_{$node->nodeName}")) { + call_user_func(array($this, "__node_{$node->nodeName}"), $node); + }else{ + call_user_func(array($this, '__node_default'), $node); + } + } + } + $html = strip_tags($this->m_dom->saveHTML(), '<' . implode('><', $this->m_AllowTag) . '>'); + $html = preg_replace('/^\n(.*)\n$/s', '$1', $html); + return $html; + } + + private function __true_url($url){ + if (preg_match('#^https?://.+#is', $url)) { + return $url; + }else{ + return 'http://' . 
$url; + } + } + + private function __get_style($node){ + if ($node->attributes->getNamedItem('style')) { + $style = $node->attributes->getNamedItem('style')->nodeValue; + $style = str_replace('\\', ' ', $style); + $style = str_replace(array('&#', '/*', '*/'), ' ', $style); + $style = preg_replace('#e.*x.*p.*r.*e.*s.*s.*i.*o.*n#Uis', ' ', $style); + return $style; + }else{ + return ''; + } + } + + private function __get_link($node, $att){ + $link = $node->attributes->getNamedItem($att); + if ($link) { + return $this->__true_url($link->nodeValue); + }else{ + return ''; + } + } + + private function __setAttr($dom, $attr, $val){ + if (!empty($val)) { + $dom->setAttribute($attr, $val); + } + } + + private function __set_default_attr($node, $attr, $default = '') + { + $o = $node->attributes->getNamedItem($attr); + if ($o) { + $this->__setAttr($node, $attr, $o->nodeValue); + }else{ + $this->__setAttr($node, $attr, $default); + } + } + + private function __common_attr($node) + { + $list = array(); + foreach ($node->attributes as $attr) { + if (!in_array($attr->nodeName, + $this->m_AllowAttr)) { + $list[] = $attr->nodeName; + } + } + foreach ($list as $attr) { + $node->removeAttribute($attr); + } + $style = $this->__get_style($node); + $this->__setAttr($node, 'style', $style); + $this->__set_default_attr($node, 'title'); + $this->__set_default_attr($node, 'id'); + $this->__set_default_attr($node, 'class'); + } + + private function __node_img($node){ + $this->__common_attr($node); + + $this->__set_default_attr($node, 'src'); + $this->__set_default_attr($node, 'width'); + $this->__set_default_attr($node, 'height'); + $this->__set_default_attr($node, 'alt'); + $this->__set_default_attr($node, 'align'); + + } + + private function __node_a($node){ + $this->__common_attr($node); + $href = $this->__get_link($node, 'href'); + + $this->__setAttr($node, 'href', $href); + $this->__set_default_attr($node, 'target', '_blank'); + } + + private function __node_embed($node){ + 
$this->__common_attr($node); + $link = $this->__get_link($node, 'src'); + + $this->__setAttr($node, 'src', $link); + $this->__setAttr($node, 'allowscriptaccess', 'never'); + $this->__set_default_attr($node, 'width'); + $this->__set_default_attr($node, 'height'); + } + + private function __node_default($node){ + $this->__common_attr($node); + } } + +function waf($data) +{ + $xss = new XssHtml($data); + $html = $xss->getHtml(); + echo $html; + +} + ?> \ No newline at end of file diff --git a/Application/Admin/Controller/LoginController.class.php b/Application/Admin/Controller/LoginController.class.php index 4df8e42..43aa27a 100644 --- a/Application/Admin/Controller/LoginController.class.php +++ b/Application/Admin/Controller/LoginController.class.php @@ -17,7 +17,7 @@ class LoginController extends Controller { //登陆验证 public function login(){ if(!IS_POST)$this->error("非法请求"); - $member = M('member'); + $member = M('manager'); $username =I('username'); $password =I('password','','md5'); $code = I('verify','','strtolower'); @@ -32,12 +32,12 @@ class LoginController extends Controller { $this->error('账号或密码错误 :(') ; } //验证账户是否被禁用 - if($user['status'] == 0){ - $this->error('账号被禁用,请联系超级管理员 :(') ; - } - if($user['type'] == 1){ - $this->error('您没权限登陆后台 :(') ; - } + //if($user['status'] == 0){ + //$this->error('账号被禁用,请联系超级管理员 :(') ; + //} + //if($user['type'] == 1){ + //$this->error('您没权限登陆后台 :(') ; + //} //验证是否为管理员 //更新登陆信息 $data =array( @@ -55,7 +55,7 @@ class LoginController extends Controller { $ip = get_client_ip(); $time = date("Y-m-d h:i:sa"); $con='您好,您的后台管理账户 '.$username.' 于 '.$time.' 被登录,登录IP地址为 '.$ip.' 如果该操作非您本人操作,可能帐号信息已经被泄露,请您及时修改密码。 '; - SendMail('1009465756@qq.com','应急响应中心后台登录提示',$con,'应急响应中心'); //使用时注意将1009465756@qq.com修改为您的邮箱帐号 + SendMail($user['email'],'应急响应中心后台登录提示',$con,'应急响应中心'); $this->success("登陆成功",U('Index/index')); } //定向之后台主页 
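Review bot: `waf()` at the end of this hunk echoes the filtered markup and returns nothing, so any caller written as `$clean = waf($data)` receives null and the sanitized output lands wherever the call happened to be made; change the body to `return $xss->getHtml();` and let the caller decide whether to print it. The same hunk is repeated verbatim in Application/User/Common/function.php, and the class appears a third time as Application/User/Controller/xsshtml.class.php — three copies of XssHtml will drift, and if two are ever loaded in one request PHP aborts with a class-redeclaration fatal, so keep the one class file and have both function.php files define only `waf()`. The constructor's `$charset` parameter is never used, and if the wrapper on the `$this->m_xss = "" . $this->m_xss . ""` line really is empty (it may simply have been lost in rendering) then `loadHTML()` has no encoding hint and libxml falls back to ISO-8859-1, so non-ASCII input is filtered under the wrong charset — pass the charset through to the document and record `libxml_get_errors()` rather than discarding them with `@`. The docblock above `getHtml()` has come through as mojibake (`ù˺`), presumably a mis-encoded copy of the original comment; re-save the file as UTF-8 so it is readable.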
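Review bot: Commenting out the `$user['status'] == 0` check means a back-office account that has been disabled through the new Manager/delete toggle (which flips `status` between 0 and 1) can still log in, so disabling a manager no longer affects authentication; restore it against the manager row, `if($user['status'] == 0){ $this->error('账号被禁用,请联系超级管理员 :('); }`. Dropping the `type == 1` check is consistent with the switch to the dedicated `manager` table, but that belongs in the commit message — delete the commented-out lines rather than leaving dead code. The `$user` lookup these checks depend on is above the hunk.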
@@ -64,10 +64,10 @@ class LoginController extends Controller {
 }
 //验证码
 public function verify(){
- ob_clean();
+ ob_clean();
 $Verify = new \Think\Verify();
- $Verify->codeSet = '0123456789';
- $Verify->fontSize = 13;
+ $Verify->codeSet = 'AECDEFGHIGJ123456';
+ $Verify->fontSize = 16;
 $Verify->length = 4;
 $Verify->entry();
 }
@@ -81,4 +81,4 @@ class LoginController extends Controller {
 session('username',null);
 redirect(U('Login/index'));
 }
-}
+}
\ No newline at end of file
diff --git a/Application/Admin/Controller/ManagerController.class.php b/Application/Admin/Controller/ManagerController.class.php
new file mode 100644
index 0000000..61b2ce4
--- /dev/null
+++ b/Application/Admin/Controller/ManagerController.class.php
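Review bot: The new `codeSet = 'AECDEFGHIGJ123456'` lists `E` and `G` twice, so those glyphs are drawn at twice the frequency of the others and the effective alphabet is 15 symbols rather than 17; it also keeps `I` next to `1` and `J`, which are hard to distinguish at fontSize 16. A de-duplicated set without the confusable glyph, `$Verify->codeSet = 'ACDEFGHJ123456';`, preserves the intent without the bias. The User module's `verify()` in this same commit uses a different alphabet (`'123456789abcdefg'`); if that difference is not deliberate, share one value between the two controllers.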
@@ -0,0 +1,125 @@ + 12:28 2016/1/26 + * @copyright 2105-2018 SRCMS + * @homepage http://www.src.pw + * @version 1.6 + */ + +/** + * 后台用户管理 + */ +class ManagerController extends BaseController +{ + /** + * 用户列表 + * @return [type] [description] + */ + public function index($key="") + { + if($key == ""){ + $model = M('manager'); + }else{ + $where['username'] = array('like',"%$key%"); + $where['email'] = array('like',"%$key%"); + $where['_logic'] = 'or'; + $model = M('member')->where($where); + } + + $count = $model->where($where)->count();// 查询满足要求的总记录数 + $Page = new \Extend\Page($count,15);// 实例化分页类 传入总记录数和每页显示的记录数(25) + $show = $Page->show();// 分页显示输出 + $member = $model->limit($Page->firstRow.','.$Page->listRows)->where($where)->order('id DESC')->select(); + $this->assign('member', $member); + $this->assign('page',$show); + $this->display(); + } + + /** + * 添加用户 + */ + public function add() + { + //默认显示添加表单 + if (!IS_POST) { + $this->display(); + } + if (IS_POST) { + //如果用户提交数据 + $model = D("Manager"); + if (!$model->field('username,email,password,repassword')->create()) { + // 如果创建失败 表示验证没有通过 输出错误提示信息 + $this->error($model->getError()); + exit(); + } else { + if ($model->add()) { + $this->success("后台用户添加成功", U('manager/index')); + } else { + $this->error("后台用户添加失败"); + } + } + } + } + /** + * 更新后台用户信息 + * @param [type] $id [管理员ID] + * @return [type] [description] + */ + public function update() + { + //默认显示添加表单 + if (!IS_POST) { + $model = M('manager')->find(I('id',0,'intval')); + $this->assign('model',$model); + $this->display(); + } + if (IS_POST) { + $model = D("manager"); + if (!$model->field('username,email,password')->create()) { + $this->error($model->getError()); + }else{ + //验证密码是否为空 + $data = I(); + unset($data['password']); + if(I('password') != ""){ + $data['password'] = md5(I('password')); + } + //更新 + if ($model->save($data)) { + $this->success("用户信息更新成功", U('manager/index')); + } else { + $this->error("未做任何修改,用户信息更新失败"); + } + } + } + } + /** + * 
删除后台用户 + * @param [type] $id [description] + * @return [type] [description] + */ + public function delete() + { + $id = I('get.id',0,'intval'); + if(C('SUPER_ADMIN_ID') == $id) $this->error("超级管理员不可禁用!"); + $model = M('manager'); + //查询status字段值 + $result = $model->find($id); + //更新字段 + $data['id']=$id; + if($result['status'] == 1){ + $data['status']=0; + } + if($result['status'] == 0){ + $data['status']=1; + } + if($model->save($data)){ + $this->success("状态更新成功", U('manager/index')); + }else{ + $this->error("状态更新失败"); + } + } +} diff --git a/Application/Admin/Model/ManagerModel.class.php b/Application/Admin/Model/ManagerModel.class.php new file mode 100644 index 0000000..2891158 --- /dev/null +++ b/Application/Admin/Model/ManagerModel.class.php @@ -0,0 +1,23 @@ + +
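Review bot: In `update()` the `field('username,email,password')->create()` whitelist is immediately undone by `$data = I();` — `save($data)` then writes every field present in the request, including `status` (which `delete()` treats as the enable/disable flag) and an arbitrary `id`, so the validation on the previous line protects nothing. Build `$data` from the whitelisted columns only, as in the excerpt below, and keep the password branch as it is. In `index()` the search branch queries `M('member')` while the no-key branch uses `M('manager')`, so a keyword search lists front-end members on the back-office user page; it should be `M('manager')->where($where)`, and `$where` should be initialised to an empty array before the `if` so the later `->where($where)` calls do not read an undefined variable. `delete()` changes account state from a GET parameter (`I('get.id')`) that any link can trigger without a CSRF token; if the rest of the admin already accepts that pattern, at least rename the action to say that it toggles `status` rather than deleting. Passwords are still stored as unsalted `md5()` here, matching the existing login code, so moving to `password_hash()` would have to be done on both sides at once.
```php
            }else{
                // Persist only the validated columns; I() would let any request
                // field (status, another account's id, ...) reach save().
                $data = array(
                    'id'       => I('id', 0, 'intval'),
                    'username' => I('username'),
                    'email'    => I('email'),
                );
                if(I('password') != ""){
                    $data['password'] = md5(I('password'));
                }
                // … unchanged: save() and success/error handling …
```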
+
+
+ + +
+
+ + +
+
+ + +
+
+ + +
+
+ +
+ + +
+
+ + diff --git a/Application/Admin/View/Manager/index.html b/Application/Admin/View/Manager/index.html new file mode 100644 index 0000000..ce2008f --- /dev/null +++ b/Application/Admin/View/Manager/index.html @@ -0,0 +1,48 @@ + +
+
+ +
+
+
+ + + + +
+
+
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + +
编号用户名邮箱创建时间上次登陆登陆IP操作
{$v.id}{$v.username}{$v.email}{$v.create_at|date="Y/m/d H:i:s",###}{$v.update_at|date="Y/m/d H:i:s",###}{$v.login_ip}编辑
+
+ + \ No newline at end of file diff --git a/Application/Admin/View/Manager/update.html b/Application/Admin/View/Manager/update.html new file mode 100644 index 0000000..e5fdddd --- /dev/null +++ b/Application/Admin/View/Manager/update.html @@ -0,0 +1,25 @@ + +
+
+
+ + +
+
+ + +
+
+ + +
+
+ + +
+ + +
+
+ + \ No newline at end of file diff --git a/Application/Admin/View/Member/add.html b/Application/Admin/View/Member/add.html index f4d8354..65b2af5 100644 --- a/Application/Admin/View/Member/add.html +++ b/Application/Admin/View/Member/add.html @@ -18,12 +18,18 @@
- + + +
diff --git a/Application/Admin/View/Member/index.html b/Application/Admin/View/Member/index.html index 971cd47..5e6e96c 100644 --- a/Application/Admin/View/Member/index.html +++ b/Application/Admin/View/Member/index.html @@ -1,4 +1,4 @@ - +
@@ -41,8 +41,10 @@ {$v.update_at|date="Y/m/d H:i:s",###} {$v.login_ip} - 会员 - 管理员 + 路人 + 实习白帽子 + 普通白帽子 + 核心白帽子 正常禁用 diff --git a/Application/Admin/View/Member/update.html b/Application/Admin/View/Member/update.html index ec6a437..35028a8 100644 --- a/Application/Admin/View/Member/update.html +++ b/Application/Admin/View/Member/update.html @@ -14,12 +14,18 @@
- + + +
diff --git a/Application/Admin/View/Post/update.html b/Application/Admin/View/Post/update.html index 9c59652..c3bcd79 100644 --- a/Application/Admin/View/Post/update.html +++ b/Application/Admin/View/Post/update.html @@ -27,7 +27,7 @@
- +
diff --git a/Application/Admin/View/Public/sidebar.html b/Application/Admin/View/Public/sidebar.html index 5f1dae6..0678c52 100644 --- a/Application/Admin/View/Public/sidebar.html +++ b/Application/Admin/View/Public/sidebar.html @@ -12,9 +12,13 @@ - + diff --git a/Application/Common/Conf/config.php b/Application/Common/Conf/config.php index 80f2ec3..8959683 100644 --- a/Application/Common/Conf/config.php +++ b/Application/Common/Conf/config.php @@ -14,7 +14,6 @@ return array( 'SHOW_ERROR_MSG' => true, //用户注册默认信息 'DEFAULT_SCORE'=>100, - //'LOTTERY_NUM'=>3, //每天最多的抽奖次数 'MAIL_ADDRESS'=>'xxxx@126.com', // 此处填写邮箱地址 'MAIL_SMTP'=>'smtp.126.com', // 邮箱SMTP服务器 'MAIL_LOGINNAME'=>'xxxxx', // 邮箱登录帐号 diff --git a/Application/Home/Controller/HallController.class.php b/Application/Home/Controller/HallController.class.php index 5b9d9b5..e6fbd3c 100644 --- a/Application/Home/Controller/HallController.class.php +++ b/Application/Home/Controller/HallController.class.php @@ -1,7 +1,7 @@ 12:28 2016/1/23 + * @author Zhou Yuyang <1009465756@qq.com> 13:59 2016/1/25 * @copyright 2105-2018 SRCMS * @homepage http://www.src.pw * @version 1.5 @@ -13,7 +13,7 @@ use Think\Controller; class HallController extends Controller{ - public function index() + public function index() { $xuhao = 1; $model = M('member'); diff --git a/Application/User/Common/function.php b/Application/User/Common/function.php index a8733eb..d0f75d2 100644 --- a/Application/User/Common/function.php +++ b/Application/User/Common/function.php 
@@ -1,11 +1,170 @@ m_AllowTag = empty($AllowTag) ? $this->m_AllowTag : $AllowTag; + $this->m_xss = strip_tags($html, '<' . implode('><', $this->m_AllowTag) . '>'); + if (empty($this->m_xss)) { + $this->m_ok = FALSE; + return ; + } + $this->m_xss = "" . $this->m_xss . ""; + $this->m_dom = new DOMDocument(); + $this->m_dom->strictErrorChecking = FALSE; + $this->m_ok = @$this->m_dom->loadHTML($this->m_xss); + } + + /** + * ù˺ + */ + public function getHtml() + { + if (!$this->m_ok) { + return ''; + } + $nodeList = $this->m_dom->getElementsByTagName('*'); + for ($i = 0; $i < $nodeList->length; $i++){ + $node = $nodeList->item($i); + if (in_array($node->nodeName, $this->m_AllowTag)) { + if (method_exists($this, "__node_{$node->nodeName}")) { + call_user_func(array($this, "__node_{$node->nodeName}"), $node); + }else{ + call_user_func(array($this, '__node_default'), $node); + } + } + } + $html = strip_tags($this->m_dom->saveHTML(), '<' . implode('><', $this->m_AllowTag) . '>'); + $html = preg_replace('/^\n(.*)\n$/s', '$1', $html); + return $html; + } + + private function __true_url($url){ + if (preg_match('#^https?://.+#is', $url)) { + return $url; + }else{ + return 'http://' . 
$url; + } + } + + private function __get_style($node){ + if ($node->attributes->getNamedItem('style')) { + $style = $node->attributes->getNamedItem('style')->nodeValue; + $style = str_replace('\\', ' ', $style); + $style = str_replace(array('&#', '/*', '*/'), ' ', $style); + $style = preg_replace('#e.*x.*p.*r.*e.*s.*s.*i.*o.*n#Uis', ' ', $style); + return $style; + }else{ + return ''; + } + } + + private function __get_link($node, $att){ + $link = $node->attributes->getNamedItem($att); + if ($link) { + return $this->__true_url($link->nodeValue); + }else{ + return ''; + } + } + + private function __setAttr($dom, $attr, $val){ + if (!empty($val)) { + $dom->setAttribute($attr, $val); + } + } + + private function __set_default_attr($node, $attr, $default = '') + { + $o = $node->attributes->getNamedItem($attr); + if ($o) { + $this->__setAttr($node, $attr, $o->nodeValue); + }else{ + $this->__setAttr($node, $attr, $default); + } + } + + private function __common_attr($node) + { + $list = array(); + foreach ($node->attributes as $attr) { + if (!in_array($attr->nodeName, + $this->m_AllowAttr)) { + $list[] = $attr->nodeName; + } + } + foreach ($list as $attr) { + $node->removeAttribute($attr); + } + $style = $this->__get_style($node); + $this->__setAttr($node, 'style', $style); + $this->__set_default_attr($node, 'title'); + $this->__set_default_attr($node, 'id'); + $this->__set_default_attr($node, 'class'); + } + + private function __node_img($node){ + $this->__common_attr($node); + + $this->__set_default_attr($node, 'src'); + $this->__set_default_attr($node, 'width'); + $this->__set_default_attr($node, 'height'); + $this->__set_default_attr($node, 'alt'); + $this->__set_default_attr($node, 'align'); + + } + + private function __node_a($node){ + $this->__common_attr($node); + $href = $this->__get_link($node, 'href'); + + $this->__setAttr($node, 'href', $href); + $this->__set_default_attr($node, 'target', '_blank'); + } + + private function __node_embed($node){ + 
$this->__common_attr($node); + $link = $this->__get_link($node, 'src'); + + $this->__setAttr($node, 'src', $link); + $this->__setAttr($node, 'allowscriptaccess', 'never'); + $this->__set_default_attr($node, 'width'); + $this->__set_default_attr($node, 'height'); + } + + private function __node_default($node){ + $this->__common_attr($node); + } } + +function waf($data) +{ + $xss = new XssHtml($data); + $html = $xss->getHtml(); + echo $html; + +} + ?> \ No newline at end of file diff --git a/Application/User/Controller/GiftController.class.php b/Application/User/Controller/GiftController.class.php index c7f7f69..f591bd0 100644 --- a/Application/User/Controller/GiftController.class.php +++ b/Application/User/Controller/GiftController.class.php @@ -40,7 +40,7 @@ class GiftController extends BaseController{ $model = D("order"); $model->user_id = 1; $model->username = 1; - if (!$model->create()) { + if (!$model->field('username,email,password,repassword,gid')->create()) { // 如果创建失败 表示验证没有通过 输出错误提示信息 $this->error($model->getError()); exit(); diff --git a/Application/User/Controller/IndexController.class.php b/Application/User/Controller/IndexController.class.php index 6b8c5e9..17848fd 100644 --- a/Application/User/Controller/IndexController.class.php +++ b/Application/User/Controller/IndexController.class.php @@ -11,6 +11,7 @@ use Think\Controller; class IndexController extends BaseController { public function index(){ + echo waf('111111'); $id = session('userId'); $tmodel= M('setting'); $title = $tmodel->where('id=1')->select(); diff --git a/Application/User/Controller/InfoController.class.php b/Application/User/Controller/InfoController.class.php index 9a86c4e..f47199f 100644 --- a/Application/User/Controller/InfoController.class.php +++ b/Application/User/Controller/InfoController.class.php 
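Review bot: The whitelist `field('username,email,password,repassword,gid')` on the `order` model looks copied from the Member registration form — `password`/`repassword` have no place in an order row, while `user_id`, which the line two above assigns, is not listed, so if `create()` rebuilds the model data from the whitelist the earlier `$model->user_id = 1` assignment is discarded (confirm against OrderModel). Restrict the list to the columns a client may legitimately supply, for example `field('gid')`, and set `user_id` from the session after `create()` rather than before it. The rest of the add action is outside the hunk.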
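Review bot: `echo waf('111111');` is a leftover debug call: it writes to the response before the template is rendered (and `waf()` already echoes internally, so the value echoed here is null), which corrupts the page and any headers or redirects issued later in `index()`. Remove the line; if a smoke test of the filter is wanted, put it in a test rather than on the landing page.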
@@ -3,10 +3,10 @@ namespace User\Controller; use Think\Controller; /** - * @author Zhou Yuyang <1009465756@qq.com> 12:28 2016/1/23 + * @author Zhou Yuyang <1009465756@qq.com> 12:21 2016/1/26 * @copyright 2105-2018 SRCMS * @homepage http://www.src.pw - * @version 1.5 + * @version 1.6 */ class InfoController extends BaseController{ @@ -35,7 +35,7 @@ class InfoController extends BaseController{ $model = D("info"); $model->user_id = 1; $model->username = 1; - if (!$model->create()) { + if (!$model->field('realname,zipcode,location,tel,alipay')->create()) { // 如果创建失败 表示验证没有通过 输出错误提示信息 $this->error($model->getError()); exit(); @@ -67,15 +67,15 @@ class InfoController extends BaseController{ $model = D("info"); $model->user_id = 1; $model->username = 1; - if (!$model->create()) { + if (!$model->field('realname,zipcode,location,tel,alipay')->create()) { // 如果创建失败 表示验证没有通过 输出错误提示信息 $this->error($model->getError()); exit(); } else { if ($model->save()) { - $this->success("更新成功", U('info/index')); + $this->success("联系方式更新成功", U('info/index')); } else { - $this->error("更新失败"); + $this->error("联系方式更新失败"); } } } diff --git a/Application/User/Controller/LoginController.class.php b/Application/User/Controller/LoginController.class.php index 20ebeb4..11df61e 100644 --- a/Application/User/Controller/LoginController.class.php +++ b/Application/User/Controller/LoginController.class.php @@ -59,7 +59,7 @@ class LoginController extends Controller { //验证码 public function verify(){ - ob_clean(); + ob_clean(); $Verify = new \Think\Verify(); $Verify->codeSet = '123456789abcdefg'; $Verify->fontSize = 16; @@ -78,4 +78,4 @@ class LoginController extends Controller { session('username',null); redirect(U('Login/index')); } -} +} \ No newline at end of file diff --git a/Application/User/Controller/PostController.class.php b/Application/User/Controller/PostController.class.php index 2c2968b..7580743 100644 --- a/Application/User/Controller/PostController.class.php 
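Review bot: With `field('realname,zipcode,location,tel,alipay')->create()` the model data no longer contains `id` or `user_id`, so unless InfoModel's auto-completion rules supply a key, the `$model->save()` a few lines below has neither a primary key nor a `where()` and cannot target a row — it will either fail outright or report an error while changing nothing. Scope the update explicitly to the logged-in user, e.g. `$model->where(array('user_id' => session('userId')))->save()`, which also closes the door the old `create()` (which accepted `id` from the request) left open. The same whitelist is applied in the `add()` hunk above, where `$model->user_id = 1` is assigned before `create()` and may likewise be discarded; both enclosing methods start outside the hunks.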
+++ b/Application/User/Controller/PostController.class.php @@ -57,7 +57,7 @@ class PostController extends BaseController $model = D("Post"); $model->time = time(); $model->user_id = 1; - if (!$model->create()) { + if (!$model->field('title,user_id,cate_id,content')->create()) { // 如果创建失败 表示验证没有通过 输出错误提示信息 $this->error($model->getError()); exit(); @@ -77,8 +77,8 @@ class PostController extends BaseController public function view(){ $id = session('userId'); $rid = I('get.rid',0,'intval'); - $model = M("Post"); - $post = $model->where(array('user_id'=>$id,'id'=>$rid))->find(); + $model = M("Post"); + $post = $model->where(array('user_id'=>$id,'id'=>$rid))->find(); //修复越权漏洞 $tmodel= M('setting'); $title = $tmodel->where('id=1')->select(); $this->assign('title', $title); diff --git a/Application/User/Controller/RegController.class.php b/Application/User/Controller/RegController.class.php index fdbd147..f64a107 100644 --- a/Application/User/Controller/RegController.class.php +++ b/Application/User/Controller/RegController.class.php @@ -3,10 +3,10 @@ namespace User\Controller; use Think\Controller; /** - * @author Zhou Yuyang <1009465756@qq.com> 12:28 2016/1/23 + * @author Zhou Yuyang <1009465756@qq.com> 11:28 2016/1/26 * @copyright 2105-2018 SRCMS * @homepage http://www.src.pw - * @version 1.5 + * @version 1.6 */ @@ -38,15 +38,15 @@ class RegController extends Controller{ if (IS_POST) { //如果用户提交数据 $model = D("Member"); - if (!$model->create()) { + if (!$model->field('username,email,password,repassword')->create()) { // 如果创建失败 表示验证没有通过 输出错误提示信息 $this->error($model->getError()); exit(); } else { if ($model->add()) { - $this->success("用户添加成功", U('index/index')); + $this->success("注册成功", U('index/index')); } else { - $this->error("用户添加失败"); + $this->error("注册失败"); } } } diff --git a/Application/User/Controller/xsshtml.class.php b/Application/User/Controller/xsshtml.class.php new file mode 100644 index 0000000..57cbb10 --- /dev/null 
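Review bot: `user_id` is part of the `field('title,user_id,cate_id,content')` whitelist, which means the owner of a new post is accepted from the request body rather than from the session; the `$model->user_id = 1` placeholder on the line above is set before `create()` and is therefore likely to be overwritten by whatever the client submits (confirm how PostModel fills `user_id`). Drop `user_id` from the list and assign it from the session after validation, `$model->user_id = session('userId');`, so that the ownership filter the `view()` hunk in this same file now relies on (`'user_id'=>$id`) is based on a server-set value.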
+++ b/Application/User/Controller/xsshtml.class.php @@ -0,0 +1,187 @@ + in 2014 and placed in +# the public domain. +# +# phithon 编写于20140621 +# 
From: XDSEC & 离别歌 +# Usage: +# '; +# $xss = new XssHtml($html); +# $html = $xss->getHtml(); +# ?\> +# +# 需求: +# PHP Version > 5.0 +# 浏览器版本:IE7+ 或其他浏览器,无法防御IE6及以下版本浏览器中的XSS +# 更多使用选项见 http://phith0n.github.io/XssHtml + +class XssHtml { + private $m_dom; + private $m_xss; + private $m_ok; + private $m_AllowAttr = array('title', 'src', 'href', 'id', 'class', 'style', 'width', 'height', 'alt', 'target', 'align'); + private $m_AllowTag = array('a', 'img', 'br', 'strong', 'b', 'code', 'pre', 'p', 'div', 'em', 'span', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'table', 'ul', 'ol', 'tr', 'th', 'td', 'hr', 'li', 'u'); + + /** + * 构造函数 + * + * @param string $html 待过滤的文本 + * @param string $charset 文本编码,默认utf-8 + * @param array $AllowTag 允许的标签,如果不清楚请保持默认,默认已涵盖大部分功能,不要增加危险标签 + */ + public function __construct($html, $charset = 'utf-8', $AllowTag = array()){ + $this->m_AllowTag = empty($AllowTag) ? $this->m_AllowTag : $AllowTag; + $this->m_xss = strip_tags($html, '<' . implode('><', $this->m_AllowTag) . '>'); + if (empty($this->m_xss)) { + $this->m_ok = FALSE; + return ; + } + $this->m_xss = "" . $this->m_xss . ""; + $this->m_dom = new DOMDocument(); + $this->m_dom->strictErrorChecking = FALSE; + $this->m_ok = @$this->m_dom->loadHTML($this->m_xss); + } + + /** + * 获得过滤后的内容 + */ + public function getHtml() + { + if (!$this->m_ok) { + return ''; + } + $nodeList = $this->m_dom->getElementsByTagName('*'); + for ($i = 0; $i < $nodeList->length; $i++){ + $node = $nodeList->item($i); + if (in_array($node->nodeName, $this->m_AllowTag)) { + if (method_exists($this, "__node_{$node->nodeName}")) { + call_user_func(array($this, "__node_{$node->nodeName}"), $node); + }else{ + call_user_func(array($this, '__node_default'), $node); + } + } + } + $html = strip_tags($this->m_dom->saveHTML(), '<' . implode('><', $this->m_AllowTag) . 
'>'); + $html = preg_replace('/^\n(.*)\n$/s', '$1', $html); + return $html; + } + + private function __true_url($url){ + if (preg_match('#^https?://.+#is', $url)) { + return $url; + }else{ + return 'http://' . $url; + } + } + + private function __get_style($node){ + if ($node->attributes->getNamedItem('style')) { + $style = $node->attributes->getNamedItem('style')->nodeValue; + $style = str_replace('\\', ' ', $style); + $style = str_replace(array('&#', '/*', '*/'), ' ', $style); + $style = preg_replace('#e.*x.*p.*r.*e.*s.*s.*i.*o.*n#Uis', ' ', $style); + return $style; + }else{ + return ''; + } + } + + private function __get_link($node, $att){ + $link = $node->attributes->getNamedItem($att); + if ($link) { + return $this->__true_url($link->nodeValue); + }else{ + return ''; + } + } + + private function __setAttr($dom, $attr, $val){ + if (!empty($val)) { + $dom->setAttribute($attr, $val); + } + } + + private function __set_default_attr($node, $attr, $default = '') + { + $o = $node->attributes->getNamedItem($attr); + if ($o) { + $this->__setAttr($node, $attr, $o->nodeValue); + }else{ + $this->__setAttr($node, $attr, $default); + } + } + + private function __common_attr($node) + { + $list = array(); + foreach ($node->attributes as $attr) { + if (!in_array($attr->nodeName, + $this->m_AllowAttr)) { + $list[] = $attr->nodeName; + } + } + foreach ($list as $attr) { + $node->removeAttribute($attr); + } + $style = $this->__get_style($node); + $this->__setAttr($node, 'style', $style); + $this->__set_default_attr($node, 'title'); + $this->__set_default_attr($node, 'id'); + $this->__set_default_attr($node, 'class'); + } + + private function __node_img($node){ + $this->__common_attr($node); + + $this->__set_default_attr($node, 'src'); + $this->__set_default_attr($node, 'width'); + $this->__set_default_attr($node, 'height'); + $this->__set_default_attr($node, 'alt'); + $this->__set_default_attr($node, 'align'); + + } + + private function __node_a($node){ + 
$this->__common_attr($node); + $href = $this->__get_link($node, 'href'); + + $this->__setAttr($node, 'href', $href); + $this->__set_default_attr($node, 'target', '_blank'); + } + + private function __node_embed($node){ + $this->__common_attr($node); + $link = $this->__get_link($node, 'src'); + + $this->__setAttr($node, 'src', $link); + $this->__setAttr($node, 'allowscriptaccess', 'never'); + $this->__set_default_attr($node, 'width'); + $this->__set_default_attr($node, 'height'); + } + + private function __node_default($node){ + $this->__common_attr($node); + } +} + +// if(php_sapi_name() == "cli"){ +// $html = $argv[1]; +// $xss = new XssHtml($html); +// $html = $xss->getHtml(); +// echo "'$html'"; +// } +?> \ No newline at end of file diff --git a/Application/User/Model/MemberModel.class.php b/Application/User/Model/MemberModel.class.php index 9530519..236683d 100644 --- a/Application/User/Model/MemberModel.class.php +++ b/Application/User/Model/MemberModel.class.php @@ -8,8 +8,8 @@ class MemberModel extends Model{ array('email','email','邮箱格式错误!'), //默认情况下用正则进行验证 array('password','require','请填写密码!','','',self::MODEL_INSERT), //默认情况下用正则进行验证 array('repassword','password','确认密码不正确',0,'confirm'), // 验证确认密码是否和密码一致 - array('username','','用户名已存在!',0,'unique',self::MODEL_BOTH), // 在新增的时候验证name字段是否唯一 - array('email','','邮箱已存在!',0,'unique',self::MODEL_BOTH), // 在新增的时候验证name字段是否唯一 + array('username','','该用户名已存在',0,'unique',self::MODEL_BOTH), // 在新增的时候验证name字段是否唯一 + array('email','','该邮箱已存在',0,'unique',self::MODEL_BOTH), // 在新增的时候验证name字段是否唯一 ); protected $_auto = array( diff --git a/Application/User/View/Reg/index.html b/Application/User/View/Reg/index.html index 885e771..7d25d7e 100644 --- a/Application/User/View/Reg/index.html +++ b/Application/User/View/Reg/index.html @@ -3,40 +3,56 @@ - 应急响应中心 - + <foreach name="title" item="v">{$v.value}</foreach>安全应急响应中心 - + + - - - + +
+