xiaoz
/
onenav
mirror of https://github.com/helloxz/onenav.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

20220315

pull/55/head
xiaoz 3 years ago
parent
c755c37ea5
commit
95b19a687b
2 changed files with 9 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      data/update.log
  2. 7
      index.php

3
data/update.log
Unescape View File

@ -63,3 +63,6 @@ CREATE INDEX on_options_key_IDX ON on_options ("key");
1. 新增API:根据ID查询单个分类信息 1. 新增API:根据ID查询单个分类信息
2. 修复后台编辑链接,分类信息显示不正确 2. 修复后台编辑链接,分类信息显示不正确
3. 书签导入时文件名过滤 3. 书签导入时文件名过滤
20220315
1. 修复一个任意文件漏洞

7
index.php
Unescape View File

@ -43,8 +43,11 @@ if((!isset($c)) || ($c == '')){
else{ else{
//对请求参数进行过滤,同时检查文件是否存在 //对请求参数进行过滤,同时检查文件是否存在
$c = str_replace('../','',$c); $c = str_replace('\\','/',$c);
$c = str_replace('./','',$c); $pattern = "%\./%";
if ( preg_match_all($pattern,$c) ) {
exit('非法请求!');
}
//控制器文件 //控制器文件
$controller_file = "./controller/".$c.'.php'; $controller_file = "./controller/".$c.'.php';
if( file_exists($controller_file) ) { if( file_exists($controller_file) ) {

Write Preview
Loading…
Cancel
Save