
完善dedebiz首页防篡改功能

tags/6.0.2
tianya hace 3 años
padre
commit
43061345e4
Se han modificado 4 ficheros con 146 adiciones y 176 borrados
  1. +127
    -161
      src/dede/article_add.php
  2. +4
    -1
      src/dede/makehtml_homepage.php
  3. +1
    -1
      src/dede/templets/index_body.htm
  4. +14
    -13
      src/dede/templets/makehtml_homepage.htm

+ 127
- 161
src/dede/article_add.php Ver fichero

@@ -1,4 +1,5 @@
<?php
/**
* 文档发布
*
@@ -8,208 +9,182 @@
* @license https://www.dedebiz.com/license
* @link https://www.dedebiz.com
*/
require_once(dirname(__FILE__).'/config.php');
require_once(dirname(__FILE__) . '/config.php');
CheckPurview('a_New,a_AccNew');
require_once(DEDEINC.'/customfields.func.php');
require_once(DEDEADMIN.'/inc/inc_archives_functions.php');
if(file_exists(DEDEDATA.'/template.rand.php'))
{
require_once(DEDEDATA.'/template.rand.php');
require_once(DEDEINC . '/customfields.func.php');
require_once(DEDEADMIN . '/inc/inc_archives_functions.php');
if (file_exists(DEDEDATA . '/template.rand.php')) {
require_once(DEDEDATA . '/template.rand.php');
}
if(empty($dopost)) $dopost = '';
if (empty($dopost)) $dopost = '';
if($dopost!='save')
{
require_once(DEDEINC."/dedetag.class.php");
require_once(DEDEADMIN."/inc/inc_catalog_options.php");
if ($dopost != 'save') {
require_once(DEDEINC . "/dedetag.class.php");
require_once(DEDEADMIN . "/inc/inc_catalog_options.php");
ClearMyAddon();
$channelid = empty($channelid) ? 0 : intval($channelid);
$cid = empty($cid) ? 0 : intval($cid);
if(empty($litpic_b64)) $litpic_b64 = '';
if (empty($litpic_b64)) $litpic_b64 = '';
if (empty($geturl)) $geturl = '';
if(empty($geturl)) $geturl = '';
$keywords = $writer = $source = $body = $description = $title = '';
//采集单个网页
if(preg_match("#^http:\/\/#", $geturl))
{
require_once(DEDEADMIN."/inc/inc_coonepage.php");
if (preg_match("#^http:\/\/#", $geturl)) {
require_once(DEDEADMIN . "/inc/inc_coonepage.php");
$redatas = CoOnePage($geturl);
extract($redatas);
}
//获得频道模型ID
if($cid>0 && $channelid==0)
{
if ($cid > 0 && $channelid == 0) {
$row = $dsql->GetOne("Select channeltype From `#@__arctype` where id='$cid'; ");
$channelid = $row['channeltype'];
}
else
{
if($channelid==0)
{
} else {
if ($channelid == 0) {
$channelid = 1;
}
}
//获得频道模型信息
$cInfos = $dsql->GetOne(" Select * From `#@__channeltype` where id='$channelid' ");
//获取文章最大id以确定当前权重
$maxWright = $dsql->GetOne("SELECT COUNT(*) AS cc FROM #@__archives");
$maxWright = $dsql->GetOne("SELECT COUNT(*) AS cc FROM `#@__archives`");
include DedeInclude("templets/article_add.htm");
exit();
}
/*--------------------------------
function __save(){ }
-------------------------------*/
else if($dopost=='save')
{
require_once(DEDEINC.'/image.func.php');
require_once(DEDEINC.'/oxwindow.class.php');
$flag = isset($flags) ? join(',',$flags) : '';
$notpost = isset($notpost) && $notpost == 1 ? 1: 0;
if(empty($typeid2)) $typeid2 = '';
if(!isset($autokey)) $autokey = 0;
if(!isset($remote)) $remote = 0;
if(!isset($dellink)) $dellink = 0;
if(!isset($autolitpic)) $autolitpic = 0;
if(empty($click)) $click = ($cfg_arc_click=='-1' ? mt_rand(50, 200) : $cfg_arc_click);
if(empty($typeid))
{
ShowMsg("请指定文档的栏目!","-1");
-------------------------------*/ else if ($dopost == 'save') {
require_once(DEDEINC . '/image.func.php');
require_once(DEDEINC . '/oxwindow.class.php');
$flag = isset($flags) ? join(',', $flags) : '';
$notpost = isset($notpost) && $notpost == 1 ? 1 : 0;
if (empty($typeid2)) $typeid2 = '';
if (!isset($autokey)) $autokey = 0;
if (!isset($remote)) $remote = 0;
if (!isset($dellink)) $dellink = 0;
if (!isset($autolitpic)) $autolitpic = 0;
if (empty($click)) $click = ($cfg_arc_click == '-1' ? mt_rand(50, 200) : $cfg_arc_click);
if (empty($typeid)) {
ShowMsg("请指定文档的栏目!", "-1");
exit();
}
if(empty($channelid))
{
ShowMsg("文档为非指定的类型,请检查你发布内容的表单是否合法!","-1");
if (empty($channelid)) {
ShowMsg("文档为非指定的类型,请检查你发布内容的表单是否合法!", "-1");
exit();
}
if(!CheckChannel($typeid,$channelid))
{
ShowMsg("你所选择的栏目与当前模型不相符,请选择白色的选项!","-1");
if (!CheckChannel($typeid, $channelid)) {
ShowMsg("你所选择的栏目与当前模型不相符,请选择白色的选项!", "-1");
exit();
}
if(!TestPurview('a_New'))
{
CheckCatalog($typeid,"对不起,你没有操作栏目 {$typeid} 的权限!");
if (!TestPurview('a_New')) {
CheckCatalog($typeid, "对不起,你没有操作栏目 {$typeid} 的权限!");
}
//对保存的内容进行处理
if(empty($writer))$writer=$cuserLogin->getUserName();
if(empty($source))$source='未知';
if (empty($writer)) $writer = $cuserLogin->getUserName();
if (empty($source)) $source = '未知';
$pubdate = GetMkTime($pubdate);
$senddate = time();
$sortrank = AddDay($pubdate,$sortup);
$ismake = $ishtml==0 ? -1 : 0;
$sortrank = AddDay($pubdate, $sortup);
$ismake = $ishtml == 0 ? -1 : 0;
$title = preg_replace("#\"#", '"', $title);
$title = dede_htmlspecialchars(cn_substrR($title,$cfg_title_maxlen));
$shorttitle = cn_substrR($shorttitle,36);
$color = cn_substrR($color,7);
$writer = cn_substrR($writer,20);
$source = cn_substrR($source,30);
$description = cn_substrR($description,$cfg_auot_description);
$keywords = cn_substrR($keywords,60);
$filename = trim(cn_substrR($filename,40));
$title = dede_htmlspecialchars(cn_substrR($title, $cfg_title_maxlen));
$shorttitle = cn_substrR($shorttitle, 36);
$color = cn_substrR($color, 7);
$writer = cn_substrR($writer, 20);
$source = cn_substrR($source, 30);
$description = cn_substrR($description, $cfg_auot_description);
$keywords = cn_substrR($keywords, 60);
$filename = trim(cn_substrR($filename, 40));
$userip = GetIP();
$isremote = 0;
$serviterm=empty($serviterm)? "" : $serviterm;
$serviterm = empty($serviterm) ? "" : $serviterm;
if(!TestPurview('a_Check,a_AccCheck,a_MyCheck'))
{
if (!TestPurview('a_Check,a_AccCheck,a_MyCheck')) {
$arcrank = -1;
}
$adminid = $cuserLogin->getUserID();
//处理上传的缩略图
if(empty($ddisremote))
{
if (empty($ddisremote)) {
$ddisremote = 0;
}
$litpic = GetDDImage('none', $picname, $ddisremote);
// 处理新的缩略图上传
if ($litpic_b64 != "") {
$data = explode( ',', $litpic_b64 );
$data = explode(',', $litpic_b64);
$ntime = time();
$savepath = $ddcfg_image_dir.'/'.MyDate($cfg_addon_savetype, $ntime);
$savepath = $ddcfg_image_dir . '/' . MyDate($cfg_addon_savetype, $ntime);
CreateDir($savepath);
$fullUrl = $savepath.'/'.dd2char(MyDate('mdHis', $ntime).$cuserLogin->getUserID().mt_rand(1000, 9999));
$fullUrl = $fullUrl.".png";
file_put_contents($cfg_basedir.$fullUrl, base64_decode( $data[ 1 ] ));
$fullUrl = $savepath . '/' . dd2char(MyDate('mdHis', $ntime) . $cuserLogin->getUserID() . mt_rand(1000, 9999));
$fullUrl = $fullUrl . ".png";
file_put_contents($cfg_basedir . $fullUrl, base64_decode($data[1]));
// 加水印
WaterImg($cfg_basedir.$fullUrl, 'up');
WaterImg($cfg_basedir . $fullUrl, 'up');
$litpic = $fullUrl;
}
//生成文档ID
$arcID = GetIndexKey($arcrank,$typeid,$sortrank,$channelid,$senddate,$adminid);
if(empty($arcID))
{
ShowMsg("无法获得主键,因此无法进行后续操作!","-1");
$arcID = GetIndexKey($arcrank, $typeid, $sortrank, $channelid, $senddate, $adminid);
if (empty($arcID)) {
ShowMsg("无法获得主键,因此无法进行后续操作!", "-1");
exit();
}
if(trim($title) == '')
{
if (trim($title) == '') {
ShowMsg('标题不能为空', '-1');
exit();
}
//处理body字段自动摘要、自动提取缩略图等
$body = AnalyseHtmlBody($body,$description,$litpic,$keywords,'htmltext');
$body = AnalyseHtmlBody($body, $description, $litpic, $keywords, 'htmltext');
//自动分页
if($sptype=='auto')
{
$body = SpLongBody($body,$spsize*1024,"#p#分页标题#e#");
if ($sptype == 'auto') {
$body = SpLongBody($body, $spsize * 1024, "#p#分页标题#e#");
}
//分析处理附加表数据
$inadd_f = $inadd_v = '';
if(!empty($dede_addonfields))
{
$addonfields = explode(';',$dede_addonfields);
if(is_array($addonfields))
{
foreach($addonfields as $v)
{
if($v=='') continue;
$vs = explode(',',$v);
if($vs[1]=='htmltext'||$vs[1]=='textdata')
{
${$vs[0]} = AnalyseHtmlBody(${$vs[0]},$description,$litpic,$keywords,$vs[1]);
if (!empty($dede_addonfields)) {
$addonfields = explode(';', $dede_addonfields);
if (is_array($addonfields)) {
foreach ($addonfields as $v) {
if ($v == '') continue;
$vs = explode(',', $v);
if ($vs[1] == 'htmltext' || $vs[1] == 'textdata') {
${$vs[0]} = AnalyseHtmlBody(${$vs[0]}, $description, $litpic, $keywords, $vs[1]);
} else {
if (!isset(${$vs[0]})) ${$vs[0]} = '';
${$vs[0]} = GetFieldValueA(${$vs[0]}, $vs[1], $arcID);
}
else
{
if(!isset(${$vs[0]})) ${$vs[0]} = '';
${$vs[0]} = GetFieldValueA(${$vs[0]},$vs[1],$arcID);
}
$inadd_f .= ','.$vs[0];
$inadd_v .= " ,'".${$vs[0]}."' ";
$inadd_f .= ',' . $vs[0];
$inadd_v .= " ,'" . ${$vs[0]} . "' ";
}
}
}
//处理图片文档的自定义属性
if($litpic!='' && !preg_match("#p#", $flag))
{
$flag = ($flag=='' ? 'p' : $flag.',p');
if ($litpic != '' && !preg_match("#p#", $flag)) {
$flag = ($flag == '' ? 'p' : $flag . ',p');
}
if($redirecturl!='' && !preg_match("#j#", $flag))
{
$flag = ($flag=='' ? 'j' : $flag.',j');
if ($redirecturl != '' && !preg_match("#j#", $flag)) {
$flag = ($flag == '' ? 'j' : $flag . ',j');
}
//跳转网址的文档强制为动态
if(preg_match("#j#", $flag)) $ismake = -1;
if (preg_match("#j#", $flag)) $ismake = -1;
//保存到主表
$query = "INSERT INTO `#@__archives`(id,typeid,typeid2,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle,
@@ -218,69 +193,60 @@ else if($dopost=='save')
'$title','$shorttitle','$color','$writer','$source','$litpic','$pubdate','$senddate',
'$adminid','0','$notpost','$description','$keywords','$filename','$adminid','$weight');";
if(!$dsql->ExecuteNoneQuery($query))
{
if (!$dsql->ExecuteNoneQuery($query)) {
$gerr = $dsql->GetError();
$dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'");
ShowMsg("把数据保存到数据库主表 `#@__archives` 时出错,请把相关信息提交给DedeCMS官方。".str_replace('"','',$gerr),"javascript:;");
ShowMsg("把数据保存到数据库主表 `#@__archives` 时出错,请把相关信息提交给DedeCMS官方。" . str_replace('"', '', $gerr), "javascript:;");
exit();
}
//保存到附加表
$cts = $dsql->GetOne("SELECT addtable FROM `#@__channeltype` WHERE id='$channelid' ");
$addtable = trim($cts['addtable']);
if(empty($addtable))
{
if (empty($addtable)) {
$dsql->ExecuteNoneQuery("DELETE FROM `#@__archives` WHERE id='$arcID'");
$dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'");
ShowMsg("没找到当前模型[{$channelid}]的主表信息,无法完成操作!。","javascript:;");
ShowMsg("没找到当前模型[{$channelid}]的主表信息,无法完成操作!。", "javascript:;");
exit();
}
$useip = GetIP();
$templet = empty($templet) ? '' : $templet;
$query = "INSERT INTO `{$addtable}`(aid,typeid,redirecturl,templet,userip,body{$inadd_f}) Values('$arcID','$typeid','$redirecturl','$templet','$useip','$body'{$inadd_v})";
if(!$dsql->ExecuteNoneQuery($query))
{
if (!$dsql->ExecuteNoneQuery($query)) {
$gerr = $dsql->GetError();
$dsql->ExecuteNoneQuery("Delete From `#@__archives` where id='$arcID'");
$dsql->ExecuteNoneQuery("Delete From `#@__arctiny` where id='$arcID'");
ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCMS官方。".str_replace('"','',$gerr),"javascript:;");
ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCMS官方。" . str_replace('"', '', $gerr), "javascript:;");
exit();
}
//生成HTML
InsertTags($tags,$arcID);
if($cfg_remote_site=='Y' && $isremote=="1")
{
if($serviterm!=""){
list($servurl,$servuser,$servpwd) = explode(',',$serviterm);
$config=array( 'hostname' => $servurl, 'username' => $servuser, 'password' => $servpwd,'debug' => 'TRUE');
}else{
$config=array();
InsertTags($tags, $arcID);
if ($cfg_remote_site == 'Y' && $isremote == "1") {
if ($serviterm != "") {
list($servurl, $servuser, $servpwd) = explode(',', $serviterm);
$config = array('hostname' => $servurl, 'username' => $servuser, 'password' => $servpwd, 'debug' => 'TRUE');
} else {
$config = array();
}
if (!$ftp->connect($config)) exit('Error:None FTP Connection!');
}
$picTitle = false;
if (count($_SESSION['bigfile_info']) > 0) {
foreach ($_SESSION['bigfile_info'] as $k => $v) {
if (!empty($v)) {
$pictitle = ${'picinfook' . $k};
$titleSet = '';
if (!empty($pictitle)) {
$picTitle = TRUE;
$titleSet = ",title='{$pictitle}'";
}
$dsql->ExecuteNoneQuery("UPDATE `#@__uploads` SET arcid='{$arcID}'{$titleSet} WHERE url LIKE '{$v}'; ");
}
}
if(!$ftp->connect($config)) exit('Error:None FTP Connection!');
}
$picTitle = false;
if(count($_SESSION['bigfile_info']) > 0)
{
foreach ($_SESSION['bigfile_info'] as $k => $v)
{
if(!empty($v))
{
$pictitle = ${'picinfook'.$k};
$titleSet = '';
if(!empty($pictitle))
{
$picTitle = TRUE;
$titleSet = ",title='{$pictitle}'";
}
$dsql->ExecuteNoneQuery("UPDATE `#@__uploads` SET arcid='{$arcID}'{$titleSet} WHERE url LIKE '{$v}'; ");
}
}
}
$artUrl = MakeArt($arcID,true,true,$isremote);
if($artUrl=='')
{
$artUrl = $cfg_phpurl."/view.php?aid=$arcID";
$artUrl = MakeArt($arcID, true, true, $isremote);
if ($artUrl == '') {
$artUrl = $cfg_phpurl . "/view.php?aid=$arcID";
}
ClearMyAddon($arcID, $title);
@@ -290,7 +256,7 @@ else if($dopost=='save')
if (isset(${$key}) && !empty(${$key})) {
$ids = explode(",", ${$key});
foreach ($ids as $id) {
MakeArt($id,true,true,$isremote);
MakeArt($id, true, true, $isremote);
}
}
}
@@ -302,18 +268,18 @@ else if($dopost=='save')
&nbsp;&nbsp;
<a href='$artUrl' target='_blank' class='btn btn-secondary btn-sm'>查看文章</a>
&nbsp;&nbsp;
<a href='archives_do.php?aid=".$arcID."&dopost=editArchives' class='btn btn-secondary btn-sm'>更改文章</a>
<a href='archives_do.php?aid=" . $arcID . "&dopost=editArchives' class='btn btn-secondary btn-sm'>更改文章</a>
&nbsp;&nbsp;
<a href='catalog_do.php?cid=$typeid&dopost=listArchives' class='btn btn-secondary btn-sm'>已发布文章管理</a>
&nbsp;&nbsp;
$backurl
";
$msg = "<div style=\"line-height:36px;height:36px\">{$msg}</div>".GetUpdateTest();
$msg = "<div style=\"line-height:36px;height:36px\">{$msg}</div>" . GetUpdateTest();
$wintitle = "成功发布文章!";
$wecome_info = "文章管理::发布文章";
$win = new OxWindow();
$win->AddTitle("成功发布文章:");
$win->AddMsgItem($msg);
$winform = $win->GetWindow("hand","&nbsp;",false);
$winform = $win->GetWindow("hand", "&nbsp;", false);
$win->Display();
}
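Review bot: The base64 thumbnail branch in the second hunk still reads `$data[1]` without checking that `explode(',', $litpic_b64)` produced two parts, that the payload actually decoded as base64, or that the decoded bytes are image data, yet it always stores them under a `.png` name via `file_put_contents`, whose return value is not checked either. A decode or validation failure should stop the save rather than leave a non-image file in the upload directory; the rewrite below validates the data before writing and leaves the path construction and watermark call unchanged. The enclosing `if ($dopost == 'save')` branch spans the remaining hunks of this section. Separately, `$dede_addonfields` drives both the variable-variable lookups `${$vs[0]}` and the column list appended to `$inadd_f`; unless those names are validated against the channel's configured fields somewhere not shown here, that is worth confirming.
```php
if ($litpic_b64 != "") {
    $data = explode(',', $litpic_b64, 2);
    $bin = count($data) === 2 ? base64_decode($data[1], true) : false;
    if ($bin === false || getimagesizefromstring($bin) === false) {
        ShowMsg("缩略图数据无效!", "-1");
        exit();
    }
    // … unchanged: $ntime, $savepath, CreateDir, $fullUrl construction …
    if (file_put_contents($cfg_basedir . $fullUrl, $bin) === false) {
        ShowMsg("缩略图保存失败!", "-1");
        exit();
    }
    // … unchanged: WaterImg call, $litpic = $fullUrl …
}
```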

+ 4
- 1
src/dede/makehtml_homepage.php Ver fichero

@@ -26,7 +26,10 @@ if ($dopost == "view") {
$client->appid = $cfg_bizcore_appid;
$client->key = $cfg_bizcore_key;
$data = $client->AdminPWDExists();
if ($data->data == "false") {
$data = json_decode($data->data);
$rs = (array)($data->result);
if ($rs["admin_pwd_exists"] == "false") {
// 设定dedebiz admin密码
if ($dedebiz_admin == "" || $dedebiz_admin !== $re_dedebiz_admin) {
echo "<link rel=\"stylesheet\" href=\"{$cfg_cmsurl}/static/css/bootstrap.min.css\"><style>.modal {position: static;}</style>";
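Review bot: `if ($rs["admin_pwd_exists"] == "false") {` assumes both `json_decode($data->data)` and the `result` member succeeded; on an empty or malformed component response `$data` is null, `$data->result` only warns, `$rs` becomes an empty array and the missing key compares unequal to "false", so the password-setup branch is skipped silently instead of failing visibly. Since this gates the DedeBIZ operation password, check the decode explicitly before the comparison, e.g. `if (!is_object($data) || !isset($data->result)) { ShowMsg("无法读取DedeBIZ组件状态", "-1"); exit(); }` placed right after the `json_decode` line. The same pattern is introduced in src/dede/templets/makehtml_homepage.htm at the `@@ -90,13 +90,14 @@` hunk. The enclosing `if ($dopost == "view")` block starts and ends outside this hunk.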


+ 1
- 1
src/dede/templets/index_body.htm Ver fichero

@@ -426,7 +426,7 @@
`;
}
if (rsp.result.core.code != 200) {
if (rsp.result.core === null || rsp.result.core.code != 200) {
// 下面是DedeBIZ Core组件信息
infoStr += `
<tr>
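Review bot: The new guard tests `rsp.result.core === null` while the same condition keeps the loose `!= 200` comparison, and a `core` property that is absent (undefined rather than null) would still pass the guard and throw on `.code`. If the component can omit the field, `if (rsp.result.core == null || rsp.result.core.code != 200) {` covers both null and undefined in one check; whether the service returns either is not visible here. The enclosing function continues outside the hunk.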


+ 14
- 13
src/dede/templets/makehtml_homepage.htm Ver fichero

@@ -81,7 +81,7 @@
</tr>
<tr>
<td height="20" colspan="2" valign="top" bgcolor="#dee2e6">
首页防篡改(主页位置更改请重新启动DedeBIZ商业组件)
首页防篡改(主页位置更改请重新启动DedeBIZ商业组件)
</td>
</tr>
<?php
@@ -90,13 +90,14 @@
$client->appid = $cfg_bizcore_appid;
$client->key = $cfg_bizcore_key;
$data = $client->AdminPWDExists();
$rs = (array)json_decode($data->data);
$data = json_decode($data->data);
$rs = (array)($data->result);
if($rs["admin_pwd_exists"] == "false") {?>
<tr>
<td height="20" valign="top" bgcolor="#FFFFFF">设置DedeBIZ操作密码:</td>
<td height="20" valign="top" bgcolor="#FFFFFF">
<input name="dedebiz_admin" type="password" id="dedebiz_admin" value="" size="30">
<input name="dedebiz_admin" type="password" id="dedebiz_admin" value="" size="30">
设定后所有的DedeBIZ涉及安全操作输入当前操作密码
</td>
</tr>
@@ -107,12 +108,12 @@
</td>
</tr>
<?php }else{ ?>
<tr>
<td height="20" valign="top" bgcolor="#FFFFFF">DedeBIZ操作密码:</td>
<td height="20" valign="top" bgcolor="#FFFFFF">
<input name="dedebiz_admin" type="password" id="dedebiz_admin" value="" size="30">
</td>
</tr>
<tr>
<td height="20" valign="top" bgcolor="#FFFFFF">DedeBIZ操作密码:</td>
<td height="20" valign="top" bgcolor="#FFFFFF">
<input name="dedebiz_admin" type="password" id="dedebiz_admin" value="" size="30">
</td>
</tr>
<?php
}
}?>
@@ -120,11 +121,11 @@
<td height="20" valign="top" bgcolor="#FFFFFF">首页状态:</td>
<td height="20" valign="top" bgcolor="#FFFFFF">
<label><input name="lockindex" type="radio" class="np" value="unlock"
<?php echo ($rs['index_lock_state']==true)? "checked='checked'" : "";?> />
解锁</label>
<?php echo ($rs['index_lock_state']==true)? "checked='checked'" : "";?> />
解锁</label>
<label><input name="lockindex" type="radio" value="lock" class="np"
<?php echo ($row['index_lock_state']==false)? "checked='checked'" : "";?> />
锁定</label>
<?php echo ($row['index_lock_state']==false)? "checked='checked'" : "";?> />
锁定</label>
</td>
</tr>
<tr>
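Review bot: In the last hunk the 锁定 radio is checked from `$row['index_lock_state']` while the 解锁 radio two lines above reads `$rs['index_lock_state']`; unless `$row` is assigned earlier in this template (not visible here) it is undefined, `null == false` is true, and 锁定 is pre-selected regardless of the real lock state. Both radios should read the same variable, e.g. `<?php echo ($rs['index_lock_state'] == false) ? "checked='checked'" : ""; ?>` for the 锁定 case. Note also that `== true` against a string is true for any non-empty string including "false", so if the component reports the state as a string (the `admin_pwd_exists` check in the previous hunk compares against the string "false") the 解锁 condition should compare against the actual representation rather than a boolean. The missing `json_decode`/`result` existence check in the `@@ -90,13 +90,14 @@` hunk is the same point raised on src/dede/makehtml_homepage.php. The `if($rs["admin_pwd_exists"] == "false")` branch structure spans several hunks of this section.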

