diff --git a/src/admin/recycling.php b/src/admin/recycling.php
index fa046974..bb80c94b 100644
--- a/src/admin/recycling.php
+++ b/src/admin/recycling.php
@@ -15,6 +15,7 @@ if (empty($cid)) {
 $cid = '0';
 $whereSql = '';
 }
+$cid = intval($cid);
 if ($cid != 0) {
 require_once(DEDEINC.'/channelunit.func.php');
 $whereSql = " AND arc.typeid IN (".GetSonIds($cid).")";
diff --git a/src/admin/search_keywords_main.php b/src/admin/search_keywords_main.php
index e6e03e47..48466747 100644
--- a/src/admin/search_keywords_main.php
+++ b/src/admin/search_keywords_main.php
@@ -14,6 +14,9 @@ if (empty($pagesize)) $pagesize = 30;
 if (empty($pageno)) $pageno = 1;
 if (empty($dopost)) $dopost = '';
 if (empty($orderby)) $orderby = 'aid';
+$orderby = HtmlReplace($orderby, -1);
+$pageno = intval($pageno);
+$pagesize = intval($pagesize);
 //重载列表
 if ($dopost == 'getlist') {
 AjaxHead();
diff --git a/src/admin/templets_one_add.php b/src/admin/templets_one_add.php
index 206bcee4..5c695aab 100644
--- a/src/admin/templets_one_add.php
+++ b/src/admin/templets_one_add.php
@@ -21,6 +21,10 @@ if ($dopost == "save") {
 ShowMsg("文件扩展名已被系统禁止", "javascript:;");
 exit();
 }
+    if (!preg_match('#\.html$#i', trim($filename))) {
+        ShowMsg("文件扩展名已被系统禁止", "javascript:;");
+        exit();
+    }
 if ($likeid == '') {
 $likeid = $likeidsel;
 }
diff --git a/src/admin/templets_one_edit.php b/src/admin/templets_one_edit.php
index 37fda934..cad1dd28 100644
--- a/src/admin/templets_one_edit.php
+++ b/src/admin/templets_one_edit.php
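Review bot: The added cast `$cid = intval($cid);` sits after the `empty()` branch, so a non-empty but non-numeric `$cid` becomes 0, skips the `if ($cid != 0)` branch, and leaves `$whereSql` unassigned unless it is initialized above the hunk (not visible here). Initialize it unconditionally next to the cast, `$cid = intval($cid); $whereSql = '';`, or move the cast above the `empty()` check so both branches see the integer. With an integer `$cid` the value reaching `GetSonIds($cid)` and the `IN (...)` clause is no longer caller-controlled text, which is the point of the change; the surrounding code continues outside the hunk.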
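Review bot: `$orderby = HtmlReplace($orderby, -1);` is an HTML-escaping step, which does not make `$orderby` safe as a sort column if it is interpolated into an ORDER BY clause further down (not visible in the hunk); escaping for output and validating an SQL identifier are different problems. Constrain it to the known column names instead, e.g. `if (!in_array($orderby, array('aid', /* other sortable columns: PLACEHOLDER */), true)) $orderby = 'aid';`, which makes the escaping step unnecessary. The `intval()` casts on `$pageno` and `$pagesize` can still yield 0 or a negative number after the `empty()` defaults above them; `$pageno = max(1, intval($pageno));` and `$pagesize = max(1, intval($pagesize));` keep the paging arithmetic well-defined.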
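Review bot: The new check matches against `trim($filename)` but leaves `$filename` itself untrimmed for the code that follows (outside the hunk), so a name with surrounding whitespace passes the check yet is presumably saved with the whitespace; normalize first with `$filename = trim($filename);` and then match. The pattern `'#\.html$#i'` only constrains the suffix and relies on the preceding check (partly outside the hunk) for the rest of the name, so the two belong together: folding this condition into the previous `if` with `||` avoids the duplicated `ShowMsg`/`exit()` pair and the identical message. The enclosing `if ($dopost == "save")` block starts and ends outside the hunk.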
@@ -14,6 +14,16 @@ if (empty($dopost)) $dopost = "";
 $aid = isset($aid) && is_numeric($aid) ? $aid : 0;
 if ($dopost == "saveedit") {
 include_once(DEDEINC."/archive/sgpage.class.php");
+ $files = json_decode(file_get_contents(DEDEDATA.'/admin/files.txt'));
+ $currentFolder = basename(__DIR__);
+ $realFiles = array();
+ foreach ($files as $ff) {
+ $rfi = preg_replace("#^admin/#",$currentFolder.'/',$ff->filename);
+ $realFiles[] = $rfi;
+ }
+ function realdir($path) {
+ return dirname(realpath($path));
+ }
 $uptime = time();
 $body = str_replace('"', '\\"', $body);
 $filename = preg_replace("#^\/#", "", $nfilename);
@@ -24,6 +34,17 @@ if ($dopost == "saveedit") {
 }
 //如果修改了文件名,删除旧文件
 if ($oldfilename != $filename) {
+ $f = str_replace("..", "", $oldfilename);
+ $f = $cfg_basedir.$activepath."/$oldfilename";
+ if (!file_exists(dirname(__FILE__).'/../license.txt')) {
+ ShowMsg("许可协议不存在,无法重名文件", "javascript:;");
+ exit();
+ }
+ $f = str_replace(realdir(dirname(__FILE__).'/../license.txt').'/', "", $f);
+ if (in_array($f,$realFiles)) {
+ ShowMsg("系统文件禁止重名", "javascript:;");
+ exit();
+ }
 $oldfilename = $cfg_basedir.$cfg_cmspath."/".$oldfilename;
 if (is_file($oldfilename)) {
 unlink($oldfilename);
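Review bot: `$files = json_decode(file_get_contents(DEDEDATA.'/admin/files.txt'));` is used without checking its result; if `files.txt` is missing, unreadable or not valid JSON, `$files` is `null`/`false`, the `foreach` only emits a warning, `$realFiles` stays empty, and the system-file check that relies on it later in this file silently lets everything through. Fail closed right after the decode, `if (!is_array($files)) { ShowMsg("<message: file list unavailable>", "javascript:;"); exit(); }`, and guard the property access with `isset($ff->filename)` inside the loop. Declaring `function realdir()` inside the `if ($dopost == "saveedit")` block is a conditional function definition: it exists only once this branch runs and fatals on redeclaration if the file is included twice, so move it to file scope or inline `dirname(realpath(...))` at its single call site. The `if` block continues past the end of the hunk.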
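Review bot: The first added line, `$f = str_replace("..", "", $oldfilename);`, is dead code — the very next line rebuilds `$f` from the original `$oldfilename` rather than from `$f`, so the traversal strip has no effect on what is checked. The checked path is also built from `$cfg_basedir.$activepath` while the `unlink()` below acts on `$cfg_basedir.$cfg_cmspath."/".$oldfilename`, so whenever `$activepath` and `$cfg_cmspath` differ the protected-file comparison is made against a path other than the one actually deleted. Build the candidate from the same base the unlink uses, `$f = $cfg_basedir.$cfg_cmspath."/".$oldfilename;`, drop the dead line, canonicalize it with `realpath()` when the file exists so equivalent spellings compare equal to the `realdir()`-derived prefix, and use strict matching, `if (in_array($f, $realFiles, true)) {`. The check depends on `$realFiles` being populated earlier in the file, and the `if ($oldfilename != $filename)` block continues outside the hunk.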