@@ -4,7 +4,7 @@ | |||
* | |||
* @version $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $ | |||
* @package DedeCMS.Administrator | |||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
@@ -1,96 +1,84 @@ | |||
<?php | |||
/** | |||
* 附件添加 | |||
* | |||
* @version $Id: media_add.php 2 15:25 2011-6-2 tianya $ | |||
* @package DedeCMS.Administrator | |||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
require_once(dirname(__FILE__)."/config.php"); | |||
require_once(dirname(__FILE__) . "/config.php"); | |||
//增加权限检查 | |||
if(empty($dopost)) $dopost = ""; | |||
if (empty($dopost)) $dopost = ""; | |||
//上传 | |||
if($dopost=="upload") | |||
{ | |||
if ($dopost == "upload") { | |||
csrf_check(); | |||
require_once(DEDEINC."/image.func.php"); | |||
$sparr_image = Array("image/pjpeg","image/jpeg","image/gif","image/png","image/x-png","image/wbmp"); | |||
$sparr_flash = Array("application/xshockwaveflash"); | |||
require_once(DEDEINC . "/image.func.php"); | |||
$sparr_image = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/x-png", "image/wbmp"); | |||
$sparr_flash = array("application/xshockwaveflash"); | |||
$okdd = 0; | |||
$uptime = time(); | |||
$adminid = $cuserLogin->getUserID(); | |||
$width = $height = ''; | |||
for($i=0; $i<=40; $i++) | |||
{ | |||
if(isset(${"upfile".$i}) && is_uploaded_file(${"upfile".$i})) | |||
{ | |||
$filesize = ${"upfile".$i."_size"}; | |||
$upfile_type = ${"upfile".$i."_type"}; | |||
$upfile_name = ${"upfile".$i."_name"}; | |||
for ($i = 0; $i <= 40; $i++) { | |||
if (isset(${"upfile" . $i}) && is_uploaded_file(${"upfile" . $i})) { | |||
$filesize = ${"upfile" . $i . "_size"}; | |||
$upfile_type = ${"upfile" . $i . "_type"}; | |||
$upfile_name = ${"upfile" . $i . "_name"}; | |||
$dpath = MyDate("ymd", $uptime); | |||
if(in_array($upfile_type, $sparr_image)) | |||
{ | |||
if (in_array($upfile_type, $sparr_image)) { | |||
$mediatype = 1; | |||
$savePath = $cfg_image_dir."/".$dpath; | |||
} | |||
else if(in_array($upfile_type, $sparr_flash)){ | |||
$savePath = $cfg_image_dir . "/" . $dpath; | |||
} else if (in_array($upfile_type, $sparr_flash)) { | |||
$mediatype = 2; | |||
$savePath = $cfg_other_medias."/".$dpath; | |||
$savePath = $cfg_other_medias . "/" . $dpath; | |||
} | |||
// 2011-6-2 修复附件无法上传的错误(by:tianya) | |||
else if(preg_match('#audio|media|video#i', $upfile_type) && preg_match("#\.".$cfg_mediatype."$#i", $upfile_name)) | |||
{ | |||
$mediatype=3; | |||
$savePath = $cfg_other_medias."/".$dpath; | |||
} | |||
else if(preg_match("#\.".$cfg_softtype."+\.".$cfg_softtype."$#i", $upfile_name)) | |||
{ | |||
$mediatype=4; | |||
$savePath = $cfg_soft_dir."/".$dpath; | |||
} | |||
else | |||
{ | |||
else if (preg_match('#audio|media|video#i', $upfile_type) && preg_match("#\." . $cfg_mediatype . "$#i", $upfile_name)) { | |||
$mediatype = 3; | |||
$savePath = $cfg_other_medias . "/" . $dpath; | |||
} else if (preg_match("#\." . $cfg_softtype . "+\." . $cfg_softtype . "$#i", $upfile_name)) { | |||
$mediatype = 4; | |||
$savePath = $cfg_soft_dir . "/" . $dpath; | |||
} else { | |||
continue; | |||
} | |||
$filename = "{$adminid}_".MyDate("His",$uptime).mt_rand(100,999).$i; | |||
$fs = explode(".",${"upfile".$i."_name"}); | |||
$filename = $filename.".".$fs[count($fs)-1]; | |||
$filename = $savePath."/".$filename; | |||
if(!is_dir($cfg_basedir.$savePath)) | |||
{ | |||
MkdirAll($cfg_basedir.$savePath,777); | |||
$filename = "{$adminid}_" . MyDate("His", $uptime) . mt_rand(100, 999) . $i; | |||
$fs = explode(".", ${"upfile" . $i . "_name"}); | |||
$filename = $filename . "." . $fs[count($fs) - 1]; | |||
$filename = $savePath . "/" . $filename; | |||
if (!is_dir($cfg_basedir . $savePath)) { | |||
MkdirAll($cfg_basedir . $savePath, 777); | |||
CloseFtp(); | |||
} | |||
/* | |||
/* | |||
dedecms后台文件任意上传漏洞 | |||
漏洞描述:dedecms早期版本后台存在大量的富文本编辑器,该控件提供了一些文件上传接口,同时dedecms对上传文件的后缀类型未进行严格的限制,这导致了黑客可以上传WEBSHELL,获取网站后台权限。 | |||
*/ | |||
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止!"); exit(); } | |||
$fullfilename = $cfg_basedir.$filename; | |||
if($mediatype==1) | |||
{ | |||
@move_uploaded_file(${"upfile".$i}, $fullfilename); | |||
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { | |||
ShowMsg("你指定的文件名被系统禁止!", "javascript:;"); | |||
exit(); | |||
} | |||
$fullfilename = $cfg_basedir . $filename; | |||
if ($mediatype == 1) { | |||
@move_uploaded_file(${"upfile" . $i}, $fullfilename); | |||
$info = ''; | |||
$data = getImagesize($fullfilename, $info); | |||
$width = $data[0]; | |||
$height = $data[1]; | |||
if(in_array($upfile_type, $cfg_photo_typenames)) WaterImg($fullfilename, 'up'); | |||
}else | |||
{ | |||
@move_uploaded_file(${"upfile".$i}, $fullfilename); | |||
} | |||
if($i>1) | |||
{ | |||
$ntitle = $title."_".$i; | |||
if (in_array($upfile_type, $cfg_photo_typenames)) WaterImg($fullfilename, 'up'); | |||
} else { | |||
@move_uploaded_file(${"upfile" . $i}, $fullfilename); | |||
} | |||
else | |||
{ | |||
if ($i > 1) { | |||
$ntitle = $title . "_" . $i; | |||
} else { | |||
$ntitle = $title; | |||
} | |||
$inquery = "INSERT INTO `#@__uploads`(title,url,mediatype,width,height,playtime,filesize,uptime,mid) | |||
@@ -99,7 +87,7 @@ if($dopost=="upload") | |||
$dsql->ExecuteNoneQuery($inquery); | |||
} | |||
} | |||
ShowMsg("成功上传 {$okdd} 个文件!","media_main.php"); | |||
ShowMsg("成功上传 {$okdd} 个文件!", "media_main.php"); | |||
exit(); | |||
} | |||
include DedeInclude('templets/media_add.htm'); | |||
include DedeInclude('templets/media_add.htm'); |
@@ -18,6 +18,11 @@ | |||
@set_time_limit(0); | |||
// 在工程所有文件中均不需要单独初始化这个类,可直接用 $dsql 或 $db 进行操作 | |||
// 为了防止错误,操作完后不必关闭数据库 | |||
if (!function_exists("mysqli_init") ) { | |||
echo "DedeCMS提示:尚未发现开启mysqli模块,请在php.ini中启用`extension=mysqli`。"; | |||
exit; | |||
} | |||
$dsql = $dsqli = $db = new DedeSqli(FALSE); | |||
/** | |||
* Dede MySQLi数据库类 | |||
@@ -29,6 +34,10 @@ $dsql = $dsqli = $db = new DedeSqli(FALSE); | |||
if (!defined('MYSQL_BOTH')) { | |||
define('MYSQL_BOTH',MYSQLI_BOTH); | |||
} | |||
if (!defined('MYSQL_ASSOC')) { | |||
define('MYSQL_ASSOC', MYSQLI_ASSOC); | |||
} | |||
class DedeSqli | |||
{ | |||
var $linkID; | |||
@@ -90,7 +99,7 @@ class DedeSqli | |||
} | |||
function SelectDB($dbname) | |||
{ | |||
mysql_select_db($dbname); | |||
mysqli_select_db($this->linkID, $dbname); | |||
} | |||
//设置SQL里的参数 | |||
@@ -1,61 +1,118 @@ | |||
<?php | |||
if(!defined('DEDEINC')) exit('Request Error!'); | |||
if(isset($_FILES['GLOBALS'])) exit('Request not allow!'); | |||
/** | |||
* 文件上传安全校验方法 | |||
* | |||
* @version $Id: uploadsafe.inc.php 1 15:59 2020年8月19日Z tianya $ | |||
* @package DedeCMS.Libraries | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
if (!defined('DEDEINC')) exit('Request Error!'); | |||
if (isset($_FILES['GLOBALS'])) exit('Request not allow!'); | |||
//为了防止用户通过注入的可能性改动了数据库 | |||
//这里强制限定的某些文件类型禁止上传 | |||
$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml"; | |||
$keyarr = array('name', 'type', 'tmp_name', 'size'); | |||
if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload'])) | |||
{ | |||
if ( | |||
($GLOBALS['cfg_html_editor'] == 'ckeditor' || | |||
$GLOBALS['cfg_html_editor'] == 'ckeditor4') && isset($_FILES['upload']) | |||
) { | |||
$_FILES['imgfile'] = $_FILES['upload']; | |||
$CKUpload = TRUE; | |||
unset($_FILES['upload']); | |||
} | |||
foreach($_FILES as $_key=>$_value) | |||
{ | |||
foreach($keyarr as $k) | |||
{ | |||
if(!isset($_FILES[$_key][$k])) | |||
{ | |||
foreach ($_FILES as $_key => $_value) { | |||
foreach ($keyarr as $k) { | |||
if (!isset($_FILES[$_key][$k])) { | |||
exit('Request Error!'); | |||
} | |||
} | |||
if( preg_match('#^(cfg_|GLOBALS)#', $_key) ) | |||
{ | |||
if (preg_match('#^(cfg_|GLOBALS)#', $_key)) { | |||
exit('Request var not allow for uploadsafe!'); | |||
} | |||
$$_key = $_FILES[$_key]['tmp_name']; | |||
${$_key.'_name'} = $_FILES[$_key]['name']; | |||
${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']); | |||
${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']); | |||
if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) | |||
{ | |||
if(!defined('DEDEADMIN')) | |||
{ | |||
exit('Not Admin Upload filetype not allow !'); | |||
${$_key . '_name'} = $_FILES[$_key]['name']; | |||
${$_key . '_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']); | |||
${$_key . '_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#', '', $_FILES[$_key]['size']); | |||
if (is_array(${$_key.'_name'}) && count(${$_key.'_name'}) > 0) { | |||
foreach (${$_key.'_name'} as $key => $value) { | |||
if (!empty($value) && (preg_match("#\.(" . $cfg_not_allowall . ")$#i", $value) || !preg_match("#\.#", $value))) { | |||
if (!defined('DEDEADMIN')) { | |||
exit('Not Admin Upload filetype not allow !'); | |||
} | |||
} | |||
} | |||
} else { | |||
if (!empty(${$_key . '_name'}) && (preg_match("#\.(" . $cfg_not_allowall . ")$#i", ${$_key . '_name'}) || !preg_match("#\.#", ${$_key . '_name'}))) { | |||
if (!defined('DEDEADMIN')) { | |||
exit('Not Admin Upload filetype not allow !'); | |||
} | |||
} | |||
} | |||
if(empty(${$_key.'_size'})) | |||
{ | |||
${$_key.'_size'} = @filesize($$_key); | |||
if (empty(${$_key . '_size'})) { | |||
${$_key . '_size'} = @filesize($$_key); | |||
} | |||
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } } | |||
$imtypes = array | |||
( | |||
"image/pjpeg", "image/jpeg", "image/gif", "image/png", | |||
"image/xpng", "image/wbmp", "image/bmp" | |||
); | |||
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); | |||
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) | |||
{ | |||
$image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } | |||
if (!is_array($image_dd)) | |||
{ | |||
exit('Upload filetype not allow !'); | |||
if (is_array(${$_key.'_type'}) && count(${$_key.'_type'}) > 0) { | |||
foreach (${$_key.'_type'} as $key => $value) { | |||
if (in_array(strtolower(trim($value)), $imtypes)) { | |||
$image_dd = @getimagesize($$_key); | |||
if ($image_dd == false) { | |||
continue; | |||
} | |||
if (!is_array($image_dd)) { | |||
exit('Upload filetype not allow !'); | |||
} | |||
} | |||
$imtypes = array( | |||
"image/pjpeg", "image/jpeg", "image/gif", "image/png", | |||
"image/xpng", "image/wbmp", "image/bmp" | |||
); | |||
if (in_array(strtolower(trim($value)), $imtypes)) { | |||
$image_dd = @getimagesize($$_key); | |||
if ($image_dd == false) { | |||
continue; | |||
} | |||
if (!is_array($image_dd)) { | |||
exit('Upload filetype not allow !'); | |||
} | |||
} | |||
} | |||
} else { | |||
if (in_array(strtolower(trim(${$_key . '_type'})), $imtypes)) { | |||
$image_dd = @getimagesize($$_key); | |||
if ($image_dd == false) { | |||
continue; | |||
} | |||
if (!is_array($image_dd)) { | |||
exit('Upload filetype not allow !'); | |||
} | |||
} | |||
$imtypes = array( | |||
"image/pjpeg", "image/jpeg", "image/gif", "image/png", | |||
"image/xpng", "image/wbmp", "image/bmp" | |||
); | |||
if (in_array(strtolower(trim(${$_key . '_type'})), $imtypes)) { | |||
$image_dd = @getimagesize($$_key); | |||
if ($image_dd == false) { | |||
continue; | |||
} | |||
if (!is_array($image_dd)) { | |||
exit('Upload filetype not allow !'); | |||
} | |||
} | |||
} | |||
} | |||
?> |
@@ -4,7 +4,7 @@ | |||
* | |||
* @version $Id: album_add.php 1 13:52 2010年7月9日Z tianya $ | |||
* @package DedeCMS.Member | |||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
@@ -217,8 +217,8 @@ else if($dopost=='save') | |||
ShowMsg("无法获得主键,因此无法进行后续操作!","-1"); | |||
exit(); | |||
} | |||
$description = HtmlReplace($description, -1);//2011.06.30 增加html过滤 (by:织梦的鱼) | |||
$mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生。 | |||
$description = HtmlReplace($description, -1); | |||
$mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生。 | |||
//保存到主表 | |||
$inQuery = "INSERT INTO `#@__archives`(id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle, | |||
color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype) | |||
@@ -4,7 +4,7 @@ | |||
* | |||
* @version $Id: article_add.php 1 8:38 2010年7月9日Z tianya $ | |||
* @package DedeCMS.Member | |||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
@@ -1,4 +1,13 @@ | |||
<?php | |||
/** | |||
* 软件添加 | |||
* | |||
* @version $Id: soft_add.php 2 14:16 2010-11-11 tianya $ | |||
* @package DedeCMS.Member | |||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||
* @license http://help.dedecms.com/usersguide/license.html | |||
* @link http://www.dedecms.com | |||
*/ | |||
require_once(dirname(__FILE__)."/config.php"); | |||
//考虑安全原因不管是否开启游客投稿功能,都不允许用户投稿 | |||
CheckRank(0, 0); | |||
@@ -196,7 +205,7 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' | |||
$dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'"); | |||
echo $inQuery; | |||
exit(); | |||
ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCms官方。".str_replace('"','',$gerr),"javascript:;"); | |||
ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCMS官方。".str_replace('"','',$gerr),"javascript:;"); | |||
exit(); | |||
} | |||