DedeBIZ
/
DedeV6
关注 2
点赞 0
派生 0
代码 合并请求 0 版本发布 31 动态
浏览代码

兼容性调整,代码格式化

tags/6.0.0
tianya 5 年前
父节点
4204cfe0a4
当前提交
50dffc3ed5
共有 7 个文件被更改,包括 166 次插入103 次删除
分列视图
Diff 选项
显示统计 下载 Patch 文件 下载 Diff 文件
  1. +1
    -1
      src/dede/co_export.php
  2. +47
    -59
      src/dede/media_add.php
  3. +10
    -1
      src/include/dedesqli.class.php
  4. +94
    -37
      src/include/uploadsafe.inc.php
  5. +3
    -3
      src/member/album_add.php
  6. +1
    -1
      src/member/article_add.php
  7. +10
    -1
      src/member/soft_add.php

+ 1
- 1
src/dede/co_export.php 查看文件

@@ -4,7 +4,7 @@
*
* @version $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $
* @package DedeCMS.Administrator
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/


+ 47
- 59
src/dede/media_add.php 查看文件

@@ -1,96 +1,84 @@
<?php

/**
* 附件添加
*
* @version $Id: media_add.php 2 15:25 2011-6-2 tianya $
* @package DedeCMS.Administrator
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
require_once(dirname(__FILE__)."/config.php");
require_once(dirname(__FILE__) . "/config.php");

//增加权限检查
if(empty($dopost)) $dopost = "";
if (empty($dopost)) $dopost = "";

//上传
if($dopost=="upload")
{
if ($dopost == "upload") {
csrf_check();
require_once(DEDEINC."/image.func.php");
$sparr_image = Array("image/pjpeg","image/jpeg","image/gif","image/png","image/x-png","image/wbmp");
$sparr_flash = Array("application/xshockwaveflash");
require_once(DEDEINC . "/image.func.php");
$sparr_image = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/x-png", "image/wbmp");
$sparr_flash = array("application/xshockwaveflash");
$okdd = 0;
$uptime = time();
$adminid = $cuserLogin->getUserID();
$width = $height = '';
for($i=0; $i<=40; $i++)
{
if(isset(${"upfile".$i}) && is_uploaded_file(${"upfile".$i}))
{
$filesize = ${"upfile".$i."_size"};
$upfile_type = ${"upfile".$i."_type"};
$upfile_name = ${"upfile".$i."_name"};

for ($i = 0; $i <= 40; $i++) {
if (isset(${"upfile" . $i}) && is_uploaded_file(${"upfile" . $i})) {
$filesize = ${"upfile" . $i . "_size"};
$upfile_type = ${"upfile" . $i . "_type"};
$upfile_name = ${"upfile" . $i . "_name"};
$dpath = MyDate("ymd", $uptime);

if(in_array($upfile_type, $sparr_image))
{
if (in_array($upfile_type, $sparr_image)) {
$mediatype = 1;
$savePath = $cfg_image_dir."/".$dpath;
}
else if(in_array($upfile_type, $sparr_flash)){
$savePath = $cfg_image_dir . "/" . $dpath;
} else if (in_array($upfile_type, $sparr_flash)) {
$mediatype = 2;
$savePath = $cfg_other_medias."/".$dpath;
$savePath = $cfg_other_medias . "/" . $dpath;
}
// 2011-6-2 修复附件无法上传的错误(by:tianya)
else if(preg_match('#audio|media|video#i', $upfile_type) && preg_match("#\.".$cfg_mediatype."$#i", $upfile_name))
{
$mediatype=3;
$savePath = $cfg_other_medias."/".$dpath;
}
else if(preg_match("#\.".$cfg_softtype."+\.".$cfg_softtype."$#i", $upfile_name))
{
$mediatype=4;
$savePath = $cfg_soft_dir."/".$dpath;
}
else
{
else if (preg_match('#audio|media|video#i', $upfile_type) && preg_match("#\." . $cfg_mediatype . "$#i", $upfile_name)) {
$mediatype = 3;
$savePath = $cfg_other_medias . "/" . $dpath;
} else if (preg_match("#\." . $cfg_softtype . "+\." . $cfg_softtype . "$#i", $upfile_name)) {
$mediatype = 4;
$savePath = $cfg_soft_dir . "/" . $dpath;
} else {
continue;
}
$filename = "{$adminid}_".MyDate("His",$uptime).mt_rand(100,999).$i;
$fs = explode(".",${"upfile".$i."_name"});
$filename = $filename.".".$fs[count($fs)-1];
$filename = $savePath."/".$filename;
if(!is_dir($cfg_basedir.$savePath))
{
MkdirAll($cfg_basedir.$savePath,777);
$filename = "{$adminid}_" . MyDate("His", $uptime) . mt_rand(100, 999) . $i;
$fs = explode(".", ${"upfile" . $i . "_name"});
$filename = $filename . "." . $fs[count($fs) - 1];
$filename = $savePath . "/" . $filename;
if (!is_dir($cfg_basedir . $savePath)) {
MkdirAll($cfg_basedir . $savePath, 777);
CloseFtp();
}
/*
/*
dedecms后台文件任意上传漏洞
漏洞描述:dedecms早期版本后台存在大量的富文本编辑器,该控件提供了一些文件上传接口,同时dedecms对上传文件的后缀类型未进行严格的限制,这导致了黑客可以上传WEBSHELL,获取网站后台权限。
*/
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止!"); exit(); }
$fullfilename = $cfg_basedir.$filename;
if($mediatype==1)
{
@move_uploaded_file(${"upfile".$i}, $fullfilename);
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) {
ShowMsg("你指定的文件名被系统禁止!", "javascript:;");
exit();
}
$fullfilename = $cfg_basedir . $filename;
if ($mediatype == 1) {
@move_uploaded_file(${"upfile" . $i}, $fullfilename);
$info = '';
$data = getImagesize($fullfilename, $info);
$width = $data[0];
$height = $data[1];
if(in_array($upfile_type, $cfg_photo_typenames)) WaterImg($fullfilename, 'up');
}else
{
@move_uploaded_file(${"upfile".$i}, $fullfilename);
}
if($i>1)
{
$ntitle = $title."_".$i;
if (in_array($upfile_type, $cfg_photo_typenames)) WaterImg($fullfilename, 'up');
} else {
@move_uploaded_file(${"upfile" . $i}, $fullfilename);
}
else
{
if ($i > 1) {
$ntitle = $title . "_" . $i;
} else {
$ntitle = $title;
}
$inquery = "INSERT INTO `#@__uploads`(title,url,mediatype,width,height,playtime,filesize,uptime,mid)
@@ -99,7 +87,7 @@ if($dopost=="upload")
$dsql->ExecuteNoneQuery($inquery);
}
}
ShowMsg("成功上传 {$okdd} 个文件!","media_main.php");
ShowMsg("成功上传 {$okdd} 个文件!", "media_main.php");
exit();
}
include DedeInclude('templets/media_add.htm');
include DedeInclude('templets/media_add.htm');

+ 10
- 1
src/include/dedesqli.class.php 查看文件

@@ -18,6 +18,11 @@
@set_time_limit(0);
// 在工程所有文件中均不需要单独初始化这个类,可直接用 $dsql 或 $db 进行操作
// 为了防止错误,操作完后不必关闭数据库
if (!function_exists("mysqli_init") ) {
echo "DedeCMS提示:尚未发现开启mysqli模块,请在php.ini中启用`extension=mysqli`。";
exit;
}
$dsql = $dsqli = $db = new DedeSqli(FALSE);
/**
* Dede MySQLi数据库类
@@ -29,6 +34,10 @@ $dsql = $dsqli = $db = new DedeSqli(FALSE);
if (!defined('MYSQL_BOTH')) {
define('MYSQL_BOTH',MYSQLI_BOTH);
}
if (!defined('MYSQL_ASSOC')) {
define('MYSQL_ASSOC', MYSQLI_ASSOC);
}
class DedeSqli
{
var $linkID;
@@ -90,7 +99,7 @@ class DedeSqli
}
function SelectDB($dbname)
{
mysql_select_db($dbname);
mysqli_select_db($this->linkID, $dbname);
}
//设置SQL里的参数


+ 94
- 37
src/include/uploadsafe.inc.php 查看文件

@@ -1,61 +1,118 @@
<?php
if(!defined('DEDEINC')) exit('Request Error!');
if(isset($_FILES['GLOBALS'])) exit('Request not allow!');
/**
* 文件上传安全校验方法
*
* @version $Id: uploadsafe.inc.php 1 15:59 2020年8月19日Z tianya $
* @package DedeCMS.Libraries
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
if (!defined('DEDEINC')) exit('Request Error!');
if (isset($_FILES['GLOBALS'])) exit('Request not allow!');
//为了防止用户通过注入的可能性改动了数据库
//这里强制限定的某些文件类型禁止上传
$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml";
$keyarr = array('name', 'type', 'tmp_name', 'size');
if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload']))
{
if (
($GLOBALS['cfg_html_editor'] == 'ckeditor' ||
$GLOBALS['cfg_html_editor'] == 'ckeditor4') && isset($_FILES['upload'])
) {
$_FILES['imgfile'] = $_FILES['upload'];
$CKUpload = TRUE;
unset($_FILES['upload']);
}
foreach($_FILES as $_key=>$_value)
{
foreach($keyarr as $k)
{
if(!isset($_FILES[$_key][$k]))
{
foreach ($_FILES as $_key => $_value) {
foreach ($keyarr as $k) {
if (!isset($_FILES[$_key][$k])) {
exit('Request Error!');
}
}
if( preg_match('#^(cfg_|GLOBALS)#', $_key) )
{
if (preg_match('#^(cfg_|GLOBALS)#', $_key)) {
exit('Request var not allow for uploadsafe!');
}
$$_key = $_FILES[$_key]['tmp_name'];
${$_key.'_name'} = $_FILES[$_key]['name'];
${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);
${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']);
if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) )
{
if(!defined('DEDEADMIN'))
{
exit('Not Admin Upload filetype not allow !');
${$_key . '_name'} = $_FILES[$_key]['name'];
${$_key . '_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);
${$_key . '_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#', '', $_FILES[$_key]['size']);
if (is_array(${$_key.'_name'}) && count(${$_key.'_name'}) > 0) {
foreach (${$_key.'_name'} as $key => $value) {
if (!empty($value) && (preg_match("#\.(" . $cfg_not_allowall . ")$#i", $value) || !preg_match("#\.#", $value))) {
if (!defined('DEDEADMIN')) {
exit('Not Admin Upload filetype not allow !');
}
}
}
} else {
if (!empty(${$_key . '_name'}) && (preg_match("#\.(" . $cfg_not_allowall . ")$#i", ${$_key . '_name'}) || !preg_match("#\.#", ${$_key . '_name'}))) {
if (!defined('DEDEADMIN')) {
exit('Not Admin Upload filetype not allow !');
}
}
}
if(empty(${$_key.'_size'}))
{
${$_key.'_size'} = @filesize($$_key);
if (empty(${$_key . '_size'})) {
${$_key . '_size'} = @filesize($$_key);
}
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } }
$imtypes = array
(
"image/pjpeg", "image/jpeg", "image/gif", "image/png",
"image/xpng", "image/wbmp", "image/bmp"
);
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp");
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes))
{
$image_dd = @getimagesize($$_key); if($image_dd == false){ continue; }
if (!is_array($image_dd))
{
exit('Upload filetype not allow !');
if (is_array(${$_key.'_type'}) && count(${$_key.'_type'}) > 0) {
foreach (${$_key.'_type'} as $key => $value) {
if (in_array(strtolower(trim($value)), $imtypes)) {
$image_dd = @getimagesize($$_key);
if ($image_dd == false) {
continue;
}
if (!is_array($image_dd)) {
exit('Upload filetype not allow !');
}
}
$imtypes = array(
"image/pjpeg", "image/jpeg", "image/gif", "image/png",
"image/xpng", "image/wbmp", "image/bmp"
);
if (in_array(strtolower(trim($value)), $imtypes)) {
$image_dd = @getimagesize($$_key);
if ($image_dd == false) {
continue;
}
if (!is_array($image_dd)) {
exit('Upload filetype not allow !');
}
}
}
} else {
if (in_array(strtolower(trim(${$_key . '_type'})), $imtypes)) {
$image_dd = @getimagesize($$_key);
if ($image_dd == false) {
continue;
}
if (!is_array($image_dd)) {
exit('Upload filetype not allow !');
}
}
$imtypes = array(
"image/pjpeg", "image/jpeg", "image/gif", "image/png",
"image/xpng", "image/wbmp", "image/bmp"
);
if (in_array(strtolower(trim(${$_key . '_type'})), $imtypes)) {
$image_dd = @getimagesize($$_key);
if ($image_dd == false) {
continue;
}
if (!is_array($image_dd)) {
exit('Upload filetype not allow !');
}
}
}
}
?>

+ 3
- 3
src/member/album_add.php 查看文件

@@ -4,7 +4,7 @@
*
* @version $Id: album_add.php 1 13:52 2010年7月9日Z tianya $
* @package DedeCMS.Member
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
@@ -217,8 +217,8 @@ else if($dopost=='save')
ShowMsg("无法获得主键,因此无法进行后续操作!","-1");
exit();
}
$description = HtmlReplace($description, -1);//2011.06.30 增加html过滤 (by:织梦的鱼)
$mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生。
$description = HtmlReplace($description, -1);
$mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生。
//保存到主表
$inQuery = "INSERT INTO `#@__archives`(id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle,
color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype)


+ 1
- 1
src/member/article_add.php 查看文件

@@ -4,7 +4,7 @@
*
* @version $Id: article_add.php 1 8:38 2010年7月9日Z tianya $
* @package DedeCMS.Member
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc.
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/


+ 10
- 1
src/member/soft_add.php 查看文件

@@ -1,4 +1,13 @@
<?php
/**
* 软件添加
*
* @version $Id: soft_add.php 2 14:16 2010-11-11 tianya $
* @package DedeCMS.Member
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc.
* @license http://help.dedecms.com/usersguide/license.html
* @link http://www.dedecms.com
*/
require_once(dirname(__FILE__)."/config.php");
//考虑安全原因不管是否开启游客投稿功能,都不允许用户投稿
CheckRank(0, 0);
@@ -196,7 +205,7 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank'
$dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'");
echo $inQuery;
exit();
ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCms官方。".str_replace('"','',$gerr),"javascript:;");
ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCMS官方。".str_replace('"','',$gerr),"javascript:;");
exit();
}



撰写 预览
正在加载...
取消
保存