@@ -4,7 +4,7 @@ | |||||
* | * | ||||
* @version $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $ | * @version $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $ | ||||
* @package DedeCMS.Administrator | * @package DedeCMS.Administrator | ||||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||||
* @license http://help.dedecms.com/usersguide/license.html | * @license http://help.dedecms.com/usersguide/license.html | ||||
* @link http://www.dedecms.com | * @link http://www.dedecms.com | ||||
*/ | */ | ||||
@@ -1,96 +1,84 @@ | |||||
<?php | <?php | ||||
/** | /** | ||||
* 附件添加 | * 附件添加 | ||||
* | * | ||||
* @version $Id: media_add.php 2 15:25 2011-6-2 tianya $ | * @version $Id: media_add.php 2 15:25 2011-6-2 tianya $ | ||||
* @package DedeCMS.Administrator | * @package DedeCMS.Administrator | ||||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||||
* @license http://help.dedecms.com/usersguide/license.html | * @license http://help.dedecms.com/usersguide/license.html | ||||
* @link http://www.dedecms.com | * @link http://www.dedecms.com | ||||
*/ | */ | ||||
require_once(dirname(__FILE__)."/config.php"); | |||||
require_once(dirname(__FILE__) . "/config.php"); | |||||
//增加权限检查 | //增加权限检查 | ||||
if(empty($dopost)) $dopost = ""; | |||||
if (empty($dopost)) $dopost = ""; | |||||
//上传 | //上传 | ||||
if($dopost=="upload") | |||||
{ | |||||
if ($dopost == "upload") { | |||||
csrf_check(); | csrf_check(); | ||||
require_once(DEDEINC."/image.func.php"); | |||||
$sparr_image = Array("image/pjpeg","image/jpeg","image/gif","image/png","image/x-png","image/wbmp"); | |||||
$sparr_flash = Array("application/xshockwaveflash"); | |||||
require_once(DEDEINC . "/image.func.php"); | |||||
$sparr_image = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/x-png", "image/wbmp"); | |||||
$sparr_flash = array("application/xshockwaveflash"); | |||||
$okdd = 0; | $okdd = 0; | ||||
$uptime = time(); | $uptime = time(); | ||||
$adminid = $cuserLogin->getUserID(); | $adminid = $cuserLogin->getUserID(); | ||||
$width = $height = ''; | $width = $height = ''; | ||||
for($i=0; $i<=40; $i++) | |||||
{ | |||||
if(isset(${"upfile".$i}) && is_uploaded_file(${"upfile".$i})) | |||||
{ | |||||
$filesize = ${"upfile".$i."_size"}; | |||||
$upfile_type = ${"upfile".$i."_type"}; | |||||
$upfile_name = ${"upfile".$i."_name"}; | |||||
for ($i = 0; $i <= 40; $i++) { | |||||
if (isset(${"upfile" . $i}) && is_uploaded_file(${"upfile" . $i})) { | |||||
$filesize = ${"upfile" . $i . "_size"}; | |||||
$upfile_type = ${"upfile" . $i . "_type"}; | |||||
$upfile_name = ${"upfile" . $i . "_name"}; | |||||
$dpath = MyDate("ymd", $uptime); | $dpath = MyDate("ymd", $uptime); | ||||
if(in_array($upfile_type, $sparr_image)) | |||||
{ | |||||
if (in_array($upfile_type, $sparr_image)) { | |||||
$mediatype = 1; | $mediatype = 1; | ||||
$savePath = $cfg_image_dir."/".$dpath; | |||||
} | |||||
else if(in_array($upfile_type, $sparr_flash)){ | |||||
$savePath = $cfg_image_dir . "/" . $dpath; | |||||
} else if (in_array($upfile_type, $sparr_flash)) { | |||||
$mediatype = 2; | $mediatype = 2; | ||||
$savePath = $cfg_other_medias."/".$dpath; | |||||
$savePath = $cfg_other_medias . "/" . $dpath; | |||||
} | } | ||||
// 2011-6-2 修复附件无法上传的错误(by:tianya) | // 2011-6-2 修复附件无法上传的错误(by:tianya) | ||||
else if(preg_match('#audio|media|video#i', $upfile_type) && preg_match("#\.".$cfg_mediatype."$#i", $upfile_name)) | |||||
{ | |||||
$mediatype=3; | |||||
$savePath = $cfg_other_medias."/".$dpath; | |||||
} | |||||
else if(preg_match("#\.".$cfg_softtype."+\.".$cfg_softtype."$#i", $upfile_name)) | |||||
{ | |||||
$mediatype=4; | |||||
$savePath = $cfg_soft_dir."/".$dpath; | |||||
} | |||||
else | |||||
{ | |||||
else if (preg_match('#audio|media|video#i', $upfile_type) && preg_match("#\." . $cfg_mediatype . "$#i", $upfile_name)) { | |||||
$mediatype = 3; | |||||
$savePath = $cfg_other_medias . "/" . $dpath; | |||||
} else if (preg_match("#\." . $cfg_softtype . "+\." . $cfg_softtype . "$#i", $upfile_name)) { | |||||
$mediatype = 4; | |||||
$savePath = $cfg_soft_dir . "/" . $dpath; | |||||
} else { | |||||
continue; | continue; | ||||
} | } | ||||
$filename = "{$adminid}_".MyDate("His",$uptime).mt_rand(100,999).$i; | |||||
$fs = explode(".",${"upfile".$i."_name"}); | |||||
$filename = $filename.".".$fs[count($fs)-1]; | |||||
$filename = $savePath."/".$filename; | |||||
if(!is_dir($cfg_basedir.$savePath)) | |||||
{ | |||||
MkdirAll($cfg_basedir.$savePath,777); | |||||
$filename = "{$adminid}_" . MyDate("His", $uptime) . mt_rand(100, 999) . $i; | |||||
$fs = explode(".", ${"upfile" . $i . "_name"}); | |||||
$filename = $filename . "." . $fs[count($fs) - 1]; | |||||
$filename = $savePath . "/" . $filename; | |||||
if (!is_dir($cfg_basedir . $savePath)) { | |||||
MkdirAll($cfg_basedir . $savePath, 777); | |||||
CloseFtp(); | CloseFtp(); | ||||
} | } | ||||
/* | |||||
/* | |||||
dedecms后台文件任意上传漏洞 | dedecms后台文件任意上传漏洞 | ||||
漏洞描述:dedecms早期版本后台存在大量的富文本编辑器,该控件提供了一些文件上传接口,同时dedecms对上传文件的后缀类型未进行严格的限制,这导致了黑客可以上传WEBSHELL,获取网站后台权限。 | 漏洞描述:dedecms早期版本后台存在大量的富文本编辑器,该控件提供了一些文件上传接口,同时dedecms对上传文件的后缀类型未进行严格的限制,这导致了黑客可以上传WEBSHELL,获取网站后台权限。 | ||||
*/ | */ | ||||
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止!"); exit(); } | |||||
$fullfilename = $cfg_basedir.$filename; | |||||
if($mediatype==1) | |||||
{ | |||||
@move_uploaded_file(${"upfile".$i}, $fullfilename); | |||||
if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { | |||||
ShowMsg("你指定的文件名被系统禁止!", "javascript:;"); | |||||
exit(); | |||||
} | |||||
$fullfilename = $cfg_basedir . $filename; | |||||
if ($mediatype == 1) { | |||||
@move_uploaded_file(${"upfile" . $i}, $fullfilename); | |||||
$info = ''; | $info = ''; | ||||
$data = getImagesize($fullfilename, $info); | $data = getImagesize($fullfilename, $info); | ||||
$width = $data[0]; | $width = $data[0]; | ||||
$height = $data[1]; | $height = $data[1]; | ||||
if(in_array($upfile_type, $cfg_photo_typenames)) WaterImg($fullfilename, 'up'); | |||||
}else | |||||
{ | |||||
@move_uploaded_file(${"upfile".$i}, $fullfilename); | |||||
} | |||||
if($i>1) | |||||
{ | |||||
$ntitle = $title."_".$i; | |||||
if (in_array($upfile_type, $cfg_photo_typenames)) WaterImg($fullfilename, 'up'); | |||||
} else { | |||||
@move_uploaded_file(${"upfile" . $i}, $fullfilename); | |||||
} | } | ||||
else | |||||
{ | |||||
if ($i > 1) { | |||||
$ntitle = $title . "_" . $i; | |||||
} else { | |||||
$ntitle = $title; | $ntitle = $title; | ||||
} | } | ||||
$inquery = "INSERT INTO `#@__uploads`(title,url,mediatype,width,height,playtime,filesize,uptime,mid) | $inquery = "INSERT INTO `#@__uploads`(title,url,mediatype,width,height,playtime,filesize,uptime,mid) | ||||
@@ -99,7 +87,7 @@ if($dopost=="upload") | |||||
$dsql->ExecuteNoneQuery($inquery); | $dsql->ExecuteNoneQuery($inquery); | ||||
} | } | ||||
} | } | ||||
ShowMsg("成功上传 {$okdd} 个文件!","media_main.php"); | |||||
ShowMsg("成功上传 {$okdd} 个文件!", "media_main.php"); | |||||
exit(); | exit(); | ||||
} | } | ||||
include DedeInclude('templets/media_add.htm'); | |||||
include DedeInclude('templets/media_add.htm'); |
@@ -18,6 +18,11 @@ | |||||
@set_time_limit(0); | @set_time_limit(0); | ||||
// 在工程所有文件中均不需要单独初始化这个类,可直接用 $dsql 或 $db 进行操作 | // 在工程所有文件中均不需要单独初始化这个类,可直接用 $dsql 或 $db 进行操作 | ||||
// 为了防止错误,操作完后不必关闭数据库 | // 为了防止错误,操作完后不必关闭数据库 | ||||
if (!function_exists("mysqli_init") ) { | |||||
echo "DedeCMS提示:尚未发现开启mysqli模块,请在php.ini中启用`extension=mysqli`。"; | |||||
exit; | |||||
} | |||||
$dsql = $dsqli = $db = new DedeSqli(FALSE); | $dsql = $dsqli = $db = new DedeSqli(FALSE); | ||||
/** | /** | ||||
* Dede MySQLi数据库类 | * Dede MySQLi数据库类 | ||||
@@ -29,6 +34,10 @@ $dsql = $dsqli = $db = new DedeSqli(FALSE); | |||||
if (!defined('MYSQL_BOTH')) { | if (!defined('MYSQL_BOTH')) { | ||||
define('MYSQL_BOTH',MYSQLI_BOTH); | define('MYSQL_BOTH',MYSQLI_BOTH); | ||||
} | } | ||||
if (!defined('MYSQL_ASSOC')) { | |||||
define('MYSQL_ASSOC', MYSQLI_ASSOC); | |||||
} | |||||
class DedeSqli | class DedeSqli | ||||
{ | { | ||||
var $linkID; | var $linkID; | ||||
@@ -90,7 +99,7 @@ class DedeSqli | |||||
} | } | ||||
function SelectDB($dbname) | function SelectDB($dbname) | ||||
{ | { | ||||
mysql_select_db($dbname); | |||||
mysqli_select_db($this->linkID, $dbname); | |||||
} | } | ||||
//设置SQL里的参数 | //设置SQL里的参数 | ||||
@@ -1,61 +1,118 @@ | |||||
<?php | <?php | ||||
if(!defined('DEDEINC')) exit('Request Error!'); | |||||
if(isset($_FILES['GLOBALS'])) exit('Request not allow!'); | |||||
/** | |||||
* 文件上传安全校验方法 | |||||
* | |||||
* @version $Id: uploadsafe.inc.php 1 15:59 2020年8月19日Z tianya $ | |||||
* @package DedeCMS.Libraries | |||||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||||
* @license http://help.dedecms.com/usersguide/license.html | |||||
* @link http://www.dedecms.com | |||||
*/ | |||||
if (!defined('DEDEINC')) exit('Request Error!'); | |||||
if (isset($_FILES['GLOBALS'])) exit('Request not allow!'); | |||||
//为了防止用户通过注入的可能性改动了数据库 | //为了防止用户通过注入的可能性改动了数据库 | ||||
//这里强制限定的某些文件类型禁止上传 | //这里强制限定的某些文件类型禁止上传 | ||||
$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml"; | $cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml"; | ||||
$keyarr = array('name', 'type', 'tmp_name', 'size'); | $keyarr = array('name', 'type', 'tmp_name', 'size'); | ||||
if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload'])) | |||||
{ | |||||
if ( | |||||
($GLOBALS['cfg_html_editor'] == 'ckeditor' || | |||||
$GLOBALS['cfg_html_editor'] == 'ckeditor4') && isset($_FILES['upload']) | |||||
) { | |||||
$_FILES['imgfile'] = $_FILES['upload']; | $_FILES['imgfile'] = $_FILES['upload']; | ||||
$CKUpload = TRUE; | $CKUpload = TRUE; | ||||
unset($_FILES['upload']); | unset($_FILES['upload']); | ||||
} | } | ||||
foreach($_FILES as $_key=>$_value) | |||||
{ | |||||
foreach($keyarr as $k) | |||||
{ | |||||
if(!isset($_FILES[$_key][$k])) | |||||
{ | |||||
foreach ($_FILES as $_key => $_value) { | |||||
foreach ($keyarr as $k) { | |||||
if (!isset($_FILES[$_key][$k])) { | |||||
exit('Request Error!'); | exit('Request Error!'); | ||||
} | } | ||||
} | } | ||||
if( preg_match('#^(cfg_|GLOBALS)#', $_key) ) | |||||
{ | |||||
if (preg_match('#^(cfg_|GLOBALS)#', $_key)) { | |||||
exit('Request var not allow for uploadsafe!'); | exit('Request var not allow for uploadsafe!'); | ||||
} | } | ||||
$$_key = $_FILES[$_key]['tmp_name']; | $$_key = $_FILES[$_key]['tmp_name']; | ||||
${$_key.'_name'} = $_FILES[$_key]['name']; | |||||
${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']); | |||||
${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']); | |||||
if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) ) | |||||
{ | |||||
if(!defined('DEDEADMIN')) | |||||
{ | |||||
exit('Not Admin Upload filetype not allow !'); | |||||
${$_key . '_name'} = $_FILES[$_key]['name']; | |||||
${$_key . '_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']); | |||||
${$_key . '_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#', '', $_FILES[$_key]['size']); | |||||
if (is_array(${$_key.'_name'}) && count(${$_key.'_name'}) > 0) { | |||||
foreach (${$_key.'_name'} as $key => $value) { | |||||
if (!empty($value) && (preg_match("#\.(" . $cfg_not_allowall . ")$#i", $value) || !preg_match("#\.#", $value))) { | |||||
if (!defined('DEDEADMIN')) { | |||||
exit('Not Admin Upload filetype not allow !'); | |||||
} | |||||
} | |||||
} | |||||
} else { | |||||
if (!empty(${$_key . '_name'}) && (preg_match("#\.(" . $cfg_not_allowall . ")$#i", ${$_key . '_name'}) || !preg_match("#\.#", ${$_key . '_name'}))) { | |||||
if (!defined('DEDEADMIN')) { | |||||
exit('Not Admin Upload filetype not allow !'); | |||||
} | |||||
} | } | ||||
} | } | ||||
if(empty(${$_key.'_size'})) | |||||
{ | |||||
${$_key.'_size'} = @filesize($$_key); | |||||
if (empty(${$_key . '_size'})) { | |||||
${$_key . '_size'} = @filesize($$_key); | |||||
} | } | ||||
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } } | |||||
$imtypes = array | |||||
( | |||||
"image/pjpeg", "image/jpeg", "image/gif", "image/png", | |||||
"image/xpng", "image/wbmp", "image/bmp" | |||||
); | |||||
$imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); | |||||
if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) | |||||
{ | |||||
$image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } | |||||
if (!is_array($image_dd)) | |||||
{ | |||||
exit('Upload filetype not allow !'); | |||||
if (is_array(${$_key.'_type'}) && count(${$_key.'_type'}) > 0) { | |||||
foreach (${$_key.'_type'} as $key => $value) { | |||||
if (in_array(strtolower(trim($value)), $imtypes)) { | |||||
$image_dd = @getimagesize($$_key); | |||||
if ($image_dd == false) { | |||||
continue; | |||||
} | |||||
if (!is_array($image_dd)) { | |||||
exit('Upload filetype not allow !'); | |||||
} | |||||
} | |||||
$imtypes = array( | |||||
"image/pjpeg", "image/jpeg", "image/gif", "image/png", | |||||
"image/xpng", "image/wbmp", "image/bmp" | |||||
); | |||||
if (in_array(strtolower(trim($value)), $imtypes)) { | |||||
$image_dd = @getimagesize($$_key); | |||||
if ($image_dd == false) { | |||||
continue; | |||||
} | |||||
if (!is_array($image_dd)) { | |||||
exit('Upload filetype not allow !'); | |||||
} | |||||
} | |||||
} | |||||
} else { | |||||
if (in_array(strtolower(trim(${$_key . '_type'})), $imtypes)) { | |||||
$image_dd = @getimagesize($$_key); | |||||
if ($image_dd == false) { | |||||
continue; | |||||
} | |||||
if (!is_array($image_dd)) { | |||||
exit('Upload filetype not allow !'); | |||||
} | |||||
} | |||||
$imtypes = array( | |||||
"image/pjpeg", "image/jpeg", "image/gif", "image/png", | |||||
"image/xpng", "image/wbmp", "image/bmp" | |||||
); | |||||
if (in_array(strtolower(trim(${$_key . '_type'})), $imtypes)) { | |||||
$image_dd = @getimagesize($$_key); | |||||
if ($image_dd == false) { | |||||
continue; | |||||
} | |||||
if (!is_array($image_dd)) { | |||||
exit('Upload filetype not allow !'); | |||||
} | |||||
} | } | ||||
} | } | ||||
} | } | ||||
?> |
@@ -4,7 +4,7 @@ | |||||
* | * | ||||
* @version $Id: album_add.php 1 13:52 2010年7月9日Z tianya $ | * @version $Id: album_add.php 1 13:52 2010年7月9日Z tianya $ | ||||
* @package DedeCMS.Member | * @package DedeCMS.Member | ||||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||||
* @license http://help.dedecms.com/usersguide/license.html | * @license http://help.dedecms.com/usersguide/license.html | ||||
* @link http://www.dedecms.com | * @link http://www.dedecms.com | ||||
*/ | */ | ||||
@@ -217,8 +217,8 @@ else if($dopost=='save') | |||||
ShowMsg("无法获得主键,因此无法进行后续操作!","-1"); | ShowMsg("无法获得主键,因此无法进行后续操作!","-1"); | ||||
exit(); | exit(); | ||||
} | } | ||||
$description = HtmlReplace($description, -1);//2011.06.30 增加html过滤 (by:织梦的鱼) | |||||
$mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生。 | |||||
$description = HtmlReplace($description, -1); | |||||
$mtypesid = intval($mtypesid); //对输入参数mtypesid未进行int整型转义,导致SQL注入的发生。 | |||||
//保存到主表 | //保存到主表 | ||||
$inQuery = "INSERT INTO `#@__archives`(id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle, | $inQuery = "INSERT INTO `#@__archives`(id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle, | ||||
color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype) | color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype) | ||||
@@ -4,7 +4,7 @@ | |||||
* | * | ||||
* @version $Id: article_add.php 1 8:38 2010年7月9日Z tianya $ | * @version $Id: article_add.php 1 8:38 2010年7月9日Z tianya $ | ||||
* @package DedeCMS.Member | * @package DedeCMS.Member | ||||
* @copyright Copyright (c) 2007 - 2010, DesDev, Inc. | |||||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||||
* @license http://help.dedecms.com/usersguide/license.html | * @license http://help.dedecms.com/usersguide/license.html | ||||
* @link http://www.dedecms.com | * @link http://www.dedecms.com | ||||
*/ | */ | ||||
@@ -1,4 +1,13 @@ | |||||
<?php | <?php | ||||
/** | |||||
* 软件添加 | |||||
* | |||||
* @version $Id: soft_add.php 2 14:16 2010-11-11 tianya $ | |||||
* @package DedeCMS.Member | |||||
* @copyright Copyright (c) 2007 - 2020, DesDev, Inc. | |||||
* @license http://help.dedecms.com/usersguide/license.html | |||||
* @link http://www.dedecms.com | |||||
*/ | |||||
require_once(dirname(__FILE__)."/config.php"); | require_once(dirname(__FILE__)."/config.php"); | ||||
//考虑安全原因不管是否开启游客投稿功能,都不允许用户投稿 | //考虑安全原因不管是否开启游客投稿功能,都不允许用户投稿 | ||||
CheckRank(0, 0); | CheckRank(0, 0); | ||||
@@ -196,7 +205,7 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank' | |||||
$dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'"); | $dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'"); | ||||
echo $inQuery; | echo $inQuery; | ||||
exit(); | exit(); | ||||
ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCms官方。".str_replace('"','',$gerr),"javascript:;"); | |||||
ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错,请把相关信息提交给DedeCMS官方。".str_replace('"','',$gerr),"javascript:;"); | |||||
exit(); | exit(); | ||||
} | } | ||||