一些bug修复等

4 年之前 · 4204cfe0a4
--- a/src/dede/co_export.php
+++ b/src/dede/co_export.php
@@ -4,7 +4,7 @@
 *
 * @version        $Id: co_edit_text.php 1 14:31 2010年7月12日Z tianya $
 * @package        DedeCMS.Administrator
 * @copyright      Copyright (c) 2007 - 2020, DesDev, Inc.
 * @copyright      Copyright (c) 2007 - 2010, DesDev, Inc.
 * @license        http://help.dedecms.com/usersguide/license.html
 * @link           http://www.dedecms.com
 */
@@ -217,7 +217,8 @@ else
        $mainSql = str_replace('@sortrank@', $sortrank, $mainSql);
        $mainSql = str_replace('@pubdate@', $pubdate, $mainSql);
        $mainSql = str_replace('@senddate@', $senddate, $mainSql);
        $mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql);
        $mainSql = str_replace('@title@', cn_substr($title, $cfg_title_maxlen), $mainSql);
 		//$mainSql = str_replace('@title@', cn_substr($title, 60), $mainSql);	原来的语句，采集的文章导出到栏目后标题不全
        $addSql = str_replace('@sortrank@', $sortrank, $addSql);
        $addSql = str_replace('@senddate@', $senddate, $addSql);
--- a/src/dede/media_add.php
+++ b/src/dede/media_add.php
@@ -4,7 +4,7 @@
 *
 * @version        $Id: media_add.php 2 15:25 2011-6-2 tianya $
 * @package        DedeCMS.Administrator
 * @copyright      Copyright (c) 2007 - 2020, DesDev, Inc.
 * @copyright      Copyright (c) 2007 - 2010, DesDev, Inc.
 * @license        http://help.dedecms.com/usersguide/license.html
 * @link           http://www.dedecms.com
 */
@@ -67,6 +67,11 @@ if($dopost=="upload")
                MkdirAll($cfg_basedir.$savePath,777);
                CloseFtp();
            }
 			/*
 			dedecms后台文件任意上传漏洞
 			漏洞描述：dedecms早期版本后台存在大量的富文本编辑器，该控件提供了一些文件上传接口，同时dedecms对上传文件的后缀类型未进行严格的限制，这导致了黑客可以上传WEBSHELL，获取网站后台权限。
 			*/
 			if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)[^a-zA-Z0-9]+$#i', trim($filename))) { ShowMsg("你指定的文件名被系统禁止！"); exit(); }
            $fullfilename = $cfg_basedir.$filename;
            if($mediatype==1)
            {
--- a/src/include/uploadsafe.inc.php
+++ b/src/include/uploadsafe.inc.php
@@ -1,13 +1,4 @@
 <?php
 /**
 * 文件上传安全校验方法
 *
 * @version        $Id: uploadsafe.inc.php 1 15:59 2020年8月19日Z tianya $
 * @package        DedeCMS.Libraries
 * @copyright      Copyright (c) 2007 - 2020, DesDev, Inc.
 * @license        http://help.dedecms.com/usersguide/license.html
 * @link           http://www.dedecms.com
 */
 if(!defined('DEDEINC')) exit('Request Error!');
 if(isset($_FILES['GLOBALS'])) exit('Request not allow!');
@@ -16,9 +7,7 @@ if(isset($_FILES['GLOBALS'])) exit('Request not allow!');
 //这里强制限定的某些文件类型禁止上传
 $cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php3|shtm|shtml";
 $keyarr = array('name', 'type', 'tmp_name', 'size');
 if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload']) || 
 $GLOBALS['cfg_html_editor']=='ckeditor4' && isset($_FILES['upload'])
 )
 if ($GLOBALS['cfg_html_editor']=='ckeditor' && isset($_FILES['upload']))
 {
    $_FILES['imgfile'] = $_FILES['upload'];
    $CKUpload = TRUE;
@@ -41,33 +30,18 @@ foreach($_FILES as $_key=>$_value)
    ${$_key.'_name'} = $_FILES[$_key]['name'];
    ${$_key.'_type'} = $_FILES[$_key]['type'] = preg_replace('#[^0-9a-z\./]#i', '', $_FILES[$_key]['type']);
    ${$_key.'_size'} = $_FILES[$_key]['size'] = preg_replace('#[^0-9]#','',$_FILES[$_key]['size']);
    if (is_array(${$_key.'_name'})) {
        if (count(${$_key.'_name'}) > 0) {
            foreach (${$_key.'_name'} as $key => $value) {
                if (!empty($value) && (preg_match("#\.(".$cfg_not_allowall.")$#i", $value) || !preg_match("#\.#", $value))) {
                    if(!defined('DEDEADMIN'))
                    {
                        exit('Not Admin Upload filetype not allow !');
                    }
                }
            }
        }
    } else {
        if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) )
    if(!empty(${$_key.'_name'}) && (preg_match("#\.(".$cfg_not_allowall.")$#i",${$_key.'_name'}) || !preg_match("#\.#", ${$_key.'_name'})) )
    {
        if(!defined('DEDEADMIN'))
        {
            if(!defined('DEDEADMIN'))
            {
                exit('Not Admin Upload filetype not allow !');
            }
            exit('Not Admin Upload filetype not allow !');
        }
    }
    if(empty(${$_key.'_size'}))
    {
        ${$_key.'_size'} = @filesize($$_key);
        ${$_key.'_size'} = @filesize($$_key); 
    }
 	 $imtypes = array("image/pjpeg", "image/jpeg", "image/gif", "image/png", "image/xpng", "image/wbmp", "image/bmp"); if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes)) { $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; } if (!is_array($image_dd)) { exit('Upload filetype not allow !'); } }
    $imtypes = array
    (
@@ -75,30 +49,13 @@ foreach($_FILES as $_key=>$_value)
        "image/xpng", "image/wbmp", "image/bmp"
    );
    if (is_array(${$_key.'_type'})) {
        if (count(${$_key.'_type'}) > 0) {
            foreach (${$_key.'_type'} as $key => $value) {
                if(in_array(strtolower(trim($value)), $imtypes))
                {
                    $image_dd = @getimagesize($$_key);
                    if (!is_array($image_dd))
                    {
                        exit('Upload filetype not allow !');
                    }
                }
            }
        }
    } else {
        if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes))
    if(in_array(strtolower(trim(${$_key.'_type'})), $imtypes))
    {
        $image_dd = @getimagesize($$_key); if($image_dd == false){ continue; }
        if (!is_array($image_dd))
        {
            $image_dd = @getimagesize($$_key);
            if (!is_array($image_dd))
            {
                exit('Upload filetype not allow !');
            }
            exit('Upload filetype not allow !');
        }
    }
 }
 ?>
--- a/src/member/album_add.php
+++ b/src/member/album_add.php
@@ -4,7 +4,7 @@
 * 
 * @version        $Id: album_add.php 1 13:52 2010年7月9日Z tianya $
 * @package        DedeCMS.Member
 * @copyright      Copyright (c) 2007 - 2020, DesDev, Inc.
 * @copyright      Copyright (c) 2007 - 2010, DesDev, Inc.
 * @license        http://help.dedecms.com/usersguide/license.html
 * @link           http://www.dedecms.com
 */
@@ -217,7 +217,8 @@ else if($dopost=='save')
        ShowMsg("无法获得主键，因此无法进行后续操作！","-1");
        exit();
    }
 	$description = HtmlReplace($description, -1);
 	$description = HtmlReplace($description, -1);//2011.06.30 增加html过滤 （by:织梦的鱼）
 	$mtypesid = intval($mtypesid);	             //对输入参数mtypesid未进行int整型转义，导致SQL注入的发生。
    //保存到主表
    $inQuery = "INSERT INTO `#@__archives`(id,typeid,sortrank,flag,ismake,channel,arcrank,click,money,title,shorttitle,
 color,writer,source,litpic,pubdate,senddate,mid,description,keywords,mtype)
--- a/src/member/article_add.php
+++ b/src/member/article_add.php
@@ -4,7 +4,7 @@
 * 
 * @version        $Id: article_add.php 1 8:38 2010年7月9日Z tianya $
 * @package        DedeCMS.Member
 * @copyright      Copyright (c) 2007 - 2020, DesDev, Inc.
 * @copyright      Copyright (c) 2007 - 2010, DesDev, Inc.
 * @license        http://help.dedecms.com/usersguide/license.html
 * @link           http://www.dedecms.com
 */
@@ -80,7 +80,7 @@ else if($dopost=='save')
        }
    }
    if (empty($dede_fieldshash) || $dede_fieldshash != md5($dede_addonfields.$cfg_cookie_encode))
    if (empty($dede_fieldshash) || ( $dede_fieldshash != md5($dede_addonfields . $cfg_cookie_encode) && $dede_fieldshash != md5($dede_addonfields . 'anythingelse' . $cfg_cookie_encode)) ) 
    {
        showMsg('数据校验不对，程序返回', '-1');
        exit();
--- a/src/member/inc/archives_check_edit.php
+++ b/src/member/inc/archives_check_edit.php
@@ -4,7 +4,7 @@
 * 
 * @version        $Id: archives_check_edit.php 1 13:52 2010年7月9日Z tianya $
 * @package        DedeCMS.Member
 * @copyright      Copyright (c) 2007 - 2020, DesDev, Inc.
 * @copyright      Copyright (c) 2007 - 2010, DesDev, Inc.
 * @license        http://help.dedecms.com/usersguide/license.html
 * @link           http://www.dedecms.com
 */
@@ -89,5 +89,5 @@ if($litpic != '')
 }
 else
 {
    $litpic =$oldlitpic;
    $litpic =$oldlitpic; if (strpos( $litpic, '..') !== false || strpos( $litpic, $cfg_user_dir."/{$userid}/" ) === false) exit('not allowed path!');
 }
--- a/src/member/inc/inc_archives_functions.php
+++ b/src/member/inc/inc_archives_functions.php
@@ -4,7 +4,7 @@
 * 
 * @version        $Id: inc_archives_functions.php 1 13:52 2010年7月9日Z tianya $
 * @package        DedeCMS.Member
 * @copyright      Copyright (c) 2007 - 2020, DesDev, Inc.
 * @copyright      Copyright (c) 2007 - 2010, DesDev, Inc.
 * @license        http://help.dedecms.com/usersguide/license.html
 * @link           http://www.dedecms.com
 */
@@ -236,7 +236,7 @@ function PrintAutoFieldsAdd(&$fieldset, $loadtype='all', $isprint=TRUE)
        }
    }
    if ($isprint) echo "<input type='hidden' name='dede_addonfields' value=\"".$dede_addonfields."\">\r\n";
    echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields.$cfg_cookie_encode)."\" />";
 	echo "<input type=\"hidden\" name=\"dede_fieldshash\" value=\"".md5($dede_addonfields . 'anythingelse' .$cfg_cookie_encode) ."\" />";
    // 增加一个返回
    return $addonfieldsname;
 }
--- a/src/member/soft_add.php
+++ b/src/member/soft_add.php
@@ -148,11 +148,10 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank'
    //软件链接列表
    $softurl1 = stripslashes($softurl1);
    $softurl1 = str_replace(array("{dede:","{/dede:","}"), "#", $softurl1);
    $servermsg1 = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg1);
    $urls = '';
    if($softurl1!='')
    {
        $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n";
         if (preg_match("#}(.*?){/dede:link}{dede:#sim", $servermsg1) != 1) { $urls .= "{dede:link islocal='1' text='{$servermsg1}'} $softurl1 {/dede:link}\r\n"; }
    }
    for($i=2; $i<=12; $i++)
    {
@@ -161,7 +160,6 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank'
            $servermsg = str_replace("'","",stripslashes(${'servermsg'.$i}));
            $softurl = stripslashes(${'softurl'.$i});
 			$softurl = str_replace(array("{dede:","{/dede:","}"), "#", $softurl);
 			$servermsg = str_replace(array("{dede:","{/dede:","}"), "#", $servermsg);
            if($servermsg=='')
            {
                $servermsg = '下载地址'.$i;
@@ -198,7 +196,7 @@ VALUES ('$arcID','$typeid','$sortrank','$flag','$ismake','$channelid','$arcrank'
        $dsql->ExecuteNoneQuery("DELETE FROM `#@__arctiny` WHERE id='$arcID'");
        echo $inQuery;
        exit();
        ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错，请把相关信息提交给DedeCMS官方。".str_replace('"','',$gerr),"javascript:;");
        ShowMsg("把数据保存到数据库附加表 `{$addtable}` 时出错，请把相关信息提交给DedeCms官方。".str_replace('"','',$gerr),"javascript:;");
        exit();
    }
--- a/src/plus/guestbook/edit.inc.php
+++ b/src/plus/guestbook/edit.inc.php
@@ -52,6 +52,10 @@ else if($job=='editok')
        }
    }
 	$msg = HtmlReplace($msg, -1);
 	/*
 	漏洞描述：dedecms留言板注入漏洞。
 	*/
 	$msg = addslashes($msg);
    $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
    ShowMsg("成功更改或回复一条留言！", $GUEST_BOOK_POS);
    exit();
@@ -66,4 +70,4 @@ else
 {
    $row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id'");
    require_once(DEDETEMPLATE.'/plus/guestbook-user.htm');
 }
 }