
路由内实现参数过滤,防止xss

pull/157/head
zyx0814 7 years ago
parent
commit
d910f3e109
  1. 23
      core/class/dzz/modroute.php
  2. 10
      core/class/dzz/route.php

23
core/class/dzz/modroute.php

@ -5,32 +5,25 @@ class Modroute{
public function run(&$params){
global $_config;
global $_config,$action,$do;
$return = false;
$action = !empty($params[$_config['action_name']]) ? $params[$_config['action_name']]:$_config['default_action'];
$do = !empty($params[$_config['do_name']]) ? $params[$_config['do_name']]:'';
$do = !empty($params[$_config['do_name']]) ? $params[$_config['do_name']]:'';
if(!empty($action)){
if(!preg_match("/\w+/i",$action)) showmessage('undefined_action');
if(!preg_match("/\w+/i",$do) && $do !== '') showmessage('undefined_action');
if(!preg_match("/^\w+$/i",$action)) showmessage('undefined_action');
if(!preg_match("/^\w+$/i",$do) && $do !== '') showmessage('undefined_action');
if(@!file_exists($file = DZZ_ROOT.CURSCRIPT.BS.CURMODULE.BS.OP_NAME.BS.$action.EXT) ){
if(@!file_exists($file = DZZ_ROOT.CURSCRIPT.BS.CURMODULE.BS.OP.BS.$action.BS.$do.EXT)){
if(@!file_exists($file = DZZ_ROOT.CURSCRIPT.BS.CURMODULE.BS.OP_NAME.BS.$action.BS.$do.EXT)){
showmessage($file.lang('file_nonexistence',array('file'=>$file)));
showmessage($file.lang('file_nonexistence',array('file'=>htmlspecialchars($file))));
}
}
$return = include $file;
$params['route_file']=$file;
}
if($return) return false;
else return true;
}
}
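Review bot: The escaping added in the file_nonexistence branch covers only the `file` placeholder passed to lang(), while the same value is still prepended raw through `$file.lang(...)`, so whatever showmessage() renders still receives the unescaped path; the same pattern remains in route.php at `showmessage($modfile.lang('file_nonexistence', ...))`, whereas the later `showmessage(lang('file_nonexistence', ...))` in that file already omits the prefix. Because `$action` and `$do` are now restricted to `\w+`, the path is effectively constants plus word characters today, but the stray prefix defeats the stated purpose of the change; drop it as `showmessage(lang('file_nonexistence',array('file'=>htmlspecialchars($file))));` (and likewise in route.php). Separately, in PCRE `$` also matches before a trailing newline, so `"/^\w+$/i"` accepts a value that ends in a newline; anchoring with `\z` (or the `D` modifier) closes that gap, and the `i` flag is redundant for `\w`: `if(!preg_match("/^\w+\z/",$action)) showmessage('undefined_action');`, with the same change for `$do` here and for `$path`, `$mod` and `$op` in route.php. Whether showmessage() escapes its argument itself is not visible in this diff.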

10
core/class/dzz/route.php

@ -34,7 +34,7 @@ class Route{
foreach($patharr as $path){
if(!preg_match("/\w+/i",$path)) showmessage(lang('undefined_action'));
if(!preg_match("/^\w+$/i",$path)) showmessage(lang('undefined_action'));
}
$modfile='./'.CURSCRIPT.'/'.str_replace(':','/',$mod).'/'.($op?$op:'index').EXT;
@ -44,22 +44,22 @@ class Route{
//兼容老版
if(@!file_exists($modfile='./'.CURSCRIPT.'/'.CURSCRIPT.'_'.str_replace(':','/',$mod).EXT)){
showmessage($modfile.lang('file_nonexistence',array('modfile'=>$modfile)));
showmessage($modfile.lang('file_nonexistence',array('modfile'=>htmlspecialchars($modfile))));
}
}
}else{
if(!preg_match("/\w+/i",$mod) && $mod !== '') showmessage('undefined_action');
if(!preg_match("/^\w+$/i",$mod) && $mod !== '') showmessage('undefined_action');
if(!preg_match("/\w+/i",$op)) showmessage('undefined_action');
if(!preg_match("/^\w+$/i",$op)) showmessage('undefined_action');
if(@!file_exists(DZZ_ROOT.($modfile = './'.CURSCRIPT.'/'.$mod.'/'.$op.EXT)) && @!file_exists(DZZ_ROOT.($modfile = './'.CURSCRIPT.'/'.$mod.'/'.$mod.EXT))) {
//兼容老版
if(@!file_exists($modfile='./'.CURSCRIPT.'/'.$mod.EXT)){
showmessage(lang('file_nonexistence',array('modfile'=>$modfile)));
showmessage(lang('file_nonexistence',array('modfile'=>htmlspecialchars($modfile))));
}
}
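Review bot: The two new checks in the else-branch call `showmessage('undefined_action')` with the bare key, while the segment loop in the first hunk calls `showmessage(lang('undefined_action'))` for the same condition, so the two paths likely produce different user-visible text unless showmessage() resolves language keys itself (not visible here); Modroute::run() uses the bare key as well. Pick one form and use it in all four places, e.g. replace the bare `'undefined_action'` in the `$mod` and `$op` checks with `lang('undefined_action')`, or drop the lang() wrapper in the loop if showmessage() already translates. The enclosing method starts before the first hunk and appears to continue past the end of the second.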
