增加token保护

防垃圾评论
This commit is contained in:
祁宁 2014-03-14 16:11:28 +08:00
parent 308c1beb16
commit 15927ad775
11 changed files with 61 additions and 29 deletions


@ -307,6 +307,7 @@ list($prefixVersion, $suffixVersion) = explode('/', $currentVersion);
$installDb->query($installDb->insert('table.options')->rows(array('name' => 'actionTable', 'user' => 0, 'value' => 'a:0:{}')));
$installDb->query($installDb->insert('table.options')->rows(array('name' => 'panelTable', 'user' => 0, 'value' => 'a:0:{}')));
$installDb->query($installDb->insert('table.options')->rows(array('name' => 'attachmentTypes', 'user' => 0, 'value' => '@image@')));
$installDb->query($installDb->insert('table.options')->rows(array('name' => 'secret', 'user' => 0, 'value' => Typecho_Common::randString(32, true))));
/** 初始分类 */
$installDb->query($installDb->insert('table.metas')->rows(array('name' => _t('默认分类'), 'slug' => 'default', 'type' => 'category', 'description' => _t('只是一个默认分类'),
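Review bot: The new `secret` row seeds every anti-CSRF token the site will ever issue, yet the diff does not show how Typecho_Common::randString(32, true) obtains its randomness; if it is built on mt_rand()/rand() the value is guessable from a few observed tokens, which would defeat the protection. Prefer a CSPRNG source (openssl_random_pseudo_bytes() or /dev/urandom, where available) for this one value, and add a comment such as `/* per-site secret used by Widget_Security to derive tokens; must come from a CSPRNG */` above this insert. The install script continues outside the hunk.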


@ -22,7 +22,7 @@ define('__TYPECHO_MB_SUPPORTED__', function_exists('mb_get_info'));
class Typecho_Common
{
/** 程序版本 */
const VERSION = '0.9/14.2.24';
const VERSION = '0.9/14.3.14';
/**
* 锁定的代码块


@ -1161,5 +1161,19 @@ Typecho_Date::setTimezoneOffset($options->timezone);
break;
}
}
}
/**
* v0_9r14_3_14
*
* @param mixed $db
* @param mixed $options
* @access public
* @return void
*/
public function v0_9r14_3_14($db, $options)
{
$db->query($db->insert('table.options')
->rows(array('name' => 'secret', 'user' => 0, 'value' => Typecho_Common::randString(32, true))));
}
}
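Review bot: The docblock for v0_9r14_3_14 says nothing about what the step does; I would replace the bare `* v0_9r14_3_14` line with `* Upgrade step: seed the per-site 'secret' option that Widget_Security mixes into every anti-CSRF token (new installs get it from install.php).` The step also inserts unconditionally, so if table.options enforces uniqueness on (name, user) a partially applied upgrade that is re-run fails on this insert instead of skipping; a prior lookup would make it idempotent, though the schema is not visible in this diff.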


@ -717,7 +717,7 @@ class Widget_Abstract_Contents extends Widget_Abstract
/** 处理密码保护流程 */
if (!empty($value['password']) &&
$value['password'] != $this->request->protectPassword &&
$value['password'] != Typecho_Cookie::get('protectPassword') &&
$value['authorId'] != $this->user->uid &&
!$this->user->pass('editor', true)) {
$value['hidden'] = true;
@ -732,7 +732,8 @@ class Widget_Abstract_Contents extends Widget_Abstract
/** 如果访问权限被禁止 */
if ($value['hidden']) {
$value['text'] = '<form class="protected" action="' . $value['permalink'] . '" method="post">' .
$value['text'] = '<form class="protected" action="' . $this->security->getTokenUrl($value['permalink'])
. '" method="post">' .
'<p class="word">' . _t('请输入密码访问') . '</p>' .
'<p><input type="password" class="text" name="protectPassword" />
<input type="submit" class="submit" value="' . _t('提交') . '" /></p>' .
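Review bot: The protected-post check on the `$value['password'] != ...` lines still compares passwords with loose `!=`, so numeric-looking strings such as `1e3` and `1000` (or `0e12` and `0e34`) are treated as equal; switch both comparisons to strict form, `$value['password'] !== $this->request->protectPassword &&` and `$value['password'] !== Typecho_Cookie::get('protectPassword') &&`. The token now embedded in the form action only blocks cross-site submissions and does not change how the password itself is compared. The enclosing method continues outside the hunk.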


@ -292,7 +292,7 @@ class Widget_Archive extends Widget_Abstract_Contents
* 评论地址
*
* @access protected
* @return void
* @return string
*/
protected function ___commentUrl()
{
@ -306,7 +306,7 @@ class Widget_Archive extends Widget_Abstract_Contents
$commentUrl .= '?parent=' . $reply;
}
return $commentUrl;
return $this->security->getTokenUrl($commentUrl);
}
/**
@ -320,7 +320,7 @@ class Widget_Archive extends Widget_Abstract_Contents
}
/**
* @param $_archiveSlug the $_archiveSlug to set
* @param string $archiveSlug the $_archiveSlug to set
*/
public function setArchiveSlug($archiveSlug)
{
@ -328,7 +328,7 @@ class Widget_Archive extends Widget_Abstract_Contents
}
/**
* @param $_archiveSingle the $_archiveSingle to set
* @param string $archiveSingle the $_archiveSingle to set
*/
public function setArchiveSingle($archiveSingle)
{
@ -795,6 +795,7 @@ class Widget_Archive extends Widget_Abstract_Contents
/** 保存密码至cookie */
if ($this->request->isPost() && isset($this->request->protectPassword)) {
$this->security->protect();
Typecho_Cookie::set('protectPassword', $this->request->protectPassword, 0);
}
@ -1475,7 +1476,7 @@ class Widget_Archive extends Widget_Abstract_Contents
* 获取回响归档对象
*
* @access public
* @return void
* @return Widget_Comments_Ping
*/
public function pings()
{
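Review bot: The line after the new protect() call still stores the visitor's plaintext post password in the `protectPassword` cookie for the whole session; unless Typecho_Cookie::set encrypts values (not shown in this diff), anyone who reads the cookie learns the password, and the value is resent on every request. Storing a keyed digest instead, e.g. `md5($this->options->secret . $this->request->protectPassword)`, and comparing that digest where the cookie is read in Widget_Abstract_Contents would keep the unlock behaviour without exposing the secret. A one-line comment that protect() must run before the cookie is written, so a forged POST cannot unlock the post, would also help the next reader. The surrounding method starts and ends outside the hunk.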


@ -37,6 +37,9 @@ class Widget_Feedback extends Widget_Abstract_Comments implements Widget_Interfa
*/
private function comment()
{
// 使用安全模块保护
$this->security->protect();
$comment = array(
'cid' => $this->_content->cid,
'created' => $this->options->gmtTime,
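Review bot: The comment `// 使用安全模块保护` does not say what protect() enforces or how a failure surfaces; I would write `// Anti-spam/CSRF gate: drop comment POSTs whose "_" token does not match the referring page (Widget_Security::protect()); mismatches are bounced with goBack() and no notice.` Because the check keys on the Referer header, visitors whose browser or privacy tooling strips it will have their comment silently discarded, which is worth confirming with the maintainer. comment() continues outside the hunk.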


@ -28,6 +28,9 @@ class Widget_Login extends Widget_Abstract_Users implements Widget_Interface_Do
*/
public function action()
{
// protect
$this->security->protect();
/** 如果已经登录 */
if ($this->user->hasLogin()) {
/** 直接返回 */


@ -201,8 +201,9 @@ class Widget_Options extends Typecho_Widget
*/
protected function ___loginAction()
{
return Typecho_Router::url('do', array('action' => 'login', 'widget' => 'Login'),
Typecho_Common::url('index.php', $this->rootUrl));
return $this->widget('Widget_Security')->getTokenUrl(
Typecho_Router::url('do', array('action' => 'login', 'widget' => 'Login'),
Typecho_Common::url('index.php', $this->rootUrl)));
}
/**
@ -224,7 +225,8 @@ class Widget_Options extends Typecho_Widget
*/
protected function ___registerAction()
{
return Typecho_Router::url('do', array('action' => 'register', 'widget' => 'Register'), $this->index);
return $this->widget('Widget_Security')->getTokenUrl(
Typecho_Router::url('do', array('action' => 'register', 'widget' => 'Register'), $this->index));
}
/**


@ -179,8 +179,12 @@ class Widget_Options_General extends Widget_Abstract_Options implements Widget_I
$attachmentTypesOther = $this->request->filter('trim', 'strtolower')->attachmentTypesOther;
if ($this->isEnableByCheckbox($settings['attachmentTypes'], '@other@') && !empty($attachmentTypesOther)) {
$attachmentTypes[] = implode(',',
array_filter(array_map('trim', explode(',', $attachmentTypesOther)), array($this, 'removeShell')));
$types = implode(',', array_filter(array_map('trim',
explode(',', $attachmentTypesOther)), array($this, 'removeShell')));
if (!empty($types)) {
$attachmentTypes[] = $types;
}
}
$settings['attachmentTypes'] = implode(',', $attachmentTypes);
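Review bot: The rebuilt `$types` still passes empty entries to removeShell: after `explode`/`trim`, input such as `jpg,,png` yields `''` elements, and array_filter with a callback no longer drops them by default, so unless removeShell itself rejects empty strings the stored list can contain `jpg,,png`. Filtering blanks first preserves the intent: `array_filter(array_filter(array_map('trim', explode(',', $attachmentTypesOther))), array($this, 'removeShell'))`. The enclosing action starts and ends outside the hunk.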


@ -17,6 +17,9 @@ class Widget_Register extends Widget_Abstract_Users implements Widget_Interface_
*/
public function action()
{
// protect
$this->security->protect();
/** 如果已经登录 */
if ($this->user->hasLogin() || !$this->options->allowRegister) {
/** 直接返回 */


@ -30,13 +30,21 @@ class Widget_Security extends Typecho_Widget
$this->_options = $this->widget('Widget_Options');
$user = $this->widget('Widget_User');
$token = uniqid();
$this->_token = $this->_options->secret;
if ($user->hasLogin()) {
$token = $user->authCode . '&' . $user->uid
. '&' . $this->request->getRequestUrl();
$this->_token .= '&' . $user->authCode . '&' . $user->uid;
}
}
$this->_token = md5($token);
/**
* 获取token
*
* @param string $suffix 后缀
* @return string
*/
public function getToken($suffix)
{
return md5($this->_token . '&' . $suffix);
}
/**
@ -54,7 +62,7 @@ class Widget_Security extends Typecho_Widget
parse_str($parts['query'], $params);
}
$params['_'] = $this->_token;
$params['_'] = $this->getToken($this->request->getRequestUrl());
$parts['query'] = http_build_query($params);
return Typecho_Common::buildUrl($parts);
@ -66,16 +74,8 @@ class Widget_Security extends Typecho_Widget
*/
public function protect()
{
$user = $this->widget('Widget_User');
$token = uniqid();
if ($user->hasLogin()) {
$token = $user->authCode . '&' . $user->uid
. '&' . $this->request->getReferer();
}
if ($this->request->get('_') != md5($token)) {
$this->widget('Widget_Notice')->set(_t('一次不安全的跳转已经被阻止'));
$this->response->redirect($this->_options->adminUrl);
if ($this->request->get('_') != $this->getToken($this->request->getReferer())) {
$this->response->goBack();
}
}
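Review bot: The token check on the last hunk line still uses loose `!=`, and because both sides are md5 hex strings PHP's numeric-string comparison treats a digest of the form `0e<digits>` as equal to `0`, so a request with `_=0` passes whenever the expected token happens to have that shape; compare strictly, `if ($this->request->get('_') !== $this->getToken($this->request->getReferer())) {`. Deriving the token as `hash_hmac('sha256', $suffix, $this->_token)` instead of `md5($this->_token . '&' . $suffix)` would also stop relying on md5 over a plain concatenation of secret, authCode and URL. Note that getTokenUrl() binds the token to getRequestUrl() while protect() verifies it against getReferer(), so clients that omit or rewrite the Referer header are now sent back via goBack() with no notice; that contract deserves a comment on protect(). The constructor that assigns $this->_token starts before this hunk.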