为文件上传加入token保护

对文件名做更加严格的过滤
This commit is contained in:
祁宁 2014-03-11 15:20:54 +08:00
parent fa7bc750f0
commit a4f93e0231
7 changed files with 10 additions and 7 deletions


@ -120,11 +120,10 @@ $(document).ready(function() {
$('#tab-files').bind('init', function () {
var uploader = new plupload.Uploader({
browse_button : $('.upload-file').get(0),
url : '<?php $options->index('/action/upload'
url : '<?php $security->index('/action/upload'
. (isset($fileParentContent) ? '?cid=' . $fileParentContent->cid : '')); ?>',
runtimes : 'html5,flash,silverlight,html4',
runtimes : 'html5,flash,html4',
flash_swf_url : '<?php $options->adminUrl('js/Moxie.swf'); ?>',
silverlight_xap_url : '<?php $options->adminUrl('js/Moxie.xap'); ?>',
drop_element : $('.upload-area').get(0),
filters : {
max_file_size : '<?php echo $phpMaxFilesize ?>',
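Review bot: The new `url` value hands `$security->index()` a path that may already carry `?cid=...` (the `isset($fileParentContent)` branch), so the token the helper appends has to be joined with `&` rather than a second `?`; how `$security->index()` builds its query string is not visible from this hunk, so that is worth confirming, and the same applies to the `?do=modify&cid=` URL in the attachment-editor hunk below. A short comment on the line, `// $security->index() appends the upload token; do not switch back to $options->index()`, would tell a reader why this URL differs from the `$options->adminUrl(...)` values right beneath it. The enclosing `$(document).ready` handler starts and ends outside the hunk.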

Binary file not shown.


@ -144,10 +144,9 @@ $(document).ready(function() {
var uploader = new plupload.Uploader({
browse_button : $('.upload-file').get(0),
url : '<?php $options->index('/action/upload?do=modify&cid=' . $attachment->cid); ?>',
runtimes : 'html5,flash,silverlight,html4',
url : '<?php $security->index('/action/upload?do=modify&cid=' . $attachment->cid); ?>',
runtimes : 'html5,flash,html4',
flash_swf_url : '<?php $options->adminUrl('js/Moxie.swf'); ?>',
silverlight_xap_url : '<?php $options->adminUrl('js/Moxie.xap'); ?>',
drop_element : $('.upload-area').get(0),
filters : {
max_file_size : '<?php echo $phpMaxFilesize ?>',


@ -37,7 +37,6 @@ class Widget_Login extends Widget_Abstract_Users implements Widget_Interface_Do
/** 初始化验证类 */
$validator = new Typecho_Validate();
$validator->addRule('name', 'required', _t('请输入用户名'));
$validator->addRule('name', 'xssCheck', _t('请不要使用特殊字符'));
$validator->addRule('password', 'required', _t('请输入密码'));
/** 截获验证异常 */


@ -200,7 +200,9 @@ class Widget_Metas_Category_Edit extends Widget_Abstract_Metas implements Widget
$name->addRule('required', _t('必须填写分类名称'));
$name->addRule(array($this, 'nameExists'), _t('分类名称已经存在'));
$name->addRule(array($this, 'nameToSlug'), _t('分类名称无法被转换为缩略名'));
$name->addRule('xssCheck', _t('请不要在分类名称中使用特殊字符'));
$slug->addRule(array($this, 'slugExists'), _t('缩略名已经存在'));
$slug->addRule('xssCheck', _t('请不要在缩略名中使用特殊字符'));
}
if ('update' == $action) {
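Review bot: The new `xssCheck` rules are registered after `nameExists`, `nameToSlug` and `slugExists`, so, if the validator applies rules in registration order, a name or slug containing the rejected characters is still sent through those lookups before it is refused. Registering the syntactic rule first, `$name->addRule('xssCheck', _t('请不要在分类名称中使用特殊字符'));` directly after the `required` rule and the `$slug` rule before `slugExists`, rejects bad input before any lookup runs. The same ordering applies to the tag-editor hunk below. The enclosing method starts and ends outside the hunk.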


@ -182,7 +182,9 @@ class Widget_Metas_Tag_Edit extends Widget_Abstract_Metas implements Widget_Inte
$name->addRule('required', _t('必须填写标签名称'));
$name->addRule(array($this, 'nameExists'), _t('标签名称已经存在'));
$name->addRule(array($this, 'nameToSlug'), _t('标签名称无法被转换为缩略名'));
$name->addRule('xssCheck', _t('请不要标签名称中使用特殊字符'));
$slug->addRule(array($this, 'slugExists'), _t('缩略名已经存在'));
$slug->addRule('xssCheck', _t('请不要在缩略名中使用特殊字符'));
}
if ('update' == $action) {
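Review bot: The message on the added `$name` rule is missing the character `在` and reads `请不要标签名称中使用特殊字符`, unlike the parallel category message `请不要在分类名称中使用特殊字符` and the slug message two lines below; it should read `$name->addRule('xssCheck', _t('请不要在标签名称中使用特殊字符'));`. Because the string is also the `_t()` lookup key, it is worth correcting before translations are generated from it. The enclosing method starts and ends outside the hunk.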


@ -65,6 +65,7 @@ class Widget_Upload extends Widget_Abstract_Contents implements Widget_Interface
*/
private static function getSafeName(&$name)
{
$name = str_replace(array('"', '<', '>'), '', $name);
$name = str_replace('\\', '/', $name);
$name = false === strpos($name, '/') ? ('a' . $name) : str_replace('/', '/a', $name);
$info = pathinfo($name);
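Review bot: The added line in getSafeName removes only `"`, `<` and `>`, which is a deny-list: a single quote, control characters and other bytes pass through unchanged, and whether that matters depends on where the name is later rendered and on the filesystem call, both outside this hunk. The guarantee should be stated in the docblock that ends just above the signature, e.g. `* Strips only ", < and >; callers must still escape the name for HTML/attribute output`, so that callers do not treat the result as HTML-safe. getSafeName's docblock starts, and its body ends, outside the hunk.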
@ -414,6 +415,7 @@ class Widget_Upload extends Widget_Abstract_Contents implements Widget_Interface
public function action()
{
if ($this->user->pass('contributor', true) && $this->request->isPost()) {
$this->security->protect();
if ($this->request->is('do=modify&cid')) {
$this->modify();
} else {