

Merged
!336 修复 MIME Type设置异常导致严格安全设置下程序异常的问题

老周部落:PR_Fix_Mime_Type_ErrorDiscuz!:master

老周部落 Created on: 2020-01-06 00:33
bug

互联网上的资源有各种类型,通常浏览器会根据响应头的Content-Type字段来分辨它们的类型。例如:text/html代表html文档,image/png是PNG图片,text/css是CSS样式文档。

然而,Discuz!系统内有些资源的Content-Type是错的或者未定义。这时,某些浏览器会启用MIME-Sniffing来猜测该资源的类型,解析内容并执行。

部分CDN或安全策略出于安全考虑禁用了MIME-Sniffing(响应头 X-Content-Type-Options: nosniff)。此时浏览器会拒绝执行 Content-Type 不是 JavaScript 类型的脚本(Chrome 报 strict MIME type checking 错误),也不会把 Content-Type 错误的资源当作样式或图片处理,因此 MIME Type 设置异常的功能无法正常工作,导致 Discuz! 程序异常。

本PR为查找到的需要添加MIME Type头的文件添加了相关头。

关联Issue:
#I17UYE:我是discuz的老用户,大约用了四年多了,discuz我真的很想喷你
#IKKGE:Content-Type错误导致验证码无法加载
#IE9AW:登陆,注册所有验证码不显示 x3.4
#ID8TQ:uc通信一直提示链接中,chrome 报错 because its MIME type text html is not executable and strict MIME type checking is enabled.


oldhuhu merged Pull Request 2020-01-14 17:24
oldhuhu test passed 2020-01-14 17:24
oldhuhu check passed 2020-01-14 17:24
老周部落 push code 2020-01-08 23:25
老周部落 push code 2020-01-08 23:16
老周部落 push code 2020-01-07 06:16
老周部落 push code 2020-01-06 01:12
popcorner 2020-01-06 02:53

:+1:


upload/api/db/dbbak.php
@@ -570,6 +570,7 @@ if($get['method'] == 'export') {
}
$directory->close();
$str .= "</root>";
send_mime_type_header();
echo $str;
exit;
@@ -596,6 +597,7 @@ if($get['method'] == 'export') {
}
$directory->close();
$str .= "</root>";
send_mime_type_header();
echo $str;
exit;
@@ -691,6 +693,7 @@ function api_msg($code, $msg) {
$out .= "\t</fileinfo>\n";
$out .= "\t<nexturl></nexturl>\n";
$out .= "</root>";
send_mime_type_header();
echo $out;
exit;
}
@@ -716,6 +719,7 @@ function auto_next($get, $sqlfile) {
$out .= "\t</fileinfo>\n";
$out .= "\t<nexturl><![CDATA[$next_url]]></nexturl>\n";
$out .= "</root>";
send_mime_type_header();
echo $out;
exit;
}
@@ -907,4 +911,8 @@ function strexists($haystack, $needle) {
return !(strpos($haystack, $needle) === FALSE);
}
function send_mime_type_header($type = 'application/xml') {
header("Content-Type: ".$type);
}
?>
\ No newline at end of file
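Review bot: `send_mime_type_header()` at the bottom of the file is the one place all four XML responses now pass through, yet it only sets the type and still leaves sniffing to whatever the CDN configures; the PR exists because a CDN added `X-Content-Type-Options: nosniff`, so the application should send that header itself rather than depend on it. I would make the helper body `header("Content-Type: ".$type); header("X-Content-Type-Options: nosniff");` so the backup XML is never sniffed as HTML even on an origin with no CDN in front. The call sites inside the `export` branch and in `api_msg()`/`auto_next()` run before the definition, which only works because the function is declared unconditionally at file scope; a comment such as `// must stay unconditional at file scope: callers above rely on compile-time hoisting` would keep someone from wrapping it in a `function_exists()` guard later.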
upload/api/javascript/advertisement.php
@@ -7,6 +7,7 @@
* $Id: advertisement.php 25246 2011-11-02 03:34:53Z zhangguosheng $
*/
header('Content-Type: application/javascript');
header('Expires: '.gmdate('D, d M Y H:i:s', time() + 60).' GMT');
if(!defined('IN_API')) {
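Review bot: The new `header('Content-Type: application/javascript')` runs before the `if(!defined('IN_API'))` guard, so whatever that guard emits when the script is reached directly (its body is outside the hunk) is now labelled as JavaScript; if that is an HTML or plain-text error, a nosniff browser refuses to render it and a non-nosniff one tries to execute it. Moving the two `header()` calls below the guard, or into the branch that actually produces the script, keeps the declared type tied to the body that is sent. If the guard only exits with no output, a one-line comment `// headers are sent before the IN_API check: the guard produces no body` would make that explicit.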
upload/api/javascript/javascript.php
@@ -7,6 +7,7 @@
* $Id: javascript.php 25246 2011-11-02 03:34:53Z zhangguosheng $
*/
header('Content-Type: application/javascript');
header('Expires: '.gmdate('D, d M Y H:i:s', time() + 60).' GMT');
if(!defined('IN_API')) {
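Review bot: `header('Content-Type: application/javascript')` is added without a charset, while `helper_output::_header()` in this same PR appends `; charset=".CHARSET` to every type it sends; a script carrying localized text in a non-UTF-8 site encoding is decoded according to the including page only when the response states no charset, which is usually right but not guaranteed once the script is served cross-origin or through a CDN. If `CHARSET` is already defined at this point in the file (the include that defines it is not visible in the hunk), I would use `header('Content-Type: application/javascript; charset='.CHARSET);`; if it is not yet defined, a comment saying why the charset is omitted here but present in `helper_output` would stop someone "fixing" it into an undefined-constant notice.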
upload/install/include/install_function.php
@@ -19,6 +19,7 @@ function show_msg($error_no, $error_msg = 'ok', $success = 1, $quit = TRUE) {
$str = "<root>\n";
$str .= "\t<error errorCode=\"$error_code\" errorMessage=\"$error_msg\" />\n";
$str .= "</root>";
send_mime_type_header();
echo $str;
exit;
} else {
@@ -267,6 +268,7 @@ function show_env_result(&$env_items, &$dirfile_items, &$func_items, &$filesock_
$str .= "\t</FileDirs>\n";
$str .= "\t<error errorCode=\"$error_code\" errorMessage=\"\" />\n";
$str .= "</root>";
send_mime_type_header();
echo $str;
exit;
@@ -1763,4 +1765,8 @@ function format_space($space) {
}
}
return $space;
}
function send_mime_type_header($type = 'application/xml') {
header("Content-Type: ".$type);
}
\ No newline at end of file
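Review bot: `send_mime_type_header()` defaults to `application/xml` with no charset parameter, and the documents `show_msg()` and `show_env_result()` emit start at `<root>` with no `<?xml … encoding=…?>` prolog visible in the hunk, so an XML parser will assume UTF-8; if the installer runs with a non-UTF-8 site charset, a non-ASCII `$error_msg` goes out mis-labelled and may be rejected as malformed instead of shown. I would give the helper a second parameter, `function send_mime_type_header($type = 'application/xml', $charset = '')`, emit `header("Content-Type: ".$type.($charset ? '; charset='.$charset : ''));`, and pass the installer's charset constant at the two call sites if one is defined there (not visible here). The `errorMessage=\"$error_msg\"` attribute on the context line is only well-formed if callers already XML-escape `$error_msg`; that is outside this hunk, so a comment on `show_msg()` stating that precondition would help the next reader.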
upload/source/class/helper/helper_output.php
@@ -13,30 +13,30 @@ if(!defined('IN_DISCUZ')) {
class helper_output {
protected static function _header() {
protected static function _header($type = 'text/xml') {
global $_G;
ob_end_clean();
$_G['gzipcompress'] ? ob_start('ob_gzhandler') : ob_start();
@header("Expires: -1");
@header("Cache-Control: no-store, private, post-check=0, pre-check=0, max-age=0", FALSE);
@header("Pragma: no-cache");
@header("Content-type: text/xml; charset=".CHARSET);
@header("Content-Type: ".$type."; charset=".CHARSET);
}
public static function xml($s) {
self::_header();
self::_header('text/xml');
echo '<?xml version="1.0" encoding="'.CHARSET.'"?>'."\r\n", '<root><![CDATA[', $s, ']]></root>';
exit();
}
public static function json($data) {
self::_header();
self::_header('application/json');
echo helper_json::encode($data);
exit();
}
public static function html($s) {
self::_header();
self::_header('text/html');
echo $s;
exit();
}
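Review bot: `_header()` now takes the type from its caller but still sends nothing that stops a browser from second-guessing it; since every `xml()`, `json()` and `html()` response passes through this one method, it is the natural place to add `@header("X-Content-Type-Options: nosniff");` next to the `Content-Type` line so the application enforces its own types instead of relying on a CDN to do it, which is what triggered this PR. `json()` sending `application/json; charset=CHARSET` is fine for browsers, though the charset parameter has no defined meaning for JSON and strict clients ignore it; a one-line comment on `_header()` such as `// $type is a bare media type; the site CHARSET is appended for every caller` would document that choice. The class `helper_output` continues past the end of the hunk, so any further methods that echo without calling `_header()` are not covered here.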
upload/source/module/misc/misc_seccode.php
@@ -60,6 +60,7 @@ if($_GET['action'] == 'update') {
$imemode = $_G['setting']['seccodedata']['type'] != 1 ? 'ime-mode:disabled;' : '';
$message = str_replace("'", "\'", $message);
$seclang = lang('forum/misc');
header("Content-Type: application/javascript");
echo <<<EOF
if($('$showid')) {
if(!$('v$showid')) {
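Review bot: The added `header("Content-Type: application/javascript")` declares the type but not the encoding, and the heredoc that follows interpolates `$message` and strings from `lang('forum/misc')`, which are in the site's `CHARSET`; a `<script src>` response without a charset is decoded using the including page's encoding, which works same-origin but becomes fragile once the script is served through the CDN this PR is about. Since `CHARSET` is the constant `helper_output` uses for exactly this purpose, I would send `header("Content-Type: application/javascript; charset=".CHARSET);` here. The enclosing `if($_GET['action'] == 'update')` block starts before the hunk and the heredoc runs past its end.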
upload/source/module/misc/misc_secqaa.php
@@ -31,6 +31,7 @@ if($_GET['action'] == 'update') {
$message = preg_replace("/\r|\n/", '', $question);
$message = str_replace("'", "\'", $message);
$seclang = lang('forum/misc');
header("Content-Type: application/javascript");
echo <<<EOF
if($('$showid')) {
var sectpl = seccheck_tpl['$idhash'] != '' ? seccheck_tpl['$idhash'].replace(/<hash>/g, 'code$idhash') : '';
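Review bot: The new `header("Content-Type: application/javascript")` is the only header this branch sends, and the script it labels carries a freshly issued question for `$idhash`, so nothing here tells the browser or an intermediary not to cache it; the sibling API scripts in this PR set `Expires` (`advertisement.php`, `javascript.php`) and `helper_output::_header()` sends `Cache-Control: no-store`, so this script is the odd one out unless a caching header is set earlier in the file, which the hunk does not show. A cached copy served after the challenge rotates will not match what the server expects, and the user cannot recover by retrying. I would add `header("Cache-Control: no-store, private");` beside the Content-Type line, or route this output through `helper_output`. The enclosing `if($_GET['action'] == 'update')` block and the heredoc both extend outside the hunk.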
upload/source/module/misc/misc_userstatus.php
@@ -47,6 +47,7 @@ if($output['uid']) {
$_G['gzipcompress'] ? ob_start('ob_gzhandler') : ob_start();
}
header("Content-Type: application/json");
echo helper_json::encode($output);
?>
\ No newline at end of file
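Review bot: The JSON emitted after the added `header("Content-Type: application/json")` is per-user state (`$output['uid']` is the branch condition), but no `Cache-Control`/`Pragma` header is visible in the hunk, so a shared cache or the CDN this PR is written for could serve one user's status to another unless caching is disabled earlier in the file. `helper_output::json()` in this same PR sends `application/json; charset=CHARSET` together with `Cache-Control: no-store, private` and `Pragma: no-cache`; either call that instead of echoing here (it does its own `ob_end_clean()`, gzip and `exit`, so check that matches the buffering set up two lines above) or add `header("Cache-Control: no-store, private");` next to the new line. The file ends with `?>` and no trailing newline, which is harmless now but any byte added after the tag would be appended to the JSON body.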
upload/uc_server/api/dbbak.php
@@ -566,6 +566,7 @@ if($get['method'] == 'export') {
}
$directory->close();
$str .= "</root>";
send_mime_type_header();
echo $str;
exit;
@@ -592,6 +593,7 @@ if($get['method'] == 'export') {
}
$directory->close();
$str .= "</root>";
send_mime_type_header();
echo $str;
exit;
@@ -687,6 +689,7 @@ function api_msg($code, $msg) {
$out .= "\t</fileinfo>\n";
$out .= "\t<nexturl></nexturl>\n";
$out .= "</root>";
send_mime_type_header();
echo $out;
exit;
}
@@ -712,6 +715,7 @@ function auto_next($get, $sqlfile) {
$out .= "\t</fileinfo>\n";
$out .= "\t<nexturl><![CDATA[$next_url]]></nexturl>\n";
$out .= "</root>";
send_mime_type_header();
echo $out;
exit;
}
@@ -901,4 +905,8 @@ function _authcode($string, $operation = 'DECODE', $key = '', $expiry = 0) {
function strexists($haystack, $needle) {
return !(strpos($haystack, $needle) === FALSE);
}
function send_mime_type_header($type = 'application/xml') {
header("Content-Type: ".$type);
}
\ No newline at end of file
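Review bot: `send_mime_type_header()` is declared at file scope under exactly the same name as the helper this PR adds to `upload/api/db/dbbak.php`, `upload/install/include/install_function.php` and `upload/uc_server/install/func.inc.php`; each is a separate entry point today, but the first time two of them are included into one request PHP fatals with a redeclare error, and nothing in the code says the name is shared. A `function_exists()` guard is not the fix here: the call sites inside the `export` branch and in `api_msg()`/`auto_next()` run before this definition and `exit`, so they only resolve because an unconditional file-scope function is hoisted at compile time, and making it conditional would break every caller. I would document both facts on the helper, e.g. `// must stay unconditional at file scope (callers above rely on hoisting); same helper exists in api/db/dbbak.php and the install scripts — keep in sync`.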
upload/uc_server/control/admin/app.php
@@ -127,6 +127,7 @@ class control extends adminbase {
$url = $_ENV['note']->get_url_code('test', '', $appid);
$status = $_ENV['app']->test_api($url, $ip);
}
header("Content-Type: application/javascript");
if($status == '1') {
echo 'document.getElementById(\'status_'.$appid.'\').innerHTML = "<img src=\'images/correct.gif\' border=\'0\' class=\'statimg\' \/><span class=\'green\'>'.$this->lang['app_connent_ok'].'</span>";testlink();';
} else {
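Review bot: The added `header("Content-Type: application/javascript")` makes this method's output an explicit script, and the `echo` two lines below builds that script by concatenation with `$appid` (`'status_'.$appid`) and a language string; whether `$appid` is already an integer here depends on code above the hunk that I cannot see, and if it can arrive as a raw request value it closes the `'status_…'` literal and injects into a script executed in the admin's browser. If it is not already coerced, `$appid = intval($appid);` before the header line, or `json_encode('status_'.$appid)` at the point of interpolation, removes the doubt. The method belongs to `class control` and both its start and end lie outside the hunk.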
upload/uc_server/install/func.inc.php
@@ -19,6 +19,7 @@ function show_msg($error_no, $error_msg = 'ok', $success = 1, $quit = TRUE) {
$str = "<root>\n";
$str .= "\t<error errorCode=\"$error_code\" errorMessage=\"$error_msg\" />\n";
$str .= "</root>";
send_mime_type_header();
echo $str;
exit;
} else {
@@ -235,6 +236,7 @@ function show_env_result(&$env_items, &$dirfile_items, &$func_items) {
$str .= "\t</FileDirs>\n";
$str .= "\t<error errorCode=\"$error_code\" errorMessage=\"\" />\n";
$str .= "</root>";
send_mime_type_header();
echo $str;
exit;
@@ -1110,4 +1112,8 @@ function dhtmlspecialchars($string, $flags = null) {
}
}
return $string;
}
function send_mime_type_header($type = 'application/xml') {
header("Content-Type: ".$type);
}
\ No newline at end of file
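Review bot: `show_msg()` is the installer's error path, and the new `send_mime_type_header()` it calls does a bare `header()`: if a warning or stray whitespace has already been flushed by the time an error is reported, which is exactly when this path runs, `header()` fails with a "headers already sent" warning and the XML goes out under PHP's default `text/html`, reproducing the nosniff failure this PR fixes in the case where it matters most. A guard such as `if(!headers_sent()) { header("Content-Type: ".$type); }` at least stops a second warning from being appended to the body; the type is still wrong in that case, so the helper deserves a comment saying the type can only be set if nothing was output first. The definition is unconditional at file scope and the callers earlier in the file depend on that hoisting, which should also be stated in a comment so nobody wraps it in `function_exists()`.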