From 0f9d521c0e290cd2c966045c256d52e6c2c5c3b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=81=E5=91=A8=E9=83=A8=E8=90=BD?=
Date: Tue, 14 Dec 2021 22:51:59 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20=E9=98=B2=E6=B2=A6?=
 =?UTF-8?q?=E9=99=B7=E5=AE=89=E5=85=A8=E6=9B=B4=E6=96=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 upload/api/uc.php | 8 ++++++--
 upload/install/include/install_function.php | 4 ++++
 upload/install/index.php | 4 ++--
 upload/source/function/media/media_56.php | 2 +-
 upload/source/function/media/media_ku6.php | 4 ++--
 upload/source/function/media/media_sina.php | 4 ++--
 upload/source/function/media/media_sohu.php | 4 ++--
 upload/source/function/media/media_tudou.php | 2 +-
 upload/source/function/media/media_youku.php | 2 +-
 upload/source/function/media/media_youtube.php | 2 +-
 10 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/upload/api/uc.php b/upload/api/uc.php
index 09f012317..7c8c27b7e 100644
--- a/upload/api/uc.php
+++ b/upload/api/uc.php
@@ -111,7 +111,10 @@ class uc_note {
 return API_RETURN_FORBIDDEN;
 }
-
+ $len = strlen($get['newusername']);
+ if($len > 22 || $len < 3 || preg_match("/\s+|^c:\\con\\con|[%,\*\"\s\<\>\&\(\)']/is", $get['newusername'])) {
+ return API_RETURN_FAILED;
+ }
 $tables = array(
 'common_block' => array('id' => 'uid', 'name' => 'username'),
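Review bot: The `^c:\\con\\con` alternative in the added `preg_match` is written inside a double-quoted PHP string, so `\\c` reaches PCRE as `\c`, and `\c` followed by `o` is PCRE's control-character escape rather than a literal backslash; the alternation therefore never matches the `c:\con\con` form it is evidently meant to reject. Doubling the escapes in the source literal, `"/\s+|^c:\\\\con\\\\con|[%,\*\"\s\<\>\&\(\)']/is"`, hands PCRE `\\con` and restores the intended literal match. `strlen` also counts bytes, so the 3–22 bound applies to UTF-8 bytes rather than characters; confirm that this matches the username-length policy used elsewhere before merging. The enclosing method starts before this hunk and its tail context appears cut off in this rendering.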
@@ -292,9 +295,10 @@ class uc_note {
 if($UC_API && is_writeable(DISCUZ_ROOT.'./config/config_ucenter.php')) {
 if(preg_match('/^https?:\/\//is', $UC_API)) {
+ require DISCUZ_ROOT.'./config/config_ucenter.php';
 $configfile = trim(file_get_contents(DISCUZ_ROOT.'./config/config_ucenter.php'));
 $configfile = substr($configfile, -2) == '?>' ? substr($configfile, 0, -2) : $configfile;
- $configfile = preg_replace("/define\('UC_API',\s*'.*?'\);/i", "define('UC_API', '".addslashes($UC_API)."');", $configfile);
+ $configfile = str_replace("define('UC_API', '".addslashes(UC_API)."')", "define('UC_API', '".addslashes($UC_API)."')", $configfile);
 if($fp = @fopen(DISCUZ_ROOT.'./config/config_ucenter.php', 'w')) {
 @fwrite($fp, trim($configfile));
 @fclose($fp);
diff --git a/upload/install/include/install_function.php b/upload/install/include/install_function.php
index 374011689..6494b450a 100644
--- a/upload/install/include/install_function.php
+++ b/upload/install/include/install_function.php
@@ -1496,6 +1496,10 @@ function buildarray($array, $level = 0, $pre = '$_config') {
 }
 foreach ($array as $key => $val) {
+ if(!preg_match("/^[a-zA-Z0-9_\x7f-\xff]+$/", $key)) {
+ continue;
+ }
+
 if($level == 0) {
 $newline = str_pad(' CONFIG '.strtoupper($key).' ', 70, '-', STR_PAD_BOTH);
 $return .= "\r\n// $newline //\r\n";
diff --git a/upload/install/index.php b/upload/install/index.php
index a5bdb0fb4..537d8c858 100644
--- a/upload/install/index.php
+++ b/upload/install/index.php
@@ -110,7 +110,7 @@ if($method == 'show_license') {
 }
 foreach($items as $k => $v) {
 $tmp = $$key;
- $$k = $tmp[$k];
+ $$k = addslashes($tmp[$k]);
 if(empty($$k) || !preg_match($v['reg'], $$k)) {
 if(empty($$k) && !$v['required']) {
 continue;
@@ -252,7 +252,7 @@ if($method == 'show_license') {
 }
 foreach($items as $k => $v) {
 $tmp = $$key;
- $$k = $tmp[$k];
+ $$k = addslashes($tmp[$k]);
 if(empty($$k) || !preg_match($v['reg'], $$k)) {
 if(empty($$k) && !$v['required']) {
 continue;
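Review bot: The added `require DISCUZ_ROOT.'./config/config_ucenter.php';` re-executes that file's `define()` calls, and if config_ucenter.php has already been loaded earlier in the request (the API's setup code lies outside this hunk) every repeated `define('UC_API', …)` raises a "Constant already defined" warning without changing the value the following `str_replace` reads; `require_once DISCUZ_ROOT.'./config/config_ucenter.php';` gives the same guarantee without the re-definition. The `str_replace` keyed on `addslashes(UC_API)` also leaves the file untouched, silently, whenever the stored literal differs in spacing, quoting or escaping from the reconstructed needle, so the old and new `$configfile` should be compared and the no-op case logged or reported rather than written back as if it succeeded. The enclosing method starts before this hunk and continues after it.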
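Review bot: The key filter added at the top of the `foreach` uses `$` without the `D` modifier, so a key ending in a single newline still passes `/^[a-zA-Z0-9_\x7f-\xff]+$/` because PCRE's `$` also matches just before a trailing newline; change it to `"/^[a-zA-Z0-9_\x7f-\xff]+$/D"` (or end the pattern with `\z`) so the whole key must be in the allowed set. The bare `continue` drops a rejected key from the generated config with no trace; a one-line comment such as `// skip keys that could break out of the generated $_config[...] literal` would record the intent for the next maintainer. buildarray's body continues past the end of this hunk.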
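Review bot: `addslashes()` is now applied before the `preg_match($v['reg'], $$k)` check on the next line, so each field's validation regex runs against the escaped string rather than the submitted value, and an input containing `'`, `"` or `\` may be rejected by, or slip past, a pattern written for the raw form. If the escaping is meant for the single-quoted literals the installer writes into the config file, `addslashes` is also wider than that context needs (`"` becomes `\"`, which a single-quoted PHP literal keeps verbatim) and the same `$$k` presumably still feeds the live database connection during install, where the escaped value is wrong — validate the raw value here and escape only where the config text is built. The identical change in the second hunk of this file (`@@ -252,7 +252,7 @@`) has the same issue.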
diff --git a/upload/source/function/media/media_56.php b/upload/source/function/media/media_56.php
index 9f31befa0..9698b0665 100644
--- a/upload/source/function/media/media_56.php
+++ b/upload/source/function/media/media_56.php
@@ -15,7 +15,7 @@ function media_56($url, $width, $height) {
 }
 if(!$width && !$height && !empty($matches[1])) {
 $api = 'http://vxml.56.com/json/'.str_replace('v_', '', $matches[1]).'/?src=out';
- $str = file_get_contents($api, false, $ctx);
+ $str = dfsockopen($api);
 if(!empty($str) && preg_match("/\"img\":\"(.+?)\"/i", $str, $image)) {
 $imgurl = trim($image[1]);
 }
diff --git a/upload/source/function/media/media_ku6.php b/upload/source/function/media/media_ku6.php
index 5f6c502ab..5dab09a73 100644
--- a/upload/source/function/media/media_ku6.php
+++ b/upload/source/function/media/media_ku6.php
@@ -11,7 +11,7 @@ function media_ku6($url, $width, $height) {
 $flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf';
 if(!$width && !$height) {
 $api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html';
- $str = file_get_contents($api, false, $ctx);
+ $str = dfsockopen($api);
 if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) {
 $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
 }
@@ -20,7 +20,7 @@ function media_ku6($url, $width, $height) {
 $flv = 'http://player.ku6.com/refer/'.$matches[1].'/v.swf';
 if(!$width && !$height) {
 $api = 'http://vo.ku6.com/fetchVideo4Player/1/'.$matches[1].'.html';
- $str = file_get_contents($api, false, $ctx);
+ $str = dfsockopen($api);
 if(!empty($str) && preg_match("/\"picpath\":\"(.+?)\"/i", $str, $image)) {
 $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
 }
diff --git a/upload/source/function/media/media_sina.php b/upload/source/function/media/media_sina.php
index fcb863225..b1f0ca955 100644
--- a/upload/source/function/media/media_sina.php
+++ b/upload/source/function/media/media_sina.php
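Review bot: With `file_get_contents($api, false, $ctx)` replaced by `dfsockopen($api)`, the `$ctx` stream context the old call consumed is no longer read anywhere in this hunk; if it is still built earlier in `media_56` (the function's start is outside the hunk) it is now dead code, and any timeout or header options it carried are silently lost unless `dfsockopen` is given an equivalent timeout argument, if that helper accepts one. The same applies to the identical replacements in media_ku6.php (both hunks), media_sina.php, media_sohu.php and media_youku.php. A short comment on the new line, such as `// fetch via dfsockopen so only http(s) is ever requested here`, would record why the stream-wrapper call was dropped, assuming that is the motivation.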
@@ -11,7 +11,7 @@ function media_sina($url, $width, $height) {
 $flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1];
 if(!$width && !$height) {
 $api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1];
- $str = file_get_contents($api, false, $ctx);
+ $str = dfsockopen($api);
 if(!empty($str)) {
 $imgurl = str_replace('imgurl=', '', trim($str));
 }
@@ -20,7 +20,7 @@ function media_sina($url, $width, $height) {
 $flv = 'http://vhead.blog.sina.com.cn/player/outer_player.swf?vid='.$matches[1];
 if(!$width && !$height) {
 $api = 'http://interface.video.sina.com.cn/interface/common/getVideoImage.php?vid='.$matches[1];
- $str = file_get_contents($api, false, $ctx);
+ $str = dfsockopen($api);
 if(!empty($str)) {
 $imgurl = str_replace('imgurl=', '', trim($str));
 }
diff --git a/upload/source/function/media/media_sohu.php b/upload/source/function/media/media_sohu.php
index 86020e886..7d86ce5eb 100644
--- a/upload/source/function/media/media_sohu.php
+++ b/upload/source/function/media/media_sohu.php
@@ -11,7 +11,7 @@ function media_sohu($url, $width, $height) {
 $flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1];
 if(!$width && !$height) {
 $api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3';
- $str = file_get_contents($api, false, $ctx);
+ $str = dfsockopen($api);
 if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) {
 $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
 }
@@ -20,7 +20,7 @@ function media_sohu($url, $width, $height) {
 $flv = 'http://v.blog.sohu.com/fo/v4/'.$matches[1];
 if(!$width && !$height) {
 $api = 'http://v.blog.sohu.com/videinfo.jhtml?m=view&id='.$matches[1].'&outType=3';
- $str = file_get_contents($api, false, $ctx);
+ $str = dfsockopen($api);
 if(!empty($str) && preg_match("/\"cutCoverURL\":\"(.+?)\"/i", $str, $image)) {
 $imgurl = str_replace(array('\u003a', '\u002e'), array(':', '.'), $image[1]);
 }
diff --git a/upload/source/function/media/media_tudou.php b/upload/source/function/media/media_tudou.php
index dde9d2747..090bfdd97 100644
--- a/upload/source/function/media/media_tudou.php
+++ b/upload/source/function/media/media_tudou.php
@@ -11,7 +11,7 @@ function media_tudou($url, $width, $height) {
 $flv = 'http://www.tudou.com/v/'.$matches[2];
 $iframe = 'http://www.tudou.com/programs/view/html5embed.action?code='.$matches[2];
 if(!$width && !$height) {
- $str = file_get_contents($url, false);
+ $str = dfsockopen($api);
 if(!empty($str) && preg_match("/(.+?)<\/span>/i", $str, $image)) {
 $imgurl = trim($image[1]);
 }
diff --git a/upload/source/function/media/media_youku.php b/upload/source/function/media/media_youku.php
index 8a98cbb47..410b0cb90 100644
--- a/upload/source/function/media/media_youku.php
+++ b/upload/source/function/media/media_youku.php
@@ -14,7 +14,7 @@ function media_youku($url, $width, $height) {
 $iframe = 'https://player.youku.com/embed/'.$params[0];
 if(!$width && !$height) {
 $api = 'http://v.youku.com/player/getPlayList/VideoIDS/'.$params[0];
- $str = stripslashes(file_get_contents($api, false, $ctx));
+ $str = stripslashes(dfsockopen($api));
 if(!empty($str) && preg_match("/\"logo\":\"(.+?)\"/i", $str, $image)) {
 $url = substr($image[1], 0, strrpos($image[1], '/')+1);
 $filename = substr($image[1], strrpos($image[1], '/')+2);
diff --git a/upload/source/function/media/media_youtube.php b/upload/source/function/media/media_youtube.php
index b516a5cf4..3972fe77e 100644
--- a/upload/source/function/media/media_youtube.php
+++ b/upload/source/function/media/media_youtube.php
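Review bot: The new line passes `$api` to `dfsockopen`, but the line it replaces read `$url`, and unlike the other media files in this commit no `$api = …` assignment appears anywhere in this hunk; unless `$api` is set earlier in `media_tudou` (the function's start is outside the hunk), the call receives an undefined variable, `$str` stays empty and the thumbnail lookup silently never succeeds. The youtube hunk in the same commit keeps `$url` for the equivalent replacement, so this is most likely meant to read `$str = dfsockopen($url);`. Whichever URL is intended, a comment naming it (`// fetch the tudou page itself; no JSON endpoint is used here`, if that is the case) would keep the two variants from being confused again.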
@@ -11,7 +11,7 @@ function media_youtube($url, $width, $height) {
 $flv = 'https://www.youtube.com/v/'.$matches[2].'&fs=1';
 $iframe = 'https://www.youtube.com/embed/'.$matches[2];
 if(!$width && !$height) {
- $str = file_get_contents($url, false);
+ $str = dfsockopen($url);
 if(!empty($str) && preg_match("/'VIDEO_HQ_THUMB':\s'(.+?)'/i", $str, $image)) {
 $url = substr($image[1], 0, strrpos($image[1], '/')+1);
 $filename = substr($image[1], strrpos($image[1], '/')+3);
-- 
Gitee
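Review bot: `$url` reaches `dfsockopen` exactly as `media_youtube` received it, so the server-side fetch goes to whatever host the earlier `preg_match` (outside this hunk) let through into `$matches`; switching the transport helper does not by itself constrain the destination. Since `$matches[2]` is already the video id and the two lines above build fixed youtube.com URLs from it, fetching a URL constructed the same way — `$str = dfsockopen('https://www.youtube.com/watch?v='.$matches[2]);` — keeps the request on the expected host regardless of how loosely the input regex anchors scheme and host; confirm that the thumbnail marker matched on the next line is still present on that page before relying on it. The regex that populates `$matches` should be checked for a fully anchored host either way.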