From 851713c0358aeb7d1428dbd67b6081a0f24213d8 Mon Sep 17 00:00:00 2001
From: xiaoz
Date: Fri, 25 Feb 2022 18:52:16 +0800
Subject: [PATCH] fix bug

---
 data/update.log | 5 ++++-
 index.php | 13 +++++++++++--
 version.txt | 2 +-
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/data/update.log b/data/update.log
index 7cf5307..4083a65 100755
--- a/data/update.log
+++ b/data/update.log
@@ -34,4 +34,7 @@ CREATE INDEX on_options_key_IDX ON on_options ("key");
 1. 修复一处登录漏洞
 20220221
-1. 修复默认主题字体图标不显示
\ No newline at end of file
+1. 修复默认主题字体图标不显示
+
+20220225
+1. 修复一处安全漏洞
\ No newline at end of file
diff --git a/index.php b/index.php
index 531be54..82716bb 100755
--- a/index.php
+++ b/index.php
@@ -2,7 +2,6 @@
 /**
 * name:入口文件
 */
-
 error_reporting(E_ALL^E_NOTICE^E_WARNING^E_DEPRECATED);
 //获取控制器
 $c = @$_GET['c'];
@@ -43,5 +42,15 @@ if((!isset($c)) || ($c == '')){
 }
 else{
- include_once("./controller/".$c.'.php');
+ //对请求参数进行过滤,同时检查文件是否存在
+ $c = str_replace('../','',$c);
+ $c = str_replace('./','',$c);
+ //控制器文件
+ $controller_file = "./controller/".$c.'.php';
+ if( file_exists($controller_file) ) {
+ include_once($controller_file);
+ } else{
+ exit('Controller not exist!');
+ }
+
 }
\ No newline at end of file
diff --git a/version.txt b/version.txt
index 388361e..4f936b1 100755
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-v0.9.14-20220221
\ No newline at end of file
+v0.9.15-20220225
\ No newline at end of file
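Review bot: The two `str_replace` calls on `$c` in the second index.php hunk are a denylist applied in a single pass, so a value built from overlapping copies of the removed sequence can still contain it after filtering, and what is left is then concatenated straight into the `include_once` path; `file_exists` only confirms that the resolved path points at something, not that it lies inside `./controller/`. The reliable check is a positive one on the controller name itself: replace the two `str_replace` lines with `if (!preg_match('/^[A-Za-z0-9_]+$/', $c)) { exit('Controller not exist!'); }` before `$controller_file` is built, or resolve the built path with `realpath()` and require it to start with the real controller directory. This also avoids the silent rewrite of `$c`, so a rejected request fails visibly instead of being included under a different name. The `else` block closes inside the hunk, but `$c` is read from `$_GET` earlier in the file, outside this hunk, so the same guard should be assumed to be the only validation it receives.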