From 17644ac77a630daa83024026c71c60d8e6c30f99 Mon Sep 17 00:00:00 2001
From: xiaoz
Date: Mon, 15 Jan 2024 11:24:22 +0800
Subject: [PATCH 1/5] 0.9.34
---
controller/admin.php | 11 +++++++++++
controller/api.php | 2 +-
controller/index.php | 4 ++++
controller/init.php | 10 ++++++++++
4 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/controller/admin.php b/controller/admin.php
index 1ec6fdb..0afc081 100755
--- a/controller/admin.php
+++ b/controller/admin.php
@@ -23,6 +23,12 @@ check_auth($site_setting['user'],$site_setting['password']);
$version = new_get_version();
$page = empty($_GET['page']) ? 'index' : $_GET['page'];
+// 正则判断page,只能允许字符+数字和下划线组合
+$pattern = "/^[a-zA-Z0-9_\/]+$/";
+if ( !preg_match($pattern,$page) ) {
+ exit('非法请求!');
+}
+
//如果是后台首页,则判断是否是手机访问,并决定是否跳转到手机版页面
if( $page == 'index' ) {
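Review bot: The new allowlist still accepts a `page` value that ends in a newline, because a bare PCRE `$` matches before a final `\n`; anchor the pattern with the `D` modifier, `$pattern = "/^[a-zA-Z0-9_\/]+$/D";` (or end it with `\z`). `$_GET['page']` can also arrive as an array (`page[]=x`), and on PHP 8 `preg_match()` then throws a TypeError before the `exit` is ever reached, so check the type first: `if ( !is_string($page) || !preg_match($pattern,$page) ) {`. The `/` in the class is evidently deliberate so that sub-directory pages such as `setting/theme` stay reachable, while `.` (and therefore `..`) is excluded. The `if( $page == 'index' )` block on the last line continues outside the hunk.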
@@ -323,6 +329,11 @@ function check_auth($user,$password){
}
}
+// 判断$page文件是否存在,不存在,则终止执行
+$full_page_path = 'templates/admin/'.$page;
+if( !file_exists($full_page_path) ) {
+ exit("file does not exist!");
+}
// 载入前台首页模板
require('templates/admin/'.$page);
\ No newline at end of file
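Review bot: `file_exists()` in the new check also returns true for a directory, so a `page` naming one of the sub-directories under `templates/admin/` (patch 3's diffstat shows `templates/admin/setting/`) passes the check and the `require` on the next line then fails with a PHP error instead of the intended `file does not exist!` response; `is_file()` is the predicate wanted here, `if( !is_file($full_page_path) ) {`. This only bites if `$page` reaches this point without an extension being appended somewhere between the two hunks, which is not visible in the patch — confirm. `check_auth()` closes in the first context lines; the added code is top-level script.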
diff --git a/controller/api.php b/controller/api.php
index 058e554..1dbbf18 100755
--- a/controller/api.php
+++ b/controller/api.php
@@ -667,4 +667,4 @@ function global_search() {
function upload_backup(){
global $api;
$api->general_upload('data/backup/',['db3']);
-}
\ No newline at end of file
+}
diff --git a/controller/index.php b/controller/index.php
index d733e93..f78470e 100755
--- a/controller/index.php
+++ b/controller/index.php
@@ -9,6 +9,8 @@ $site = unserialize($site);
// 获取链接数量,默认为30
$link_num = empty( $site['link_num'] ) ? 30 : intval($site['link_num']);
+
+
//如果已经登录,获取所有分类和链接
// 载入辅助函数
require('functions/helper.php');
@@ -77,6 +79,8 @@ if( is_login() ){
}
//如果没有登录,只获取公有链接
else{
+ // 检查分类是否全私有,如果是,则跳转到登录界面
+ check_all_cat();
//查询分类目录
$categorys = [];
//查询一级分类目录,分类fid为0的都是一级分类
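Review bot: The new `check_all_cat()` call is the only thing between an unauthenticated visitor and the category queries that follow, so it must not return once it has decided to redirect; its body is not in this patch, but if it redirects with `header('Location: …')` it needs an `exit;` immediately after, otherwise the rest of this `else` branch keeps running. A comment at the call site would make that contract explicit: `// check_all_cat() does not return when every category is private; the queries below assume a public site`. The `else` block continues past the end of the hunk.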
diff --git a/controller/init.php b/controller/init.php
index b1395ce..893c48b 100644
--- a/controller/init.php
+++ b/controller/init.php
@@ -66,6 +66,16 @@ function init($data){
if( empty($data['username']) || empty($data['password']) ) {
err_msg(-2000,'用户名或密码不能为空!');
}
+ // 正则验证用户名
+ $u_patt = '/^[0-9a-z]{3,32}$/';
+ if( !preg_match($u_patt,$data['username']) ) {
+ err_msg(-2000,'用户名格式不正确!');
+ }
+ // 正则验证密码
+ $p_patt = '/^[0-9a-zA-Z!@#%^*.()]{6,16}$/';
+ if( !preg_match($p_patt,$data['password']) ) {
+ err_msg(-2000,'密码格式不正确!');
+ }
$config_file = "data/config.php";
//检查配置文件是否存在,存在则不允许设置
if( file_exists($config_file) ) {
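Review bot: The new password pattern caps the credential this setup step records at 16 characters drawn from a small fixed character set, which lowers its strength and rejects passphrases outright; if the restriction exists to keep the value safe to write into `data/config.php` (the next lines), only the character restriction serves that goal, so raise the bound, e.g. `$p_patt = '/^[0-9a-zA-Z!@#%^*.()]{6,64}$/D';`. Both new patterns also use a bare `$`, which lets a trailing newline through; the `D` modifier (or `\z`) closes that. `init()` opens before the hunk and continues after it, so how the password is ultimately stored is not visible — if it is written in plain text rather than via `password_hash()`, that is the larger issue to fix alongside this.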
From cfc01ae62a6f0a691ba096bec506a9aca167562f Mon Sep 17 00:00:00 2001
From: xiaoz
Date: Mon, 15 Jan 2024 11:25:03 +0800
Subject: [PATCH 2/5] 0.9.34
---
class/Api.php | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/class/Api.php b/class/Api.php
index 7e793b7..2066e95 100644
--- a/class/Api.php
+++ b/class/Api.php
@@ -1,7 +1,7 @@
* blog:xiaoz.me
*/
@@ -339,6 +339,18 @@ class Api {
//过滤$filename
$filename = str_replace('../','',$filename);
$filename = str_replace('./','',$filename);
+ // 获取文件名称的后缀
+ $suffix = explode('.',$filename);
+ // 如果没有后缀,则不合法,通过数组长度判断后缀
+ if( count($suffix) < 2 ) {
+ $this->err_msg(-2000,'文件不合法!');
+ }
+ // 获取文件后缀
+ $suffix = strtolower(end($suffix));
+ if( ( $suffix != 'html' ) && ( $suffix != 'htm' ) ) {
+ $this->err_msg(-2000,'文件不合法!');
+ }
+
$this->auth($token);
//检查文件是否存在
if ( !file_exists($filename) ) {
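Review bot: The new suffix check constrains only the file's extension, not its directory, and the traversal filter it sits behind is bypassable: `str_replace()` is a single pass, so `.....///` becomes `...//` after the `../` pass and `../` after the `./` pass, which means any `.html`/`.htm` file on the filesystem can still reach the `file_exists()` path below. Resolve the path and require it to stay under the intended base directory instead: `$real = realpath($filename); if ( $real === false || strpos($real, realpath('templates') . '/') !== 0 ) { $this->err_msg(-2000,'文件不合法!'); }` — substitute whichever base directory this endpoint is meant to serve, which is not visible here, and note `realpath()` presumes the file already exists, as the later `file_exists()` check does. The enclosing method starts before the hunk and continues after it.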
From 7c95405e866e441a5945fc7f5c5efb05d586f9b3 Mon Sep 17 00:00:00 2001
From: xiaoz
Date: Mon, 15 Jan 2024 11:26:24 +0800
Subject: [PATCH 3/5] 0.9.34
---
templates/admin/add_link.php | 1 +
templates/admin/index.php | 43 ++++++++++++++++++++++++++-
templates/admin/link_list.php | 13 ++++++++
templates/admin/setting/subscribe.php | 4 +--
templates/admin/setting/theme.php | 29 +++++++++++++-----
templates/admin/static/style.css | 14 +++++++++
6 files changed, 93 insertions(+), 11 deletions(-)
diff --git a/templates/admin/add_link.php b/templates/admin/add_link.php
index e39a910..f8eb7e8 100755
--- a/templates/admin/add_link.php
+++ b/templates/admin/add_link.php
@@ -9,6 +9,7 @@
1. 权重越大,排序越靠前
2. 识别功能可以自动获取链接标题和描述信息,但不确保一定成功
+
3. 仅 5iux/heimdall/tushan2/webstack 支持自定义图标,其余主题均自动获取链接图标。
diff --git a/templates/admin/index.php b/templates/admin/index.php
index bc78793..68f6657 100755
--- a/templates/admin/index.php
+++ b/templates/admin/index.php
@@ -17,7 +17,7 @@
(有可用更新)
-
+
+
+
+
+
+
+
交流群
@@ -108,4 +135,18 @@
check_weak_password();
get_sql_update_list();
get_latest_version();
+ app_info();
+ // 获取app_info
+ function app_info(){
+ //alert("dsdfd");
+ let api_url = "/index.php?c=api&method=app_info";
+ console.log(api_url);
+ $.get(api_url,function(data,status){
+ data = data.data;
+ $("#php_version").html(data.php_version);
+ $("#cat_num").html(data.cat_num);
+ $("#link_num").html(data.link_num);
+ });
+ }
+
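Review bot: The new `app_info()` inserts the three API values with `.html()`, which renders any markup that comes back in the response; these are display-only numbers and a version string, so `.text()` is the safe default, e.g. `$("#php_version").text(data.php_version);` and the same for `#cat_num` and `#link_num`. The `//alert("dsdfd");` and `console.log(api_url);` lines look like debugging leftovers and should be removed. The hard-coded `/index.php?c=api&method=app_info` URL assumes the application is installed at the web root — the sibling calls above (`get_latest_version()` etc.) are outside the hunk, so confirm this matches how they build their URLs.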
diff --git a/templates/admin/link_list.php b/templates/admin/link_list.php
index a409f1e..0a2c800 100755
--- a/templates/admin/link_list.php
+++ b/templates/admin/link_list.php
@@ -4,6 +4,19 @@
+
+
+
+
+
+ - 仅 5iux/heimdall/tushan2/webstack 支持自定义图标,其余主题均自动获取链接图标。
+ - 分类的私有属性优先级高于链接的私有属性
+ - 权重数字越大,排序越靠前
+
+
+
+
+
diff --git a/templates/admin/setting/theme.php b/templates/admin/setting/theme.php
index 3e9d50c..7207a6d 100644
--- a/templates/admin/setting/theme.php
+++ b/templates/admin/setting/theme.php
@@ -24,11 +24,20 @@
?>