Recently the Discuz! forum was upgraded to the 20131122 release. The release hardens security, but it ships with some bugs that cause assorted errors in the forum and stop some plugins from working. My own workaround is as follows:
Open the file source/class/discuz/discuz_application.php; at roughly line 350 there is the function _xss_check(). Swapping it back to the earlier version resolves the problem. Source: Chen Xuehu - https://chenxuehu.com/article/2013/11/1384.html
New version (20131122):
```php
private function _xss_check() {
    // Tokens that, once found in the decoded request, abort it as tainted.
    static $check = array('"', '>', '<', '\'', '(', ')', 'CONTENT-TRANSFER-ENCODING');

    // A supplied formhash that does not match the session's formhash is rejected outright.
    if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
        system_error('request_tainting');
    }

    if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
        $temp = $_SERVER['REQUEST_URI'];
    } elseif(empty ($_GET['formhash'])) {
        // POST without a formhash: the raw request body is scanned as well.
        $temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
    } else {
        $temp = '';
    }

    if(!empty($temp)) {
        // Decode twice and uppercase so encoded and mixed-case variants are caught.
        $temp = strtoupper(urldecode(urldecode($temp)));
        foreach ($check as $str) {
            if(strpos($temp, $str) !== false) {
                system_error('request_tainting');
            }
        }
    }

    return true;
}
```
Replace it with the old version:
```php
private function _xss_check() {
    // Only the request URI is inspected, after double-decoding and uppercasing.
    $temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));
    if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {
        system_error('request_tainting');
    }
    return true;
}
```
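To see why the 20131122 check breaks plugins while the old one does not, here is an added Python model of both functions (not Discuz code, and not from the original post) run over a few constructed requests; the formhash value and the sample URIs and bodies are made up for the demonstration.

```python
from urllib.parse import unquote

# Tokens each version of _xss_check() rejects after double-decoding and uppercasing.
OLD_TOKENS = ('<', '"', 'CONTENT-TRANSFER-ENCODING')
NEW_TOKENS = ('"', '>', '<', "'", '(', ')', 'CONTENT-TRANSFER-ENCODING')

# Constructed stand-in for Discuz's formhash(); not a real session value.
EXPECTED_FORMHASH = "ab12cd34"


def normalize(text):
    """Mirror Discuz: decode twice so %2528 -> %28 -> '(', then uppercase."""
    return unquote(unquote(text)).upper()


def old_xss_check(request_uri, **_ignored):
    """Pre-20131122 check: inspects only REQUEST_URI for three tokens."""
    temp = normalize(request_uri)
    return not any(tok in temp for tok in OLD_TOKENS)


def new_xss_check(request_uri, method="GET", body="", formhash=None):
    """20131122 check: also scans the POST body when no formhash is sent."""
    if formhash is not None and formhash != EXPECTED_FORMHASH:
        return False                       # request_tainting
    if method == "GET":
        temp = request_uri
    elif not formhash:                     # PHP empty(): None or ""
        temp = request_uri + body
    else:
        temp = ""                          # formhash present: body not scanned
    if temp:
        temp = normalize(temp)
        return not any(tok in temp for tok in NEW_TOKENS)
    return True


# Constructed sample requests; each label names what the request exercises.
SAMPLES = {
    "plain_get": dict(request_uri="/forum.php?mod=viewthread&tid=1"),
    "script_tag": dict(request_uri="/forum.php?tid=1&q=%3Cscript%3E"),
    "double_encoded_parens": dict(request_uri="/plugin.php?id=demo&q=%2528x%2529"),
    "plugin_post_no_formhash": dict(request_uri="/plugin.php?id=demo", method="POST",
                                    body="comment=it%27s+fine"),
    "post_with_formhash": dict(request_uri="/forum.php?mod=post&formhash=ab12cd34",
                               method="POST", body="message=%22hello%22",
                               formhash="ab12cd34"),
}


def compare(samples=SAMPLES):
    """Return {label: (old_passes, new_passes)} for each sample request."""
    return {name: (old_xss_check(**req), new_xss_check(**req))
            for name, req in samples.items()}
```

The two middle samples are the ones that matter: an apostrophe or parenthesis anywhere in a plugin's POST body or query string passes the old check but is rejected as request_tainting by the new one, which is the kind of breakage the post describes.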
This resolves many of the problems; with this replacement in place I have not run into any other issues so far. For a proper fix, wait for the official update; a patch should be out soon.