lkddi/nexusphp
1
0
Fork 0
mirror of https://github.com/lkddi/nexusphp.git synced 2026-04-24 12:07:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '1.9' into php8

Browse Source
This commit is contained in:
xiaomlove
2025-10-31 19:36:13 +07:00
parent c6d99f369f e37f40f20f
commit 2787ec40f4
4 changed files with 23 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Models/Attachment.php
+1 -1
View File
@@ -4,5 +4,5 @@ namespace App\Models;
class Attachment extends NexusModel class Attachment extends NexusModel
{ {
const IMG_EXTENSIONS = ['jpeg', 'jpg', 'png', 'gif', 'webp', 'bmp', 'tif', 'tiff', 'heic'];
} }
include/constants.php
+2 -2
View File
@@ -1,6 +1,6 @@
<?php <?php
defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.9.10'); defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.9.11');
defined('RELEASE_DATE') || define('RELEASE_DATE', '2025-10-30'); defined('RELEASE_DATE') || define('RELEASE_DATE', '2025-10-31');
defined('IN_TRACKER') || define('IN_TRACKER', false); defined('IN_TRACKER') || define('IN_TRACKER', false);
defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP"); defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP");
defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org"); defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org");
include/globalfunctions.php
+19 -21
View File
@@ -1378,35 +1378,33 @@ function filter_src($src)
if (empty($path)) { if (empty($path)) {
return $src; return $src;
} }
$host = parse_url($src, PHP_URL_HOST);
if (!empty($host) && $host != $_SERVER['HTTP_HOST']) {
return $src;
}
$guessScriptFilename = sprintf("%s/%s", $_SERVER['DOCUMENT_ROOT'], trim($path, '/')); $guessScriptFilename = sprintf("%s/%s", $_SERVER['DOCUMENT_ROOT'], trim($path, '/'));
if (!file_exists($guessScriptFilename)) { if (!file_exists($guessScriptFilename)) {
return $src; return $src;
} }
//only allow these
$imgExtensions = implode("|", \App\Models\Attachment::IMG_EXTENSIONS);
$allowSuffixPattern = "/\.($imgExtensions)/i";
if (preg_match($allowSuffixPattern, $path)) {
return $src;
}
$allowScriptPattern = "/(forums|details|offers)\.php/i";
if (preg_match($allowScriptPattern, $path)) {
return $src;
}
//log danger, deny directly //log danger, deny directly
if (is_danger_url($src)) { $dangerScriptsPattern = "/(logout|login|ajax|announce|scrape|adduser|modtask|docleanup|freeleech|take.*)\.php/i";
$msg = "[DANGER_URL]: $src"; if (preg_match($dangerScriptsPattern, $path)) {
$msg = sprintf( "[DANGER_URL]: $src [%s]", nexus()->getRequestId());
do_log($msg, "alert"); do_log($msg, "alert");
write_log($msg, "mod"); write_log($msg, "mod");
return "";
} }
//only allow these do_log("[NOT_ALLOW_SRC]: $src with path: $path");
$allowScriptPattern = "/(forums|details|offers)\.php/i"; return "";
$match = preg_match($allowScriptPattern, $src);
if ($match <= 0) {
do_log("[NOT_ALLOW_SRC]: $src");
return "";
}
return $src;
}
function is_danger_url($url): bool
{
$dangerScriptsPattern = "/(logout|login|ajax|announce|scrape|adduser|modtask|docleanup|freeleech|take.*)\.php/i";
$match = preg_match($dangerScriptsPattern, $url);
if ($match > 0) {
return true;
}
return false;
} }
//here must retrieve the real time info, no cache!!! //here must retrieve the real time info, no cache!!!
public/attachment.php
+1 -1
View File
@@ -35,7 +35,7 @@ if ($Attach->enable_attachment())
$ext_l = strrpos($origfilename, "."); $ext_l = strrpos($origfilename, ".");
$ext = strtolower(substr($origfilename, $ext_l+1, strlen($origfilename)-($ext_l+1))); $ext = strtolower(substr($origfilename, $ext_l+1, strlen($origfilename)-($ext_l+1)));
$banned_ext = array('exe', 'com', 'bat', 'msi'); $banned_ext = array('exe', 'com', 'bat', 'msi');
$img_ext = array('jpeg', 'jpg', 'png', 'gif', 'webp', 'bmp', 'tif', 'tiff', 'heic'); $img_ext = \App\Models\Attachment::IMG_EXTENSIONS;
if (!$file || $filesize == 0 || $file["name"] == "") // nothing received if (!$file || $filesize == 0 || $file["name"] == "") // nothing received
{ {