lkddi/nexusphp
1
0
Fork 0
mirror of https://github.com/lkddi/nexusphp.git synced 2026-04-05 07:20:58 +08:00
Code Issues Packages Projects Releases Wiki Activity

format_comment() add filter_src()

Browse Source
This commit is contained in:
xiaomlove
2025-10-17 22:00:39 +07:00
parent 08dbf79ec9
commit 39f85fd001
3 changed files with 55 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
include/globalfunctions.php
View File

@@ -1368,9 +1368,36 @@ function has_role_work_seeding($uid)
return $result;
}
function filter_src($src)
{
$path = parse_url($src, PHP_URL_PATH);
if (empty($path)) {
return $src;
}
$guessScriptFilename = sprintf("%s/%s", $_SERVER['DOCUMENT_ROOT'], trim($path, '/'));
if (!file_exists($guessScriptFilename)) {
return $src;
}
//log danger, deny directly
if (is_danger_url($src)) {
$msg = "[DANGER_URL]: $src";
do_log($msg, "alert");
write_log($msg, "mod");
return "";
}
//only allow these
$allowScriptPattern = "/(forums|details|offers)\.php/i";
$match = preg_match($allowScriptPattern, $src);
if ($match <= 0) {
do_log("[NOT_ALLOW_SRC]: $src");
return "";
}
return $src;
}
function is_danger_url($url): bool
{
$dangerScriptsPattern = "/(logout|login|ajax|announce|scrape|adduser|modtask|take.*)\.php/i";
$dangerScriptsPattern = "/(logout|login|ajax|announce|scrape|adduser|modtask|docleanup|freeleech|take.*)\.php/i";
$match = preg_match($dangerScriptsPattern, $url);
if ($match > 0) {
return true;