Problem description
Using LeanCloud to count page views, I found that the API can be accessed to maliciously tamper with the view count.
Example
```python
import requests

# Proof of concept from the report: an unauthenticated PUT to the Counter
# object, using the App ID and App Key that the blog ships to every visitor
# in its client-side JavaScript, overwrites the stored view count.
# "xxx" stands for the object ID, App ID and App Key of the target blog.
print(requests.put(
    'https://n7i9euyn.api.lncldglobal.com/1.1/classes/Counter/xxx',
    json={"time": 200},            # the new view count to write
    headers={
        'x-lc-id': 'xxx',          # LeanCloud App ID
        'x-lc-key': 'xxx'          # LeanCloud App Key
    }
).json())
```
The URL parameters are visible in the request response:
The ID and Key are in the request headers:
I have successfully tested the code above on my blog and on your blog and tampered with the view count.
The security domain setting only takes effect for the JavaScript SDK.
The plan is to solve this later with something similar to hexo-leancloud-counter-security.
You can also refer to the first half of https://leaferx.online/2018/02/11/lc-security/ to set up beforeUpdate parameter validation; I have already added it to my blog.
One more thing: you need to change the LeanCloud database permissions, keeping only find and update.
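The beforeUpdate validation suggested in the comment above, as an added example rather than code from the issue or from the theme: a LeanEngine hook that only lets the `Counter` object's `time` field change, and only by one per request, so an arbitrary value such as `200` is rejected server-side regardless of the leaked App Key. It assumes the class is named `Counter`, the field is `time` (as in the report's request), and that the hook receives the post-update value of `time`; the pure check is kept separate from the hook registration so it can be tested without the `leanengine` module.

```javascript
// Added example: server-side validation for Counter updates on LeanEngine.
// Assumptions: class "Counter", counter field "time", hook sees the new value.

// Pure check: returns null when the update is acceptable, otherwise a reason.
function validateCounterUpdate(updatedKeys, oldTime, newTime) {
  // Only the counter itself may change; url/title etc. stay as stored.
  const extra = updatedKeys.filter((k) => k !== 'time');
  if (extra.length > 0) {
    return `fields not allowed to change: ${extra.join(', ')}`;
  }
  if (!updatedKeys.includes('time')) {
    return null; // nothing relevant touched
  }
  // A real page view increments by exactly one; anything else is tampering.
  if (!Number.isInteger(newTime) || newTime !== oldTime + 1) {
    return `time must go from ${oldTime} to ${oldTime + 1}, got ${newTime}`;
  }
  return null;
}

// Registers the hook on an `AV` module passed in by the caller, e.g.
// registerCounterHook(require('leanengine')) from the cloud function file.
function registerCounterHook(AV) {
  AV.Cloud.beforeUpdate('Counter', async (request) => {
    const obj = request.object;
    // The hook cannot see the previous value, so re-read the stored row.
    const stored = await new AV.Query('Counter').get(obj.id);
    const reason = validateCounterUpdate(
      obj.updatedKeys || [],
      stored.get('time') || 0,
      obj.get('time'),
    );
    if (reason !== null) {
      // Throwing from a before-hook makes LeanCloud reject the request.
      throw new AV.Cloud.Error(`Counter update rejected: ${reason}`);
    }
  });
}
```

Combined with the ACL change from the comment (only `find` and `update` left on the class), this closes the create/delete paths and turns `update` into a strict increment.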