删了$_POST不规范用法#675,修复XSS漏洞
simplewindorg committed Oct 14, 2020
1 parent d632bbf commit 27e1fbe
Showing 1 changed file with 25 additions and 25 deletions.
50 changes: 25 additions & 25 deletions vendor/thinkcmf/cmf-app/src/admin/controller/UserController.php
Expand Up @@ -127,24 +127,24 @@ public function add()
public function addPost()
{
if ($this->request->isPost()) {
if (!empty($_POST['role_id']) && is_array($_POST['role_id'])) {
$role_ids = $_POST['role_id'];
unset($_POST['role_id']);
$result = $this->validate($this->request->param(), 'User');
$roleIds = $this->request->param('role_id/a');
if (!empty($roleIds) && is_array($roleIds)) {
$data = $this->request->param();
$result = $this->validate($data, 'User');
if ($result !== true) {
$this->error($result);
} else {
$_POST['user_pass'] = cmf_password($_POST['user_pass']);
$result = DB::name('user')->insertGetId($_POST);
if ($result !== false) {
$data['user_pass'] = cmf_password($data['user_pass']);
$userId = DB::name('user')->strict(false)->insertGetId($data);
if ($userId !== false) {
//$role_user_model=M("RoleUser");
foreach ($role_ids as $role_id) {
if (cmf_get_current_admin_id() != 1 && $role_id == 1) {
foreach ($roleIds as $roleId) {
if (cmf_get_current_admin_id() != 1 && $roleId == 1) {
$this->error("为了网站的安全,非网站创建者不可创建超级管理员!");
}
Db::name('RoleUser')->insert(["role_id" => $role_id, "user_id" => $result]);
Db::name('RoleUser')->insert(["role_id" => $roleId, "user_id" => $userId]);
}
$this->success("添加成功!", url("user/index"));
$this->success("添加成功!", url("User/index"));
} else {
$this->error("添加失败!");
}
Expand Down Expand Up @@ -204,29 +204,29 @@ public function edit()
public function editPost()
{
if ($this->request->isPost()) {
if (!empty($_POST['role_id']) && is_array($_POST['role_id'])) {
if (empty($_POST['user_pass'])) {
unset($_POST['user_pass']);
$roleIds = $this->request->param('role_id/a');
if (!empty($roleIds) && is_array($roleIds)) {
$data = $this->request->param();
if (empty($data['user_pass'])) {
unset($data['user_pass']);
} else {
$_POST['user_pass'] = cmf_password($_POST['user_pass']);
$data['user_pass'] = cmf_password($data['user_pass']);
}
$role_ids = $this->request->param('role_id/a');
unset($_POST['role_id']);
$result = $this->validate($this->request->param(), 'User.edit');
$result = $this->validate($data, 'User.edit');

if ($result !== true) {
// 验证失败 输出错误信息
$this->error($result);
} else {
$result = DB::name('user')->update($_POST);
$userId = $this->request->param('id', 0, 'intval');
$result = DB::name('user')->strict(false)->where('id', $userId)->update($data);
if ($result !== false) {
$uid = $this->request->param('id', 0, 'intval');
DB::name("RoleUser")->where("user_id", $uid)->delete();
foreach ($role_ids as $role_id) {
if (cmf_get_current_admin_id() != 1 && $role_id == 1) {
DB::name("RoleUser")->where("user_id", $userId)->delete();
foreach ($roleIds as $roleId) {
if (cmf_get_current_admin_id() != 1 && $roleId == 1) {
$this->error("为了网站的安全,非网站创建者不可创建超级管理员!");
}
DB::name("RoleUser")->insert(["role_id" => $role_id, "user_id" => $uid]);
DB::name("RoleUser")->insert(["role_id" => $roleId, "user_id" => $userId]);
}
$this->success("保存成功!");
} else {
Expand Down Expand Up @@ -373,4 +373,4 @@ public function cancelBan()
$this->error('数据传入失败!');
}
}
}
}
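Review bot: In editPost the super-admin guard `if (cmf_get_current_admin_id() != 1 && $roleId == 1)` sits inside the role loop, after `DB::name("RoleUser")->where("user_id", $userId)->delete()` has already run, so a rejected submission leaves the edited user with no roles (or only the roles iterated before the offending one); addPost has the same shape, where the user row is already persisted by `insertGetId($data)` before the guard fires. Check the whole array once before any write, e.g. `if (cmf_get_current_admin_id() != 1 && in_array(1, array_map('intval', $roleIds), true)) { $this->error("为了网站的安全,非网站创建者不可创建超级管理员!"); }` placed ahead of the insert/update, and drop the per-iteration check (the `intval` cast also replaces the loose `== 1`). Separately, `$this->request->param()` with no key merges route, GET and POST parameters, so `$data` is wider than the form body the old `$_POST` code used, and `strict(false)` only discards non-column keys — any real column named in the request is still written; restricting `$data` to the editable columns (ThinkPHP's `Request::only()` with the `post` source, if available in this version) would bound that. Both addPost and editPost continue past the end of their hunks.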
