
Improve controller retrieval

liu21st committed Dec 9, 2018
1 parent 7be580f commit b797d72352e6b4eb0e11b6bc2a2ef25907b7756f
Showing with 5 additions and 0 deletions.
  1. +5 −0 library/think/App.php
@@ -551,6 +551,11 @@ public static function module($result, $config, $convert = null)
// 获取控制器名
$controller = strip_tags($result[1] ?: $config['default_controller']);
if (!preg_match('/^[A-Za-z](\w)*$/', $controller)) {
throw new HttpException(404, 'controller not exists:' . $controller);
}
$controller = $convert ? strtolower($controller) : $controller;
// 获取操作名
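Review bot: the pattern `/^[A-Za-z](\w)*$/` on the new `preg_match` line does not admit a dot, so any dotted multi-level controller name (for example `admin.user`) now hits the 404 thrown on the following line instead of being dispatched; if multi-level controllers are meant to keep working, allow the separator explicitly, e.g. `/^[A-Za-z][\w\.]*$/`, or split on `.` and validate each segment with the current pattern. The `(\w)` capture group is also unnecessary, `\w*` is enough. Finally, because the pattern already restricts the name to `[A-Za-z0-9_]`, the `strip_tags` call on the line above no longer changes the verdict except by silently turning a value such as `Index<b>` into `Index` before the check; consider validating the raw value rather than the stripped one so that malformed input is rejected instead of normalized.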

10 comments on commit b797d72

cxword replied Dec 11, 2018

ok

CaryGuo replied Dec 11, 2018

This is the awkward side of open-source software: you find the vulnerability yourself, and then attackers exploit it once the fix is published.

tangchao1992 replied Dec 11, 2018

On 5.0.7, after adding this code as shown, I get a 404.

zhouxiaoqiao2 replied Dec 11, 2018

On 5.0.7, after adding this code as shown, I get a 404.

zhouxiaoqiao2 replied Dec 11, 2018

On 5.0., after adding this code as shown, I get a 404.

mackyliu replied Dec 11, 2018

Same here, 404.

F4NNIU replied Dec 11, 2018

This is the awkward side of open-source software: you find the vulnerability yourself, and then attackers exploit it once the fix is published.

You really have to keep a close eye on security updates.

Vulnerabilities in closed-source software are even harder to imagine.

usheweb replied Dec 11, 2018

For multi-level controllers this regular expression is wrong; change the regex to:
if (!preg_match('/^[A-Za-z][\w\.]*$/', $controller)) { throw new HttpException(404, 'controller not exists:' . $controller); }

liu21st (Member) replied Dec 11, 2018

The latest commit has fixed the multi-level controller issue.

goosman-lei replied Dec 12, 2018

preg_match('/^[A-Za-z](\w)*$/', $controller)

This regular expression does indeed have problems.

  1. The (\w) capture group is meaningless.

  2. A possessive quantifier should be used here to improve efficiency and avoid backtracking.

The following form would be better.

preg_match('/^[A-Za-z]\w*+$/', $controller)
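To see concretely what each of the three patterns in this thread accepts and rejects (the commit's own pattern, usheweb's dotted variant for multi-level controllers, and goosman-lei's possessive form), here is an added PHP example. It is not code from ThinkPHP or from anyone in this thread: `validate_controller()` is a hypothetical helper that mirrors the hunk's order of `strip_tags` followed by `preg_match`, ThinkPHP's `HttpException` is replaced by a plain `RuntimeException` so the script runs stand-alone, and the controller names are constructed test inputs.

```php
<?php
// Added example, not part of commit b797d72 or of the thread above.
// Compares the three controller-name patterns discussed on this page against
// constructed inputs. validate_controller() is a hypothetical helper.
declare(strict_types=1);

// The three patterns exactly as they appear on the page.
const PATTERN_COMMIT     = '/^[A-Za-z](\w)*$/';   // commit b797d72
const PATTERN_MULTILEVEL = '/^[A-Za-z][\w\.]*$/'; // usheweb's multi-level variant
const PATTERN_POSSESSIVE = '/^[A-Za-z]\w*+$/';    // goosman-lei's possessive variant

/**
 * Mirror the hunk: strip_tags() first, then preg_match(); on a mismatch throw
 * with code 404 (stand-in for ThinkPHP's HttpException). Returns the name that
 * was actually validated, which may differ from the raw input after strip_tags().
 */
function validate_controller(string $controller, string $pattern): string
{
    $controller = strip_tags($controller);
    if (!preg_match($pattern, $controller)) {
        throw new RuntimeException('controller not exists:' . $controller, 404);
    }
    return $controller;
}

// Constructed inputs. The last four carry characters that \w never matches in a
// non-UTF PCRE pattern (\w is [A-Za-z0-9_] there): a dot, a backslash, a slash
// and a leading digit. 'Index<b>' shows the strip_tags() ordering: the tag is
// removed before the check, so the value is accepted as 'Index'.
$inputs = [
    'Index',
    'user_profile',
    'Index<b>',
    'admin.user',
    '\\think\\Request',
    '../etc',
    '1abc',
];

$patterns = [
    'commit'     => PATTERN_COMMIT,
    'multilevel' => PATTERN_MULTILEVEL,
    'possessive' => PATTERN_POSSESSIVE,
];

foreach ($patterns as $label => $pattern) {
    printf("%-10s", $label);
    foreach ($inputs as $name) {
        try {
            $accepted = validate_controller($name, $pattern);
            $verdict  = 'accept as ' . var_export($accepted, true);
        } catch (RuntimeException $e) {
            $verdict = 'reject (' . $e->getCode() . ')';
        }
        printf("  %-18s -> %s\n%10s", var_export($name, true), $verdict, '');
    }
    echo PHP_EOL;
}
```

Running this shows that only `multilevel` accepts `admin.user`; `commit` and `possessive` give identical verdicts on every input, differing only in how the engine gives up on a mismatch; and all three accept `Index<b>` as `Index`, because `strip_tags()` runs before the pattern is applied.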