改进控制器获取
liu21st committed Dec 9, 2018
1 parent 7be580f commit b797d72
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions library/think/App.php
@@ -551,6 +551,11 @@ public static function module($result, $config, $convert = null)

// 获取控制器名
$controller = strip_tags($result[1] ?: $config['default_controller']);

if (!preg_match('/^[A-Za-z](\w)*$/', $controller)) {
throw new HttpException(404, 'controller not exists:' . $controller);
}

$controller = $convert ? strtolower($controller) : $controller;

// 获取操作名
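Review bot: `$` in a PCRE pattern without the `D` modifier also matches just before a final newline, so `preg_match('/^[A-Za-z](\w)*$/', $controller)` accepts a controller name such as `"Index\n"`; anchor with `\z` (or add `D`) so the whole string must match. The `(\w)` capture group serves no purpose and `[A-Za-z]\w*` is the equivalent, cheaper form. Note also that the allow-list contains no `.`, so routes that resolve to dot-separated multi-level controller names will now hit the new 404 instead of the controller, and that `$controller` is concatenated unescaped into the HttpException message; keep that message out of HTML error pages or escape it when it is rendered.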

13 comments on commit b797d72

@cxword
@cxword cxword commented on b797d72 Dec 11, 2018

ok

@CaryGuo
This is the awkward thing about open-source software: you find the vulnerability yourself, but after the release attackers exploit it.

@tangchao1992
On 5.0.7, after adding this code as shown, I get a 404.

@zhouxiaoqiao2
On 5.0.7, after adding this code as shown, I get a 404.

@zhouxiaoqiao2
On 5.0., after adding this code as shown, I get a 404.

@mackyliu
Same here, 404.

@F4NNIU
Member

@F4NNIU F4NNIU commented on b797d72 Dec 11, 2018

This is the awkward thing about open-source software: you find the vulnerability yourself, but after the release attackers exploit it.

Be sure to keep a close eye on security updates.

Vulnerabilities in closed-source software are even harder to imagine.

@usheweb
For multi-level controllers this regex is wrong; change the regex to:

if (!preg_match('/^[A-Za-z][\w\.]*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}

@liu21st
Member Author

The latest code commit fixes the multi-level controller issue.

@goosman-lei
preg_match('/^[A-Za-z](\w)*$/', $controller)

This regex does indeed have problems.

  1. The (\w) capture group is meaningless.

  2. Possessive matching should be used here to improve efficiency and avoid backtracking.

The following form would be better.

preg_match('/^[A-Za-z]\w*+$/', $controller)
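The two regex concerns raised in this thread, the needless capture group and backtracking in goosman-lei's comment and the dot-separated multi-level names in usheweb's comment, shown side by side as an added example. This is not ThinkPHP's code: `isValidControllerName`, the `STRICT_RE` and `MULTI_LEVEL_RE` patterns and the sample inputs are constructed for illustration, and only `ORIGINAL_RE` is the pattern from the commit.

```php
<?php
// Added example (not ThinkPHP's own code): compare the controller-name
// check from commit b797d72 with tightened variants on constructed inputs.

// Regex exactly as committed in library/think/App.php.
const ORIGINAL_RE = '/^[A-Za-z](\w)*$/';

// Tightened variant (constructed): no capture group, possessive quantifier
// so the engine never backtracks into the \w run, and \z instead of $ so a
// trailing "\n" is rejected.
const STRICT_RE = '/^[A-Za-z]\w*+\z/';

// Same idea extended to dot-separated multi-level names ("user.profile"),
// each segment starting with a letter. Constructed for this example; the
// project's own multi-level handling lives in a later commit.
const MULTI_LEVEL_RE = '/^[A-Za-z]\w*+(?:\.[A-Za-z]\w*+)*+\z/';

/**
 * True when $controller matches $pattern. preg_match() returns 0 on no
 * match and false on error; both are treated as a rejection.
 */
function isValidControllerName(string $controller, string $pattern = STRICT_RE): bool
{
    return preg_match($pattern, $controller) === 1;
}

// Constructed sample inputs: legitimate names plus shapes an allow-list
// should reject (namespace separators, path traversal, trailing newline).
$samples = [
    'Index',
    'UserProfile',
    'user.profile',
    'Index' . "\n",
    '\\think\\App',
    '../Index',
    '9abc',
    '',
];

printf("%-16s %-9s %-7s %s\n", 'input', 'original', 'strict', 'multi');
foreach ($samples as $name) {
    printf(
        "%-16s %-9s %-7s %s\n",
        json_encode($name),
        isValidControllerName($name, ORIGINAL_RE) ? 'accept' : 'reject',
        isValidControllerName($name) ? 'accept' : 'reject',
        isValidControllerName($name, MULTI_LEVEL_RE) ? 'accept' : 'reject'
    );
}
```

Run it with `php example.php`. Besides the multi-level row, the table shows the effect of the anchor: with `$`, the committed pattern accepts `"Index\n"` because PCRE lets `$` match before a final newline, while the `\z`-anchored patterns reject it. The possessive `*+` changes no results; it only stops the engine from backtracking through the `\w` run when a match fails.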

@zsp00
@zsp00 zsp00 commented on b797d72 Mar 13, 2019

We got a complaint because of this vulnerability.

@F4NNIU
Member

@F4NNIU F4NNIU commented on b797d72 Mar 13, 2019

We got a complaint because of this vulnerability.

Did you not update after ThinkPHP fixed it?
Pay more attention to the open-source community.

@ocre
@ocre ocre commented on b797d72 May 24, 2019

In the past couple of days a crypto-mining script was planted on our company's web server; tracing it back, we found it was very likely this vulnerability that was exploited.
