[^] 升级 UEditor 到1.4.3.3（20160526版本）

[#] 修复 XSS [^] 内网采集可配置，默认不采集内网（防止 SSRF）
xbzbing · Jun 6, 2016 · 3e99f13 · 3e99f13
1 parent 13f44d5
commit 3e99f13
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/UEditorController.php b/UEditorController.php
@@ -258,6 +258,8 @@ public function actionCatchImage()
         }
         foreach ($source as $imgUrl) {
             $item = new Uploader($imgUrl, $config, 'remote');
+            if ($this->allowIntranet)
+                $item->setAllowIntranet(true);
             $info = $item->getFileInfo();
             $info['thumbnail'] = $this->imageHandle($info['url']);
             $list[] = [

diff --git a/Uploader.php b/Uploader.php
@@ -20,6 +20,11 @@
  */
 class Uploader
 {
+    /**
+     * 是否允许采集内网 IP 图片
+     * 默认不允许
+     * @var bool
+     */
     private $allowIntranet = false;
     private $fileField; //文件域名
     private $file; //文件上传对象