Merge pull request #45 from helloxz/dev

漏洞修复
helloxz · Feb 25, 2022 · 1800cfe · 1800cfe
2 parents ae3ca1b + 851713c
commit 1800cfe
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 4 deletions.
diff --git a/data/update.log b/data/update.log
@@ -34,4 +34,7 @@ CREATE INDEX on_options_key_IDX ON on_options ("key");
 1. 修复一处登录漏洞
 
 20220221
-1. 修复默认主题字体图标不显示
+1. 修复默认主题字体图标不显示
+
+20220225
+1. 修复一处安全漏洞
diff --git a/index.php b/index.php
@@ -2,7 +2,6 @@
 /**
  * name:入口文件
  */
-
 error_reporting(E_ALL^E_NOTICE^E_WARNING^E_DEPRECATED);
 //获取控制器
 $c = @$_GET['c'];
@@ -43,5 +42,15 @@
 }
 
 else{
-	include_once("./controller/".$c.'.php');
+	//对请求参数进行过滤，同时检查文件是否存在
+	$c = str_replace('../','',$c);
+	$c = str_replace('./','',$c);
+	//控制器文件
+	$controller_file = "./controller/".$c.'.php';
+	if( file_exists($controller_file) ) {
+		include_once($controller_file);
+	} else{
+		exit('Controller not exist!');
+	}
+
 }
diff --git a/version.txt b/version.txt
@@ -1 +1 @@
-v0.9.14-20220221
+v0.9.15-20220225