
1,关闭应用中心上传本地插件功能。
2,所有配置功能都加入token验证。
3,其他细节。

magicblack пре 5 година
родитељ
комит
71ee8a053f

+ 1 - 1
application/admin/controller/Addon.php

@@ -245,7 +245,7 @@ class Addon extends Base
         if(!$validate->check($param)){
             return $this->error($validate->getError());
         }
-
+        echo 'closed';exit;
         $file = $this->request->file('file');
         $addonTmpDir = RUNTIME_PATH . 'addons' . DS;
         if (!is_dir($addonTmpDir)) {
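Review bot: The `echo 'closed';exit;` added after the validation block disables the upload by short-circuiting the framework, which presumably sends a bare `closed` body with a 200 status instead of the controller's usual error envelope, and it turns everything below it (`$file = $this->request->file('file')` onward) into dead code that still ships. Prefer `return $this->error('closed');` so the client gets the same response shape as the validation failure two lines above, and remove the unreachable body rather than leaving it behind the kill-switch. Because the action remains routable even though its menu entry is removed in addon/index.html, the early return should also come before `$validate->check($param)` so a disabled feature does not validate input it will never use. The enclosing method starts and ends outside the hunk.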

+ 68 - 0
application/admin/controller/System.php

@@ -148,6 +148,13 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['view'] = $config['view'];
             $config_new['path'] = $config['path'];
             $config_new['rewrite'] = $config['rewrite'];
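Review bot: The five-line token check inserted here is copied verbatim into nine more hunks of this file (the `upload`, `gbook`/`comment`, `weixin`, `pay`, `connect`, `email`, `sms`, `api` and `collect` config actions), and the last copy drops the surrounding blank lines the others have. A private helper on this controller keeps the rule and the `__token__` key in one place, so adding the check to a future config action, or changing what happens on failure, is a one-line edit; each call site becomes `if (($err = $this->checkConfigToken($config)) !== null) { return $err; }`. Whether `$this->error()` actually returns or throws is not visible on the page, so the helper below keeps the same `return $this->error(...)` shape the hunks use. The enclosing methods start outside each hunk.
```php
    /**
     * Validate the posted form token on a config array and strip it.
     * Returns null when the token is valid, otherwise the error response
     * produced by $this->error() with the validator's message.
     */
    private function checkConfigToken(array &$config)
    {
        $validate = \think\Loader::validate('Token');
        if (!$validate->check($config)) {
            return $this->error($validate->getError());
        }
        unset($config['__token__']);
        return null;
    }
    // … unchanged: each config action, with the inline check replaced by the helper call …
```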
@@ -255,6 +262,13 @@ class System extends Base
     {
         if (Request()->isPost()){
             $config = input();
+
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['upload'] = $config['upload'];
 
             $config_old = config('maccms');
@@ -281,6 +295,12 @@ class System extends Base
         if (Request()->isPost()) {
             $config = input();
 
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['gbook'] = $config['gbook'];
             $config_new['comment'] = $config['comment'];
 
@@ -303,6 +323,13 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['weixin'] = $config['weixin'];
 
             $config_old = config('maccms');
@@ -324,6 +351,13 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['pay'] = $config['pay'];
 
             $config_old = config('maccms');
@@ -350,6 +384,13 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['connect'] = $config['connect'];
 
             $config_old = config('maccms');
@@ -371,6 +412,13 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['email'] = $config['email'];
 
             $config_old = config('maccms');
@@ -395,6 +443,13 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['sms'] = $config['sms'];
 
             $config_old = config('maccms');
@@ -419,6 +474,13 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['api'] = $config['api'];
 
             $config_new['api']['vod']['auth'] = mac_replace_text($config_new['api']['vod']['auth'], 2);
@@ -482,6 +544,12 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['collect'] = $config['collect'];
             if (empty($config_new['collect']['vod']['inrule'])) {
                 $config_new['collect']['vod']['inrule'] = ['a'];

+ 0 - 1
application/admin/view/addon/index.html

@@ -4,7 +4,6 @@
     <div class="layui-tab layui-tab-brief" lay-filter="tabs">
         <ul class="layui-tab-title">
             <li class="layui-this btn-local" data-href="{:url('downloaded')}">{:lang('local_app')}</li>
-            <li class=""><a href="{:url('add')}">{:lang('local_setup')}</a></li>
         </ul>
         <div class="layui-tab-content">
             <div class="layui-tab-item layui-show">

+ 3 - 6
application/admin/view/index/index.html

@@ -50,17 +50,14 @@
 				 <li class="layui-nav-item layui-hide-xs">
 					<a href="javascript:void(0);">{:lang('opt')}&nbsp;&nbsp;</a>
 					<dl class="layui-nav-child">
-						<dd><a href="__ROOT__/" target="_blank">{:lang('admin/index/index/menu_index')}</a></dd>
+                        <dd><a href="{:url('index/clear')}" class="j-ajax" refresh="yes">{:lang('admin/index/index/menu_cache_clear')}</a></dd>
 						<dd><a href="javascript:void(0);" id="lockScreen">{:lang('admin/index/index/menu_lock')}</a></dd>
 						<dd><a href="{:url('index/logout')}">{:lang('admin/index/index/menu_logout')}</a></dd>
 					</dl>
 				</li>
 				<li class="layui-nav-item layui-hide-xs">
-                <a href="javascript:void(0);" >{:lang('admin/index/index/menu_cache')}&nbsp;&nbsp;</a>
-                <dl class="layui-nav-child">
-                    <dd><a href="{:url('index/clear')}" class="j-ajax" refresh="yes">{:lang('admin/index/index/menu_cache_clear')}</a></dd>
-                </dl>
-            </li>
+                    <a href="__ROOT__/" target="_blank">{:lang('admin/index/index/menu_index')}</a>
+                </li>
 			</ul>
 		</div>
 	</div>
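Review bot: The added `<dd>` line and the moved `<a href="__ROOT__/" …>`/`</li>` pair are indented with spaces while every surrounding line of this menu uses tabs, so the new markup no longer lines up with its siblings in an editor. Re-indent the three added lines with tabs to match the enclosing `<ul>`, e.g. `						<dd><a href="{:url('index/clear')}" class="j-ajax" refresh="yes">{:lang('admin/index/index/menu_cache_clear')}</a></dd>`. The restructuring itself (folding the cache menu into the options menu and promoting the site link) is otherwise fine.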

+ 1 - 0
application/admin/view/system/configapi.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
         <form class="layui-form layui-form-pane" action="">
+            <input type="hidden" name="__token__" value="{$Request.token}" />
             <div class="layui-tab" lay-filter="tb1">
                 <ul class="layui-tab-title">
                     <li class="layui-this" lay-id="configapi_1">{:lang('admin/system/configapi/vod')}</li>

+ 1 - 0
application/admin/view/system/configcollect.html

@@ -5,6 +5,7 @@
 </style>
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab" lay-filter="tb1">
             <ul class="layui-tab-title">
                 <li class="layui-this" lay-id="configcollect_1">{:lang('admin/system/configcollect/vod')}</li>

+ 1 - 0
application/admin/view/system/configcomment.html

@@ -5,6 +5,7 @@
     <div class="showpic" style="display:none;"><img class="showpic_img" width="120" height="160"></div>
 
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">{:lang('admin/system/configcomment/title')}</li>

+ 1 - 0
application/admin/view/system/configconnect.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">{:lang('admin/system/configconnect/title')}</li>

+ 1 - 0
application/admin/view/system/configemail.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab" lay-filter="tb1">
             <ul class="layui-tab-title">
                 <li class="layui-this" lay-id="configemail_1">{:lang('admin/system/configemail/title')}</li>

+ 1 - 0
application/admin/view/system/configpay.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab" lay-filter="tb1">
             <ul class="layui-tab-title">
                 <li class="layui-this" lay-id="configpay_1">{:lang('admin/system/configpay/title')}</li>

+ 1 - 0
application/admin/view/system/configsms.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">{:lang('admin/system/configsms/title')}</li>

+ 1 - 0
application/admin/view/system/configupload.html

@@ -5,6 +5,7 @@
     <div class="showpic" style="display:none;"><img class="showpic_img" width="120" height="160"></div>
 
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">{:lang('admin/system/configupload/title')}</li>

+ 1 - 0
application/admin/view/system/configurl.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab" lay-filter="tb1">
             <ul class="layui-tab-title">
                 <li class="layui-this" lay-id="configurl_1">{:lang('admin/system/configurl/view')}</li>

+ 1 - 0
application/admin/view/system/configweixin.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">{:lang('admin/system/configweixin/title')}</li>

+ 1 - 1
application/admin/view/template/info.html

@@ -14,7 +14,7 @@
             </div>
         </div>
         <div class="layui-form-item">
-            <label class="layui-form-label">{:lang('file_time')}:</label>
+            <label class="layui-form-label">{:lang('file_name')}:</label>
             <div class="layui-input-block">
                 <input type="text" class="layui-input" value="{$fname}" placeholder="{:lang('admin/template/name_tip')}" id="fname" name="fname" {if condition="$fname neq ''"}readonly="readonly"{/if}>
             </div>

+ 2 - 2
application/extra/version.php

@@ -1,9 +1,9 @@
 <?php
 return array (
-    'name' => '苹果CMS',
+    'name' => '苹果CMS内容管理系统',
     'copyright' => 'MacCMS',
     'url' => '//github.com/magicblack',
-    'code' => '2020.1000.1053',
+    'code' => '2020.1000.1054',
     'license' => '免费版',
 );
 ?>