
1,后台主要操作内容加入token限制,防止跨站攻击。
2,模板编辑保存禁止出现更多关键字。
3,其他细节。

magicblack 5 年之前
父节点
当前提交
85abd41f88
共有 39 个文件被更改,包括 218 次插入46 次删除
  1. 1 0
      application/admin/common/auth.php
  2. 10 3
      application/admin/controller/Addon.php
  3. 5 0
      application/admin/controller/Admin.php
  4. 0 1
      application/admin/controller/Base.php
  5. 5 0
      application/admin/controller/Collect.php
  6. 10 1
      application/admin/controller/Database.php
  7. 27 2
      application/admin/controller/System.php
  8. 14 2
      application/admin/controller/Template.php
  9. 5 0
      application/admin/controller/Timming.php
  10. 5 0
      application/admin/controller/Type.php
  11. 5 0
      application/admin/controller/Voddowner.php
  12. 5 0
      application/admin/controller/Vodplayer.php
  13. 5 0
      application/admin/controller/Vodserver.php
  14. 58 0
      application/admin/view/addon/add.html
  15. 1 19
      application/admin/view/addon/index.html
  16. 1 0
      application/admin/view/collect/info.html
  17. 1 0
      application/admin/view/database/rep.html
  18. 1 0
      application/admin/view/database/sql.html
  19. 1 1
      application/admin/view/index/welcome.html
  20. 1 0
      application/admin/view/system/configinterface.html
  21. 1 0
      application/admin/view/system/configplay.html
  22. 1 0
      application/admin/view/system/configseo.html
  23. 1 0
      application/admin/view/system/configuser.html
  24. 1 0
      application/admin/view/template/info.html
  25. 1 1
      application/admin/view/timming/info.html
  26. 1 0
      application/admin/view/type/info.html
  27. 1 0
      application/admin/view/voddowner/info.html
  28. 1 0
      application/admin/view/vodplayer/info.html
  29. 1 0
      application/admin/view/vodserver/info.html
  30. 1 1
      application/api/controller/Provide.php
  31. 5 6
      application/api/controller/Receive.php
  32. 1 1
      application/api/controller/Timming.php
  33. 1 1
      application/common/controller/All.php
  34. 3 3
      application/common/model/Admin.php
  35. 3 3
      application/common/model/User.php
  36. 17 0
      application/common/validate/Template.php
  37. 16 0
      application/common/validate/Token.php
  38. 1 1
      application/extra/version.php
  39. 0 0
      static/js/player.js

+ 1 - 0
application/admin/common/auth.php

@@ -271,6 +271,7 @@ return array(
         '11104' => array("show"=>0,'name' => '--应用插件状态', 'controller' => 'addon',		'action' => 'state'),
         '11105' => array("show"=>0,'name' => '--应用插件上传', 'controller' => 'addon',		'action' => 'local'),
         '11106' => array("show"=>0,'name' => '--应用插件升级', 'controller' => 'addon',		'action' => 'upgrade'),
+        '11107' => array("show"=>0,'name' => '--应用插件添加', 'controller' => 'addon',		'action' => 'add'),
     )),
 
 );

+ 10 - 3
application/admin/controller/Addon.php

@@ -235,11 +235,13 @@ class Addon extends Base
         }
     }
 
-    /**
-     * 本地上传
-     */
     public function local()
     {
+        $param = input();
+        $validate = \think\Loader::validate('Token');
+        if(!$validate->check($param)){
+            return $this->error($validate->getError());
+        }
         $file = $this->request->file('file');
         $addonTmpDir = RUNTIME_PATH . 'addons' . DS;
         if (!is_dir($addonTmpDir)) {
@@ -310,6 +312,11 @@ class Addon extends Base
         }
     }
 
+    public function add()
+    {
+        return $this->fetch('admin@addon/add');
+    }
+
     /**
      * 更新插件
      */
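Review bot: The `/** 本地上传 */` docblock on local() was dropped rather than kept, and the new add() has none; restore it and add a one-line `/** 离线安装页面 */` above add(). The five-line token block inserted at the top of local() is repeated verbatim in Admin.php, Collect.php, Database.php, System.php, Template.php, Timming.php, Type.php, Voddowner.php, Vodplayer.php and Vodserver.php in this commit; a single `protected function checkToken(array $param)` on Base that returns the validator error (or null) would keep the check in one place and make it hard to forget on the next POST action. local() also reads the uploaded file without an `isPost()` guard, unlike the other actions touched here. local()'s body continues past the hunk.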

+ 5 - 0
application/admin/controller/Admin.php

@@ -45,6 +45,11 @@ class Admin extends Base
             if(!in_array('index/welcome',$param['admin_auth'])){
                 $param['admin_auth'][] = 'index/welcome';
             }
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+
             $res = model('Admin')->saveData($param);
             if($res['code']>1){
                 return $this->error($res['msg']);
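Review bot: The token is validated only after `$param['admin_auth']` has already been rewritten on the lines above, and `__token__` is left inside `$param` when it is handed to `model('Admin')->saveData($param)`; Collect.php and Type.php follow the same pattern, while Voddowner.php, Vodplayer.php and Vodserver.php unset the field right after the check. Move the check to the first line of the POST branch and add `unset($param['__token__']);` after it. Whether saveData() whitelists fields is not visible here, so this may be harmless, but the inconsistency is worth settling once across all three controllers. The enclosing method starts outside the hunk.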

+ 0 - 1
application/admin/controller/Base.php

@@ -25,7 +25,6 @@ class Base extends All
         }
         else {
             $res = model('Admin')->checkLogin();
-
             if ($res['code'] > 1) {
                 return $this->redirect('index/login');
             }

+ 5 - 0
application/admin/controller/Collect.php

@@ -63,6 +63,11 @@ class Collect extends Base
     {
         if (Request()->isPost()) {
             $param = input('post.');
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+
             $res = model('Collect')->saveData($param);
             if ($res['code'] > 1) {
                 return $this->error($res['msg']);

+ 10 - 1
application/admin/controller/Database.php

@@ -239,8 +239,12 @@ class Database extends Base
     {
         if($this->request->isPost()){
             $param=input();
-            $sql = trim($param['sql']);
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
 
+            $sql = trim($param['sql']);
             if(!empty($sql)){
                 $sql = str_replace('{pre}',config('database.prefix'),$sql);
                 //查询语句返回结果集
@@ -280,6 +284,11 @@ class Database extends Base
             $tostr = $param['tostr'];
             $where = $param['where'];
 
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+
             if(!empty($table) && !empty($field) && !empty($findstr) && !empty($tostr)){
                 $sql = "UPDATE ".$table." set ".$field."=Replace(".$field.",'".$findstr."','".$tostr."') where 1=1 ". $where;
                 Db::execute($sql);
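Review bot: The token check in the second hunk protects the replace action from cross-site submission, but the UPDATE statement directly below it is still assembled by string concatenation from `$table`, `$field`, `$findstr`, `$tostr` and `$where` taken straight from the request, so the action remains an arbitrary-SQL endpoint for anyone holding an admin session. Bind the two values and validate the identifiers before building the statement: `Db::execute("UPDATE {$table} SET {$field} = REPLACE({$field}, :find, :to) WHERE 1=1 " . $where, ['find' => $findstr, 'to' => $tostr]);`, after checking `$table` against `Db::getTables()` and `$field` against `Db::getTableFields($table)` if this connection exposes them. `$where` stays free-form; if that is intentional, a comment saying so (as for the SQL console in the first hunk) would stop the next reader from re-raising it. Both enclosing methods start outside their hunks.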

+ 27 - 2
application/admin/controller/System.php

@@ -3,7 +3,6 @@ namespace app\admin\controller;
 use think\Db;
 use think\Config;
 use think\Cache;
-use think\View;
 
 class System extends Base
 {
@@ -53,7 +52,7 @@ class System extends Base
         if (Request()->isPost()) {
             $config = input();
 
-            $validate = \think\Loader::validate('System');
+            $validate = \think\Loader::validate('Token');
             if(!$validate->check($config)){
                 return $this->error($validate->getError());
             }
@@ -223,6 +222,13 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['user'] = $config['user'];
 
             $config_old = config('maccms');
@@ -436,6 +442,12 @@ class System extends Base
         if (Request()->isPost()) {
             $config = input();
 
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             if($config['interface']['status']==1 && strlen($config['interface']['pass']) < 16){
                 return $this->error('保存失败,安全起见入库密码必须大于等于16位!');
             }
@@ -543,6 +555,12 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['play'] = $config['play'];
             $config_old = config('maccms');
             $config_new = array_merge($config_old, $config_new);
@@ -585,6 +603,13 @@ class System extends Base
     {
         if (Request()->isPost()) {
             $config = input();
+
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($config)){
+                return $this->error($validate->getError());
+            }
+            unset($config['__token__']);
+
             $config_new['seo'] = $config['seo'];
 
             $config_old = config('maccms');
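Review bot: In the first hunk the `System` validator is replaced by the `Token` validator instead of being run alongside it, so whatever field rules `validate('System')` enforced on this config form are no longer applied; Template.php in this same commit runs both validators back to back and this method should do the same. The other four hunks also `unset($config['__token__'])` after the check, but this first one does not, so the token value flows on into `$config` unless something further down strips it. Keep the original `validate('System')` line and place the token check before it: `$validate = \think\Loader::validate('Token'); if(!$validate->check($config)){ return $this->error($validate->getError()); } unset($config['__token__']);`. All five enclosing methods start and end outside their hunks.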

+ 14 - 2
application/admin/controller/Template.php

@@ -175,9 +175,21 @@ class Template extends Base
         }
 
         if (Request()->isPost()) {
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+
+            $validate = \think\Loader::validate('Template');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+
             $fcontent = $param['fcontent'];
-            if(strpos($fcontent,'<?')!==false || strpos($fcontent,'{php}')!==false){
-                $this->error('安全提示,模板中包含php代码禁止在后台编辑');
+            $filter = '<?|{php|eval|server|assert|get|post|request|cookie|input|session|env|config|call|global|dump|print|phpinfo|passthru|exec|system|chroot|scandir|chgrp|chown|shell_exec|proc_open|proc_get_status|ini_alter|ini_alter|ini_restore|dl|pfsockopen|openlog|syslog|readlink|symlink|popepassthru|stream_socket_server|fsocket|fsockopen';
+            $r = preg_replace($filter, "*", $fcontent);
+            if($fcontent !== $r){
+                $this->error('安全提示,模板中包含风险代码禁止在后台编辑');
                 return;
             }
             $res = @fwrite(fopen($fullname,'wb'),$fcontent);
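Review bot: `$filter` is not a valid PCRE pattern — it has no delimiters, and because `<` is read as a bracket-style delimiter with no closing `>`, preg_replace() emits a warning and returns null — so `$fcontent !== $r` is true for every submission and no template can be saved through this form at all. If the check is kept, build the pattern explicitly and fail closed on a regex error: `$hit = preg_match('/' . $filter . '/i', $fcontent); if ($hit !== 0) { $this->error('安全提示,模板中包含风险代码禁止在后台编辑'); return; }`. The list also repeats `ini_alter`, contains `popepassthru` (which looks like two names fused together), and includes words such as `get`, `post`, `print`, `call` and `config` that appear in ordinary template text, so expect false positives; a denylist cannot make editing PHP-capable templates safe, which the message text already concedes. The `@fwrite(fopen(...))` line below also leaks the handle and suppresses write failures, so a rejected write reports success. The enclosing method starts outside the hunk.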

+ 5 - 0
application/admin/controller/Timming.php

@@ -23,6 +23,11 @@ class Timming extends Base
         $param = input();
         $list = config('timming');
         if (Request()->isPost()) {
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+
             $param['weeks'] = join(',',$param['weeks']);
             $param['hours'] = join(',',$param['hours']);
             $list[$param['name']] = $param;
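Review bot: `__token__` is validated but never removed from `$param`, and two lines later the whole array is stored as `$list[$param['name']] = $param`, so the token value ends up persisted in the timming config. Voddowner.php, Vodplayer.php and Vodserver.php in this commit add `unset($param['__token__']);` right after the check, and this hunk should do the same. The enclosing method starts outside the hunk.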

+ 5 - 0
application/admin/controller/Type.php

@@ -62,6 +62,11 @@ class Type extends Base
     {
         if (Request()->isPost()) {
             $param = input('post.');
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+
             $res = model('Type')->saveData($param);
             if($res['code']>1){
                 return $this->error($res['msg']);

+ 5 - 0
application/admin/controller/Voddowner.php

@@ -24,6 +24,11 @@ class VodDowner extends Base
         $param = input();
         $list = config($this->_pre);
         if (Request()->isPost()) {
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+            unset($param['__token__']);
             unset($param['flag']);
             if(is_numeric($param['from'])){
                 $param['from'] .='_';

+ 5 - 0
application/admin/controller/Vodplayer.php

@@ -24,6 +24,11 @@ class VodPlayer extends Base
         $param = input();
         $list = config($this->_pre);
         if (Request()->isPost()) {
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+            unset($param['__token__']);
             unset($param['flag']);
             $code = $param['code'];
             unset($param['code']);

+ 5 - 0
application/admin/controller/Vodserver.php

@@ -25,6 +25,11 @@ class VodServer extends Base
         $param = input();
         $list = config($this->_pre);
         if (Request()->isPost()) {
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+            unset($param['__token__']);
             unset($param['flag']);
             if(is_numeric($param['from'])){
                 $param['from'] .='_';

+ 58 - 0
application/admin/view/addon/add.html

@@ -0,0 +1,58 @@
+{include file="../../../application/admin/view/public/head" /}
+<div class="page-container p10">
+
+    <div class="layui-tab layui-tab-brief" lay-filter="tabs">
+        <ul class="layui-tab-title">
+            <li class="btn-local" ><a href="{:url('index')}">本地应用</a></li>
+            <li class="layui-this"><a href="{:url('add')}">离线安装</a></li>
+        </ul>
+        <div class="layui-tab-content">
+            <blockquote class="layui-elem-quote layui-quote-nm">
+                提示:<br>
+                1.请确保第三方插件符合程序开发规范。
+                2.--使用前请做好安全检测避免出现安全问题。
+            </blockquote>
+            <input type="hidden" id="token" name="__token__" value="{$Request.token}" />
+            <button type="button" class="layui-btn layui-upload" id="upload1">点击上传</button>
+        </div>
+    </div>
+</div>
+
+{include file="../../../application/admin/view/public/foot" /}
+
+
+<script type="text/javascript">
+    var url='';
+    layui.use(['form','laypage', 'layer','upload','element'], function() {
+        // 操作对象
+        var form = layui.form
+            , layer = layui.layer
+            , upload = layui.upload
+            ,element = layui.element;
+
+        upload.render({
+            elem: '.layui-upload'
+            ,url: "{:url('addon/local')}?__token__=" + $('#token').val()
+            ,method: 'post'
+            ,exts:'zip'
+            ,before: function(input) {
+                layer.msg('文件上传中...', {time:3000000});
+            },done: function(res, index, upload) {
+                var obj = this.item;
+                if (res.code == 0) {
+                    layer.msg(res.msg);
+                }
+
+                setTimeout(function () {
+                    layer.closeAll();
+                    location.reload();
+                },2000);
+            }
+        });
+
+    });
+
+
+</script>
+</body>
+</html>
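Review bot: The CSRF token is appended to the upload URL as a query parameter (`?__token__=`), which puts it into web-server logs, browser history and the Referer of subsequent requests, and differs from every other form in this commit, which posts it as a hidden field. If this layui version supports the uploader's `data` option, send it in the body instead: `,url: "{:url('addon/local')}"` plus `,data: {__token__: $('#token').val()}`. The `done` handler reloads the page unconditionally after two seconds, so a server error is visible only briefly and a successful install is never reported; show `res.msg` in both branches before reloading. `$` is used here although `jquery` is not in the `layui.use` list, so the page relies on jQuery being loaded globally by the head include.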

+ 1 - 19
application/admin/view/addon/index.html

@@ -5,7 +5,7 @@
         <ul class="layui-tab-title">
             <li class="layui-this btn-local" data-href="{:url('downloaded')}">本地应用</li>
             <li class="btn-online" data-href="http://api.maccms.com/addon/index">在线商店</li>
-            <li class="layui-upload" data-href="{:url('add')}">离线安装</li>
+            <li class=""><a href="{:url('add')}">离线安装</a></li>
             <li class="">绑定账号</li>
         </ul>
         <div class="layui-tab-content">
@@ -53,24 +53,6 @@
             }
         });
 
-        upload.render({
-            elem: '.layui-upload'
-            ,url: "{:url('addon/local')}"
-            ,method: 'post'
-            ,exts:'zip'
-            ,before: function(input) {
-                layer.msg('文件上传中...', {time:3000000});
-            },done: function(res, index, upload) {
-                var obj = this.item;
-                if (res.code == 0) {
-                    layer.msg(res.msg);
-                    return false;
-                }
-                layer.closeAll();
-            }
-        });
-
-
         $(document).on('click', '.btn-disable,.btn-enable', function() {
             $.ajax({
                 type: 'get',

+ 1 - 0
application/admin/view/collect/info.html

@@ -2,6 +2,7 @@
 <div class="page-container p10">
     <form class="layui-form layui-form-pane" method="post" action="">
         <input id="collect_id" name="collect_id" type="hidden" value="{$info.collect_id}">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-form-item">
             <label class="layui-form-label">资源名称:</label>
             <div class="layui-input-block  ">

+ 1 - 0
application/admin/view/database/rep.html

@@ -5,6 +5,7 @@
 </style>
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">批量替换</li>

+ 1 - 0
application/admin/view/database/sql.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">执行sql语句</li>

+ 1 - 1
application/admin/view/index/welcome.html

@@ -37,7 +37,7 @@
             <td><?php echo date('Y-m-d'); ?></td>
         </tr>
         <tr>
-            <td colspan="2">当前版本:<span class="layui-badge">{$version.code}</span> 授权类型:<span class="layui-badge">{$version.license}</span></td>
+            <td colspan="2">当前版本:<span class="layui-badge">{$version.code}</span></td>
         </tr>
         </tbody>
     </table>

+ 1 - 0
application/admin/view/system/configinterface.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">站外入库设置</li>

+ 1 - 0
application/admin/view/system/configplay.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">播放器设置</li>

+ 1 - 0
application/admin/view/system/configseo.html

@@ -2,6 +2,7 @@
 
 <div class="page-container">
         <form class="layui-form layui-form-pane" action="">
+            <input type="hidden" name="__token__" value="{$Request.token}" />
             <div class="layui-tab" lay-filter="tb1">
                 <ul class="layui-tab-title">
                     <li class="layui-this" lay-id="configseo_1">视频首页SEO</li>

+ 1 - 0
application/admin/view/system/configuser.html

@@ -5,6 +5,7 @@
     <div class="showpic" style="display:none;"><img class="showpic_img" width="120" height="160"></div>
 
     <form class="layui-form layui-form-pane" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">会员设置</li>

+ 1 - 0
application/admin/view/template/info.html

@@ -1,6 +1,7 @@
 {include file="../../../application/admin/view/public/head" /}
 <div class="page-container">
     <form class="layui-form layui-form-pane" method="post" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-form-item">
             <label class="layui-form-label">路径:</label>
             <div class="layui-input-block">

+ 1 - 1
application/admin/view/timming/info.html

@@ -1,7 +1,7 @@
 {include file="../../../application/admin/view/public/head" /}
 <div class="page-container p10">
     <form class="layui-form layui-form-pane" method="post" action="">
-
+        <input type="hidden" name="__token__" value="{$Request.token}" />
                     <div class="layui-form-item">
                         <label class="layui-form-label">状态:</label>
                         <div class="layui-input-inline">

+ 1 - 0
application/admin/view/type/info.html

@@ -5,6 +5,7 @@
     
     <form class="layui-form layui-form-pane" method="post" action="">
         <input type="hidden" name="type_id" value="{$info.type_id}">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <blockquote class="layui-elem-quote layui-quote-nm">
             提示信息:<br>
             1,新增加分类后,请到用户-会员组分别对每个组设置权限,否则会提示无权限访问

+ 1 - 0
application/admin/view/voddowner/info.html

@@ -1,6 +1,7 @@
 {include file="../../../application/admin/view/public/head" /}
 <div class="page-container p10">
     <form class="layui-form layui-form-pane" method="post" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-form-item">
             <label class="layui-form-label">状态:</label>
             <div class="layui-input-block">

+ 1 - 0
application/admin/view/vodplayer/info.html

@@ -1,6 +1,7 @@
 {include file="../../../application/admin/view/public/head" /}
 <div class="page-container p10">
     <form class="layui-form layui-form-pane" method="post" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-tab">
             <ul class="layui-tab-title">
                 <li class="layui-this">基本设置</li>

+ 1 - 0
application/admin/view/vodserver/info.html

@@ -1,6 +1,7 @@
 {include file="../../../application/admin/view/public/head" /}
 <div class="page-container p10">
     <form class="layui-form layui-form-pane" method="post" action="">
+        <input type="hidden" name="__token__" value="{$Request.token}" />
         <div class="layui-form-item">
             <label class="layui-form-label">状态:</label>
             <div class="layui-input-block">

+ 1 - 1
application/api/controller/Provide.php

@@ -10,7 +10,7 @@ class Provide extends Base
     public function __construct()
     {
         parent::__construct();
-        $this->_param = input('','','trim,urldecode,htmlspecialchars');
+        $this->_param = input('','','trim,urldecode');
     }
 
     public function index()
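Review bot: Dropping `htmlspecialchars` from the input filter means API parameters now reach the application unescaped, which is the right place to do it (escape at output, not input) only if every sink that renders or stores these values escapes them on the way out; Receive.php and api/controller/Timming.php make the same change. Nothing in this commit adds output-side escaping, so confirm that the templates displaying data received through these controllers apply an escaping output filter before merging. If Receive.php stores incoming data for later display in the admin pages, stored script injection against an admin session is the failure mode to check. The constructor is fully shown.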

+ 5 - 6
application/api/controller/Receive.php

@@ -9,21 +9,20 @@ class Receive extends Base
     public function __construct()
     {
         parent::__construct();
-        $this->_param = input('','','trim,urldecode,htmlspecialchars');
+        $this->_param = input('','','trim,urldecode');
 
         if($GLOBALS['config']['interface']['status'] != 1){
             echo json_encode(['code'=>3001,'msg'=>'接口关闭err'],JSON_UNESCAPED_UNICODE);
             exit;
         }
-        if($GLOBALS['config']['interface']['pass'] != $this->_param['pass']){
-            echo json_encode(['code'=>3002,'msg'=>'非法使用err'],JSON_UNESCAPED_UNICODE);
-            exit;
-        }
         if( strlen($GLOBALS['config']['interface']['pass']) <16){
             echo json_encode(['code'=>3003,'msg'=>'安全起见入库密码必须大于等于16位'],JSON_UNESCAPED_UNICODE);
             exit;
         }
-
+        if($GLOBALS['config']['interface']['pass'] != $this->_param['pass']){
+            echo json_encode(['code'=>3002,'msg'=>'非法使用err'],JSON_UNESCAPED_UNICODE);
+            exit;
+        }
     }
 
     public function index()
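Review bot: The reordered password check still compares the configured secret with the request value using `!=`, a loose comparison (numeric-looking strings compare as numbers and a non-string parameter such as an array compares oddly) that is also not constant-time. Replace it with `if(!isset($this->_param['pass']) || !is_string($this->_param['pass']) || !hash_equals((string)$GLOBALS['config']['interface']['pass'], $this->_param['pass'])){`, which is available from PHP 5.6. Moving the length check ahead of the comparison is a good change, since a weak configuration is now refused before any credential comparison takes place. The constructor is fully shown.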

+ 1 - 1
application/api/controller/Timming.php

@@ -11,7 +11,7 @@ class Timming extends Base
 
     public function index()
     {
-        $param = input('','','trim,urldecode,htmlspecialchars');;
+        $param = input('','','trim,urldecode');;
         $name = $param['name'];
         if(empty($name)){
             //return $this->error('参数错误!');

+ 1 - 1
application/common/controller/All.php

@@ -517,7 +517,7 @@ class All extends Controller
             $this->assign('player_js','<div class="MacPlayer" style="z-index:99999;width:100%;height:100%;margin:0px;padding:0px;"><iframe id="player_if" name="player_if" src="'.$dy_play.'" style="z-index:9;width:100%;height:100%;" border="0" marginWidth="0" frameSpacing="0" marginHeight="0" frameBorder="0" scrolling="no" allowfullscreen="allowfullscreen" mozallowfullscreen="mozallowfullscreen" msallowfullscreen="msallowfullscreen" oallowfullscreen="oallowfullscreen" webkitallowfullscreen="webkitallowfullscreen" ></iframe></div>');
         }
         else {
-            $this->assign('player_data', '<script type="text/javascript">var player_data=' . json_encode($player_info) . '</script>');
+            $this->assign('player_data', '<script type="text/javascript">var player_x10d26=' . json_encode($player_info) . '</script>');
             $this->assign('player_js', '<script type="text/javascript" src="' . MAC_PATH . 'static/js/playerconfig.js?t='.$this->_tsp.'"></script><script type="text/javascript" src="' . MAC_PATH . 'static/js/player.js?t='.$this->_tsp.'"></script>');
         }
         $this->label_comment();
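Review bot: Renaming the global from `player_data` to `player_x10d26` only obscures it; the point worth raising on this line is that `json_encode($player_info)` is written straight into a `<script>` block without `JSON_HEX_TAG`, so any value in `$player_info` containing `</script>` ends the script block and the remainder is parsed as HTML. Use `json_encode($player_info, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)` here; the other branch, which places `$dy_play` into an iframe src, has the same embedding question. The reader of this global in static/js/player.js must have been updated in the same commit, but that file is not displayed, and how `$player_info` is populated is outside the hunk, so whether it ever carries user-supplied text cannot be confirmed from here. The enclosing method starts and ends outside the hunk.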

+ 3 - 3
application/common/model/Admin.php

@@ -146,7 +146,7 @@ class Admin extends Base {
 
         cookie('admin_id',$row['admin_id']);
         cookie('admin_name',$row['admin_name']);
-        cookie('admin_check',md5($random .'-'. $row['admin_name'] .'-'.$row['admin_id'] .'-'.$_SERVER['SERVER_ADDR'] ) );
+        cookie('admin_check',md5($random .'-'. $row['admin_name'] .'-'.$row['admin_id'] .'-'.request()->ip() ) );
 
         return ['code'=>1,'msg'=>'登录成功'];
     }
@@ -185,8 +185,8 @@ class Admin extends Base {
         }
         $info = $info->toArray();
 
-        $login_check = md5($info['admin_random'] .'-'. $info['admin_name'] .'-'.$info['admin_id'] .'-'.$_SERVER['SERVER_ADDR']) ;
-        if($login_check != $admin_check){
+        $login_check = md5($info['admin_random'] .'-'. $info['admin_name'] .'-'.$info['admin_id'] .'-'.request()->ip() ) ;
+        if($login_check !== $admin_check){
             return ['code'=>1003,'msg'=>'未登录'];
         }
         return ['code'=>1,'msg'=>'已登录','info'=>$info];
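Review bot: Binding the login cookie digest to `request()->ip()` instead of the server address ties every session to the client's IP, so users behind carrier NAT, mobile networks or rotating proxies are logged out whenever their address changes, and if the ip() helper is configured to trust forwarded headers the bound value is client-supplied anyway; User.php makes the same change for front-end sessions. The comparison was tightened from `!=` to `!==`, but a cookie-derived digest should be checked in constant time: `if(!is_string($admin_check) || !hash_equals($login_check, $admin_check)){`. The bare md5 over concatenated fields is also not a keyed MAC; `hash_hmac('sha256', $info['admin_name'].'-'.$info['admin_id'], $info['admin_random'])` with the per-account random as key is the usual shape, though that is a larger change. Both enclosing methods start outside their hunks.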

+ 3 - 3
application/common/model/User.php

@@ -389,7 +389,7 @@ class User extends Base
         cookie('user_name', $row['user_name'],['expire'=>2592000] );
         cookie('group_id', $group['group_id'],['expire'=>2592000] );
         cookie('group_name', $group['group_name'],['expire'=>2592000] );
-        cookie('user_check', md5($random . '-' .$row['user_name'] . '-' . $row['user_id'] .'-'.$_SERVER['SERVER_ADDR'] ),['expire'=>2592000] );
+        cookie('user_check', md5($random . '-' .$row['user_name'] . '-' . $row['user_id'] .'-'.request()->ip() ),['expire'=>2592000] );
         cookie('user_portrait', mac_get_user_portrait($row['user_id']),['expire'=>2592000] );
 
         return ['code' => 1, 'msg' => '登录成功'];
@@ -419,8 +419,8 @@ class User extends Base
             return ['code' => 1002, 'msg' => '未登录'];
         }
         $info = $info->toArray();
-        $login_check = md5($info['user_random'] . '-' . $info['user_name']. '-' . $info['user_id'] .'-'.$_SERVER['SERVER_ADDR'] );
-        if($login_check != $user_check) {
+        $login_check = md5($info['user_random'] . '-' . $info['user_name']. '-' . $info['user_id'] .'-'.request()->ip() );
+        if($login_check !== $user_check) {
             return ['code' => 1003, 'msg' => '未登录'];
         }
 

+ 17 - 0
application/common/validate/Template.php

@@ -0,0 +1,17 @@
+<?php
+namespace app\common\validate;
+use think\Validate;
+
+class Template extends Validate
+{
+    protected $rule =   [
+        'fname'=>'require',
+        'fpath'=>'require',
+    ];
+
+    protected $message  =   [
+        'fname.require' => '名称必须',
+        'fpath.require'   => '路径必须',
+    ];
+
+}
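Review bot: The validator requires `fname` and `fpath` but not `fcontent`, even though the controller in this commit reads `$param['fcontent']` unconditionally and writes it to the template file, so a POST without that field passes validation and truncates the template. Add `'fcontent' => 'require',` with a matching message, or, if an empty template is legitimately allowed, have the controller check `isset($param['fcontent'])` before writing.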

+ 16 - 0
application/common/validate/Token.php

@@ -0,0 +1,16 @@
+<?php
+namespace app\common\validate;
+use think\Validate;
+
+class Token extends Validate
+{
+    protected $rule =   [
+        '__token__'  =>  'require|token',
+    ];
+
+    protected $message  =   [
+        '__token__.require' => '非法提交',
+        '__token__.token'   => '请不要重复提交表单'
+    ];
+
+}

+ 1 - 1
application/extra/version.php

@@ -3,7 +3,7 @@ return array (
     'name' => '苹果CMS',
     'copyright' => 'MacCMS.LA',
     'url' => '//www.maccms.la/',
-    'code' => '2020.1000.1037',
+    'code' => '2020.1000.1038',
     'license' => '免费版',
 );
 ?>

+ 0 - 0
static/js/player.js

