4 jaren geleden · cd7dbfed64
--- a/application/admin/controller/Database.php
+++ b/application/admin/controller/Database.php
@@ -248,7 +248,10 @@ class Database extends Base
 
				             if(!empty($sql)){
			
 
				                 $sql = str_replace('{pre}',config('database.prefix'),$sql);
			
 
				                 //查询语句返回结果集
			
 
				-                if(strtolower(substr($sql,0,6))=="select"){
			
 
				+                if(
			
 
				+                    strtolower(substr($sql,0,6))=="select" || 
			
 
				+                    stripos($sql, ' outfile') !== false
			
 
				+                ){
			
 
				 
			
 
				                 }
			
 
				                 else{
			
--- a/application/admin/controller/Template.php
+++ b/application/admin/controller/Template.php
@@ -174,7 +174,7 @@ class Template extends Base
 
				             }
			
 
				         }
			
 
				 
			
 
				-        $filter = '<\?|php|eval|server|assert|get|post|request|cookie|session|input|env|config|call|global|dump|print|phpinfo|fputs|fopen|global|chr|strtr|pack|system|gzuncompress|shell|base64|file|proc|preg|call|ini|{:';
			
 
				+        $filter = '<\?|php|eval|server|assert|get|post|request|cookie|session|input|env|config|call|global|dump|print|phpinfo|fputs|fopen|global|chr|strtr|pack|system|gzuncompress|shell|base64|file|proc|preg|call|ini|{:|{$|{~|{-|{+|{/';
			
 
				         $this->assign('filter',$filter);
			
 
				 
			
 
				         if (Request()->isPost()) {
			
--- a/application/common/model/Annex.php
+++ b/application/common/model/Annex.php
@@ -80,6 +80,9 @@ class Annex extends Base {
 
				 
			
 
				         $path = './';
			
 
				         foreach($list['list'] as $k=>$v){
			
 
				+            if (stripos($v['annex_file'], '../') !== false) {
			
 
				+                continue;
			
 
				+            }
			
 
				             $pic = $path.$v['annex_file'];
			
 
				             if(file_exists($pic) && (substr($pic,0,8) == "./upload") || count( explode("./",$pic) ) ==1){
			
 
				                 unlink($pic);
			
--- a/application/common/model/User.php
+++ b/application/common/model/User.php
@@ -350,6 +350,9 @@ class User extends Base
 
				             if (empty($data['openid']) || empty($data['col'])) {
			
 
				                 return ['code' => 1001, 'msg' => lang('model/user/input_require')];
			
 
				             }
			
 
				+            if (!in_array($data['col'], ['user_openid_qq', 'user_openid_weixin'])) {
			
 
				+                return ['code' => 1002, 'msg' => lang('param_err') . ': col'];
			
 
				+            }
			
 
				             $where[$data['col']] = $data['openid'];
			
 
				         }
			
 
				         $where['user_status'] = ['eq', 1];