
1,修复播放器导入跨站攻击的问题。
2,更新语言包。
3,其他细节。

magicblack 5 년 전
부모
커밋
ce6f8bdfd6

+ 1 - 3
application/admin/controller/Base.php

@@ -16,8 +16,7 @@ class Base extends All
         parent::__construct();
 
         //判断用户登录状态
-
-        if(in_array($this->_cl,['Index']) && in_array($this->_ac,['login','logout'])) {
+        if(in_array($this->_cl,['Index']) && in_array($this->_ac,['login'])) {
 
         }
         elseif(ENTRANCE=='api' && in_array($this->_cl,['Timming']) && in_array($this->_ac,['index'])){
@@ -25,7 +24,6 @@ class Base extends All
         }
         else {
             $res = model('Admin')->checkLogin();
-
             if ($res['code'] > 1) {
                 return $this->redirect('index/login');
             }
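Review bot: The public-route test on the `if(in_array($this->_cl,['Index']) && in_array($this->_ac,['login']))` line has an empty body and a loose `in_array`, with the actual check sitting two branches lower in `else`; a named boolean keeps the list of unauthenticated routes in one place and auditable, e.g. `$isPublic = (in_array($this->_cl, ['Index'], true) && in_array($this->_ac, ['login'], true)) || (ENTRANCE == 'api' && in_array($this->_cl, ['Timming'], true) && in_array($this->_ac, ['index'], true));` followed by `if (!$isPublic) { ... }`. Whether the strict flag changes anything depends on how `_cl` and `_ac` are populated, which is outside the hunk. Removing `logout` from the list means an unauthenticated `Index/logout` now redirects to the login page; if that is intended, a one-line comment above the whitelist saying so would stop the next reader from adding it back. The constructor this code belongs to begins and ends outside the hunk.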

+ 39 - 26
application/admin/controller/Vodplayer.php

@@ -125,36 +125,49 @@ class VodPlayer extends Base
 
     public function import()
     {
-        $file = $this->request->file('file');
-        $info = $file->rule('uniqid')->validate(['size' => 10240000, 'ext' => 'txt']);
-        if ($info) {
-            $data = json_decode(base64_decode(file_get_contents($info->getpathName())), true);
-            @unlink($info->getpathName());
-            if($data){
-
-                if(empty($data['status']) || empty($data['from']) || empty($data['sort']) ){
-                    return $this->error(lang('format_err'));
-                }
-                $code = $data['code'];
-                unset($data['code']);
-
-                $list = config($this->_pre);
-                $list[$data['from']] = $data;
-                $res = mac_arr2file( APP_PATH .'extra/'.$this->_pre.'.php', $list);
-                if($res===false){
-                    return $this->error(lang('write_err_config'));
-                }
-
-                $res = fwrite(fopen('./static/player/' . $data['from'].'.js','wb'),$code);
-                if($res===false){
-                    return $this->error(lang('wirte_err_codefile'));
+        if (request()->isPost()) {
+            $param = input();
+            $validate = \think\Loader::validate('Token');
+            if(!$validate->check($param)){
+                return $this->error($validate->getError());
+            }
+            unset($param['__token__']);
+            $file = $this->request->file('file');
+            $info = $file->rule('uniqid')->validate(['size' => 10240000, 'ext' => 'txt']);
+            if ($info) {
+                $data = json_decode(base64_decode(file_get_contents($info->getpathName())), true);
+                @unlink($info->getpathName());
+                if ($data) {
+                    if (empty($data['status']) || empty($data['from']) || empty($data['sort'])) {
+                        return $this->error(lang('format_err'));
+                    }
+                    if (strpos($data['from'], '.') !== false || strpos($data['from'], '/') !== false || strpos($data['from'], '\\') !== false) {
+                        $this->error(lang('param_err'));
+                        return;
+                    }
+                    $code = $data['code'];
+                    unset($data['code']);
+
+                    $list = config($this->_pre);
+                    $list[$data['from']] = $data;
+                    $res = mac_arr2file(APP_PATH . 'extra/' . $this->_pre . '.php', $list);
+                    if ($res === false) {
+                        return $this->error(lang('write_err_config'));
+                    }
+
+                    $res = fwrite(fopen('./static/player/' . $data['from'] . '.js', 'wb'), $code);
+                    if ($res === false) {
+                        return $this->error(lang('wirte_err_codefile'));
+                    }
                 }
-
+                return $this->success(lang('import_ok'));
+            } else {
+                return $this->error($file->getError());
             }
-            return $this->success(lang('import_err'));
         }
         else{
-            return $this->error($file->getError());
+            return $this->fetch('admin@vodplayer/import');
         }
     }
+
 }
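Review bot: The new guard on the `strpos($data['from'], '.')` line rejects only `.`, `/` and `\`, yet `$data['from']` becomes both a key written into the PHP config file and a filename under `./static/player/`, so an allowlist is the safer shape: `if (!preg_match('/^[A-Za-z0-9_-]+$/', $data['from'])) {`. A file that fails `base64_decode`/`json_decode` skips the whole `if ($data)` body and still reaches `return $this->success(lang('import_ok'))`, so a malformed upload is reported as a successful import; an `else { return $this->error(lang('format_err')); }` on that block would close the gap. The `fwrite(fopen(...))` line never closes the handle and hands `false` to `fwrite` when `fopen` fails; `$res = file_put_contents('./static/player/' . $data['from'] . '.js', $code);` keeps the existing `=== false` check meaningful. The `$this->error(lang('param_err')); return;` pair is the only branch in the method that does not `return $this->error(...)` directly. Whether `mac_arr2file` escapes the remaining `$data` values before writing them into the config file is not visible in this hunk and is worth confirming.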

+ 5 - 7
application/admin/view/addon/add.html

@@ -3,17 +3,15 @@
 
     <div class="layui-tab layui-tab-brief" lay-filter="tabs">
         <ul class="layui-tab-title">
-            <li class="btn-local" ><a href="{:url('index')}">本地应用</a></li>
-            <li class="layui-this"><a href="{:url('add')}">离线安装</a></li>
+            <li class="btn-local" ><a href="{:url('index')}">{:lang('local_app')}</a></li>
+            <li class="layui-this"><a href="{:url('add')}">{:lang('local_setup')}</a></li>
         </ul>
         <div class="layui-tab-content">
             <blockquote class="layui-elem-quote layui-quote-nm">
-                提示:<br>
-                1.请确保第三方插件符合程序开发规范。
-                2.--使用前请做好安全检测避免出现安全问题。
+                {:lang('admin/addon/add_tip')}
             </blockquote>
             <input type="hidden" id="token" name="__token__" value="{$Request.token}" />
-            <button type="button" class="layui-btn layui-upload" id="upload1">点击上传</button>
+            <button type="button" class="layui-btn layui-upload" id="upload1">{:lang('upload')}</button>
         </div>
     </div>
 </div>
@@ -36,7 +34,7 @@
             ,method: 'post'
             ,exts:'zip'
             ,before: function(input) {
-                layer.msg('文件上传中...', {time:3000000});
+                layer.msg("{:lang('upload_ing')}", {time:3000000});
             },done: function(res, index, upload) {
                 var obj = this.item;
                 if (res.code == 0) {

+ 1 - 1
application/admin/view/index/index.html

@@ -48,7 +48,7 @@
            </ul>
 			<ul class="layui-nav layui-layout-right" lay-filter="">
 				 <li class="layui-nav-item layui-hide-xs">
-					<a href="javascript:void(0);">{$Think.cookie.admin_name}&nbsp;&nbsp;</a>
+					<a href="javascript:void(0);">{:lang('opt')}&nbsp;&nbsp;</a>
 					<dl class="layui-nav-child">
 						<dd><a href="__ROOT__/" target="_blank">{:lang('admin/index/index/menu_index')}</a></dd>
 						<dd><a href="javascript:void(0);" id="lockScreen">{:lang('admin/index/index/menu_lock')}</a></dd>

+ 54 - 0
application/admin/view/vodplayer/import.html

@@ -0,0 +1,54 @@
+{include file="../../../application/admin/view/public/head" /}
+<div class="page-container p10">
+
+    <div class="layui-tab layui-tab-brief" lay-filter="tabs">
+        <ul class="layui-tab-title">
+            <li class="btn-local" ><a href="{:url('index')}">{:lang('return')}</a></li>
+            <li class="layui-this"><a href="{:url('add')}">{:lang('import')}</a></li>
+        </ul>
+
+        <div class="layui-tab-content">
+            <blockquote class="layui-elem-quote layui-quote-nm">
+                {:lang('admin/vodplayer/import_tip')}
+            </blockquote>
+            <input type="hidden" id="token" name="__token__" value="{$Request.token}" />
+            <button type="button" class="layui-btn layui-upload" id="upload1">{:lang('upload')}</button>
+        </div>
+    </div>
+</div>
+
+{include file="../../../application/admin/view/public/foot" /}
+
+
+<script type="text/javascript">
+    var url='';
+    layui.use(['form','laypage', 'layer','upload','element'], function() {
+        // 操作对象
+        var form = layui.form
+            , layer = layui.layer
+            , upload = layui.upload
+            ,element = layui.element;
+
+        upload.render({
+            elem: '.layui-upload'
+            ,url: "{:url('vodplayer/import')}?__token__=" + $('#token').val()
+            ,method: 'post'
+            ,exts:'txt'
+            ,before: function(input) {
+                layer.msg("{:lang('upload_ing')}", {time:3000000});
+            },done: function(res, index, upload) {
+                var obj = this.item;
+                layer.msg(res.msg);
+                setTimeout(function () {
+                    layer.closeAll();
+                    location.reload();
+                },2000);
+            }
+        });
+
+    });
+
+
+</script>
+</body>
+</html>
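Review bot: The `url:` line of `upload.render` appends the CSRF token to the query string, which lands it in access logs and in the `Referer` of whatever the page requests next; layui's upload accepts a `data` option, so `,url: "{:url('vodplayer/import')}"` together with `,data: {__token__: $('#token').val()}` keeps the token in the POST body, which `input()` in the controller still reads. `$('#token')` relies on a global `$`, whereas the widget this page replaces in `vodplayer/index.html` obtained it with `, $ = layui.jquery`; unless the shared head include defines `$`, that assignment belongs in the variable list here as well. `var url='';` is never used and can be dropped. The `done` callback reloads for every response, so a failed import (`res.code == 0`) is visible for only two seconds before the list refreshes; keeping the old widget's `if (res.code == 0) { layer.msg(res.msg); return false; }` branch would leave the error on screen.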

+ 3 - 20
application/admin/view/vodplayer/index.html

@@ -4,7 +4,7 @@
 
         <div class="layui-btn-group">
             <a data-href="{:url('info')}" class="layui-btn layui-btn-primary j-iframe"><i class="layui-icon">&#xe654;</i>{:lang('add')}</a>
-            <a data-href="{:url('import')}" class="layui-btn layui-btn-primary layui-upload" ><i class="layui-icon">&#xe654;</i>{:lang('import')}</a>
+            <a href="{:url('import')}" class="layui-btn layui-btn-primary" ><i class="layui-icon">&#xe654;</i>{:lang('import')}</a>
             <a data-href="{:url('index/select')}?tab=vod&col=status&tpl=select_state&url=vodplayer/field" data-width="470" data-height="100" data-checkbox="1" class="layui-btn layui-btn-primary j-select"><i class="layui-icon">&#xe620;</i>{:lang('status')}</a>
             <a data-href="{:url('index/select')}?tab=vod&col=ps&tpl=select_state&url=vodplayer/field" data-width="470" data-height="100" data-checkbox="1" class="layui-btn layui-btn-primary j-select"><i class="layui-icon">&#xe620;</i>{:lang('status_parse')}</a>
         </div>
@@ -56,29 +56,12 @@
 {include file="../../../application/admin/view/public/foot" /}
 
 <script type="text/javascript">
-    layui.use(['form','laypage', 'layer','upload'], function() {
+    layui.use(['form','laypage', 'layer'], function() {
         // 操作对象
         var form = layui.form
                 , layer = layui.layer
-                , $ = layui.jquery
-                , upload = layui.upload;
+                , $ = layui.jquery;
 
-        upload.render({
-            elem: '.layui-upload'
-            ,url: "{:url('vodplayer/import')}"
-            ,method: 'post'
-            ,exts:'txt'
-            ,before: function(input) {
-                layer.msg("{:lang('upload_ing')}", {time:3000000});
-            },done: function(res, index, upload) {
-                var obj = this.item;
-                if (res.code == 0) {
-                    layer.msg(res.msg);
-                    return false;
-                }
-                location.reload();
-            }
-        });
 
     });
 </script>

+ 34 - 4
application/common/model/Admin.php

@@ -146,15 +146,21 @@ class Admin extends Base {
             return ['code'=>1004,'msg'=>lang('model/admin/update_login_err')];
         }
 
-        cookie('admin_id',$row['admin_id']);
-        cookie('admin_name',$row['admin_name']);
-        cookie('admin_check',md5($random .'-'. $row['admin_name'] .'-'.$row['admin_id'] .'-'.request()->ip() ) );
+        session('admin_auth','1');
+        session('admin_id',$row['admin_id']);
+        session('admin_name',$row['admin_name']);
+
+        //cookie('admin_id',$row['admin_id']);
+        //cookie('admin_name',$row['admin_name']);
+        //cookie('admin_check',md5($random .'-'. $row['admin_name'] .'-'.$row['admin_id'] .'-'.request()->ip() ) );
 
         return ['code'=>1,'msg'=>lang('model/admin/login_ok')];
     }
 
     public function logout()
     {
+        session('admin_auth',null);
+        session('admin_name',null);
         cookie('admin_id',null);
         cookie('admin_name',null);
         cookie('admin_check',null);
@@ -163,6 +169,31 @@ class Admin extends Base {
     }
 
     public function checkLogin()
+    {
+        if(!session('admin_auth')){
+            return ['code'=>1009,'msg'=>lang('model/admin/not_login')];
+        }
+        $admin_id = session('admin_id');
+        $admin_name = session('admin_name');
+
+        if(empty($admin_id) || empty($admin_name)){
+            return ['code'=>1001, 'msg'=>lang('model/admin/not_login')];
+        }
+
+        $where = [];
+        $where['admin_id'] = $admin_id;
+        $where['admin_name'] = $admin_name;
+        $where['admin_status'] =1 ;
+
+        $info = $this->where($where)->find();
+        if(empty($info)){
+            return ['code'=>1002,'msg'=>lang('model/admin/not_login')];
+        }
+        $info = $info->toArray();
+        return ['code'=>1,'msg'=>lang('model/admin/haved_login'),'info'=>$info];
+    }
+
+    public function checkLogin2()
     {
         $admin_id = cookie('admin_id');
         $admin_name = cookie('admin_name');
@@ -190,5 +221,4 @@ class Admin extends Base {
         return ['code'=>1,'msg'=>lang('model/admin/haved_login'),'info'=>$info];
     }
 
-
 }
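Review bot: `logout()` clears `admin_auth` and `admin_name` but leaves `session('admin_id')` set, so the session still carries the identity after sign-out; add `session('admin_id',null);` next to the other two (the method's closing brace is outside the hunk). `login` writes the three session keys without rotating the session id, so an id fixed before authentication stays valid afterwards; `session_regenerate_id(true);` immediately before `session('admin_auth','1');` addresses that, assuming ThinkPHP has already started the native session at this point. `checkLogin2()` keeps the cookie-based check that this commit replaces; if no caller remains it is dead code, and if one does it still trusts the `admin_check` cookie, so either delete it or document why it stays. The three commented-out `cookie(...)` lines in `login` should be removed rather than kept as comments.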

+ 1 - 1
application/extra/version.php

@@ -3,7 +3,7 @@ return array (
     'name' => '苹果CMS',
     'copyright' => 'MacCMS',
     'url' => '//github.com/magicblack',
-    'code' => '2020.1000.1052',
+    'code' => '2020.1000.1053',
     'license' => '免费版',
 );
 ?>

+ 10 - 2
application/lang/zh-cn.php

@@ -8,6 +8,7 @@
 *last update 0917
 */
 return [
+    'lang_ver'=>'1053+',
     'hello'  => '欢迎使用',
     'maccms_name'=>'苹果CMS-v10',
     'maccms_copyright'=>'© MacCMS All Rights Reserved.',
@@ -63,7 +64,7 @@ return [
     'keyword'=>'关键字',
     'description'=>'描述',
     'data_name'=>'数据名称',
-
+    'return'=>'返回',
     'integral_recharge'=>'积分充值',
     'registration_promotion'=>'注册推广',
     'visit_promotion'=>'访问推广',
@@ -250,7 +251,7 @@ return [
     'pic'=>'图片',
     'pic_thumb'=>'缩略图',
     'pic_slide'=>'海报图',
-
+    'upload'=>'上传',
     'upload_pic'=>'上传图片',
     'blurb'=>'简介',
     'content'=>'详情',
@@ -1327,6 +1328,10 @@ return [
     'admin/addon/name_empty_err'=>'插件名称不能为空',
     'admin/addon/haved_err'=>'已经存在插件',
     'admin/addon/path_err'=>'非法目录请求',
+    'admin/addon/add_tip'=>'提示:<br>
+                1.请确保第三方插件符合程序开发规范。
+                2.--使用前请做好安全检测避免出现安全问题。',
+
 
     'admin/admin/title'=>'管理员管理',
     'admin/admin/del_cur_err'=>'禁止删除当前登录账号',
@@ -1357,6 +1362,9 @@ return [
     'admin/vodplayer/api_url_tip'=>'独立接口地址,权重高于全局播放器设置的接口',
     'admin/vodplayer/sort_tip'=>'数值越大排列越靠前',
     'admin/vodplayer/code_empty'=>'请输入编码',
+    'admin/vodplayer/import_tip'=>'提示:<br>
+                       1.请确保导入文件格式正确。',
+
 
     'admin/timming/title'=>'定时任务管理',
     'admin/timming/unique_id'=>'唯一标识英文',

+ 11 - 2
application/lang/zh-tw.php

@@ -8,6 +8,7 @@
 *last update 0917
 */
 return [
+    'lang_ver'=>'1053+',
     'hello'  => '歡迎使用',
     'maccms_name'=>'蘋果CMS-v10',
     'maccms_copyright'=>'© MacCMS All Rights Reserved.',
@@ -63,7 +64,7 @@ return [
     'keyword'=>'關鍵字',
     'description'=>'描述',
     'data_name'=>'數據名稱',
-
+    'return'=>'返回',
     'integral_recharge'=>'積分充值',
     'registration_promotion'=>'註冊推廣',
     'visit_promotion'=>'訪問推廣',
@@ -250,7 +251,7 @@ return [
     'pic'=>'圖片',
     'pic_thumb'=>'縮略圖',
     'pic_slide'=>'海報圖',
-
+    'upload'=>'上傳',
     'upload_pic'=>'上傳圖片',
     'blurb'=>'簡介',
     'content'=>'詳情',
@@ -645,6 +646,7 @@ return [
     'model/user/update_login_err'=>'更新登錄信息失敗',
     'model/user/update_expire_err'=>'更新會員組過期信息失敗',
     'model/user/update_expire_ok'=>'更新過期信息成功',
+    'model/user/login_ok'=>'登錄成功',
     'model/user/logout_ok'=>'退出成功',
     'model/user/not_login'=>'未登錄',
     'model/user/haved_login'=>'已登錄',
@@ -1326,6 +1328,10 @@ return [
     'admin/addon/name_empty_err'=>'插件名稱不能為空',
     'admin/addon/haved_err'=>'已經存在插件',
     'admin/addon/path_err'=>'非法目錄請求',
+    'admin/addon/add_tip'=>'提示:<br>
+                1.請確保第三方插件符合程序開發規範。
+                2.--使用前請做好安全檢測避免出現安全問題。',
+
 
     'admin/admin/title'=>'管理員管理',
     'admin/admin/del_cur_err'=>'禁止刪除當前登錄賬號',
@@ -1356,6 +1362,9 @@ return [
     'admin/vodplayer/api_url_tip'=>'獨立接口地址,權重高於全局播放器設置的接口',
     'admin/vodplayer/sort_tip'=>'數值越大排列越靠前',
     'admin/vodplayer/code_empty'=>'請輸入編碼',
+    'admin/vodplayer/import_tip'=>'提示:<br>
+                       1.請確保導入文件格式正確。',
+
 
     'admin/timming/title'=>'定時任務管理',
     'admin/timming/unique_id'=>'唯壹標識英文',