遊客站內搜尋的錯誤[含1張圖]

IT_man · 發表於 2015-3-23 16:24:33

tid=3528& 本帖最後由 IT_man 於 2015-3-23 16:27 編輯

遊客站內搜尋時出現 error message :

102505fovgvzt1w3i1biot.jpg.thumb.jpg

sol:
\source\class\discuz的discuz_application.php 約第350行
查找

private function _xss_check() {
4 Z+ W, p: d9 C8 w
$ q$ G7 \0 |' _6 F8 f0 e
static $check = array('"', '>', '<', '\'', '(', ')', 'CONTENT-TRANSFER-ENCODING');0 ^3 O" W1 ^% g, N3 @$ }
- I9 `* p8 K2 i8 W; ^! x4 E
if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
2 [7 r9 \1 t2 \1 v: u% P3 Q2 R
system_error('request_tainting');
% V" W$ t' b! a6 d( b
}' T0 a/ @# X& P! g& r
7 b8 u$ L7 K/ F- N
if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
0 Y6 J/ [) D! j) S; B
$temp = $_SERVER['REQUEST_URI'];
+ Z& Q8 P+ f9 A8 g8 r
} elseif(empty ($_GET['formhash'])) {
; q& I& P0 |! c+ F+ S- W% o7 x
$temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');! _" r9 s8 ^( P, M
} else {
+ x( k! I) \! p* \4 j( [
$temp = '';
6 x$ F, n, w. G$ t: i% Z
}
7 \# V7 q7 e- d; z9 R9 V
. a5 ?: i- {% v4 z7 g! r6 u0 x. i
if(!empty($temp)) {+ M+ Y% h1 @; k+ {4 m+ h( U; ]
$temp = strtoupper(urldecode(urldecode($temp)));. ]" F3 ^% B4 V$ C. Z3 H
foreach ($check as $str) {
+ O. T# D0 w0 H
if(strpos($temp, $str) !== false) {
" t1 ^5 @. i2 Z7 ?3 S
system_error('request_tainting');/ n u# }2 a$ U: W/ e9 P" B9 Z% [
}/ K- {2 ~' m" Z; ?6 m; @
}' |+ }, q! C5 \: J" f `
}$ g5 M+ c5 ~- U+ x9 x
1 t7 y( r5 V: K+ ]; A+ r
return true;: S& I- ]4 K, ]8 s0 k2 C0 [
}

複製代碼

替换为：

private function _xss_check() {
% u3 v) x5 E$ @1 v
$temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));
- {- h: [$ k k1 d9 L7 [
if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {
! N" p/ m; P2 t# z6 e8 y
system_error('request_tainting');% A3 ] ]; s/ x1 w! p
}$ w# p7 Q% j8 |: V R
return true;
. L4 y" c, u5 ?7 l2 [
}

複製代碼

后台更新缓存 ===>ok
但有些 discuz代碼內容在搜索結果內顯示,曝露在外,是不正常(會員搜索無此問題) ,研究中

		自動登錄	找回密碼
密碼			立即註冊

[Discuz X3.2] 遊客站內搜尋的錯誤[含1張圖]