diff --git a/README.md b/README.md
index 9b7841e1..3f7bca2f 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
- +
@@ -13,7 +13,7 @@ CRMEB开源商城系统PHP版 - + @@ -45,7 +45,7 @@ CRMEB开源商城系统PHP版 ### 📋 更新说明 -点击查看更新记录 +点击查看更新记录 ### 用心做开源,我们也很需要你的鼓励!右上角Star🌟,等你点亮! diff --git a/crmeb/app/Request.php b/crmeb/app/Request.php index 97d1c1fb..5bc702b5 100644 --- a/crmeb/app/Request.php +++ b/crmeb/app/Request.php @@ -34,7 +34,7 @@ class Request extends \think\Request * @var array */ protected $except = ['menu_path', 'api_url', 'unique_auth', - 'description', 'custom_form', 'content', 'tableField', 'url', 'customCode']; + 'description', 'custom_form', 'content', 'tableField', 'url', 'customCode', 'value', 'refund_reason_wap_img']; /** * 获取请求的数据 @@ -83,8 +83,8 @@ class Request extends \think\Request $result = []; foreach ($array as $key => $value) { if (is_array($value)) { - // 如果值是数组,递归调用 filterArrayValues - $result[$key] = $this->filterArrayValues($value); + // 如果值是数组,并且不在不过滤变量名里面,递归调用 filterArrayValues,否则直接赋值 + $result[$key] = in_array($key, $this->except) ? $value : $this->filterArrayValues($value); } else { if (in_array($key, $this->except) || is_int($value) || is_null($value)) { $result[$key] = $value; diff --git a/crmeb/app/adminapi/controller/v1/setting/SystemConfig.php b/crmeb/app/adminapi/controller/v1/setting/SystemConfig.php index 6ccc7cd8..0d39b91c 100644 --- a/crmeb/app/adminapi/controller/v1/setting/SystemConfig.php +++ b/crmeb/app/adminapi/controller/v1/setting/SystemConfig.php @@ -376,6 +376,9 @@ class SystemConfig extends AuthController if (isset($post['refund_time_available'])) { if (!ctype_digit($post['refund_time_available'])) return app('json')->fail('售后期限必须为大于0的整数'); } + if (isset($post['param_filter_data'])) { + $post['param_filter_data'] = base64_encode($post['param_filter_data']); + } if (isset($post['sms_save_type']) && sys_config('sms_account', '') != '') return app('json')->success(100001); foreach ($post as $k => $v) { $config_one = $this->services->getOne(['menu_name' => $k]); diff --git a/crmeb/app/common.php b/crmeb/app/common.php index 6004251f..cffc96d0 100644 
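Review bot: Adding `'value'` to `$except` in the first Request.php hunk, together with the second hunk's `in_array($key, $this->except) ? $value : ...`, exempts every request parameter named `value` at any nesting depth from `filterArrayValues`, whole sub-arrays included, and `value` is a generic key that endpoints other than the system-config save are likely to receive. Presumably the intent is only to let the `param_filter_data` textarea through (the SystemConfig.php hunk in this commit), so gating on that field name or on the route would be narrower than a global key exemption. The new `in_array` is also non-strict: on PHP 7 an integer key `0` compares equal to every non-numeric string in `$except`, so the first element of any list argument would skip filtering; use `in_array($key, $this->except, true)` here and on the existing scalar branch. filterArrayValues begins and ends outside the hunk.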
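Review bot: The new `base64_encode($post['param_filter_data'])` block persists whatever text the admin submitted without checking that each line is a usable regex, while the common.php hunk in this commit feeds every line of that value to PCRE on each request; a single malformed or blank line therefore breaks the filter at request time instead of being rejected at save time. Split the submitted text, drop blank lines, and refuse the save when a line does not compile, in the style of the `refund_time_available` check just above it. Because this setting is now the only source of the request filter, a save that empties it switches filtering off for the whole site, which is worth an audit-log entry; the enclosing method continues outside the hunk.
```php
        if (isset($post['param_filter_data'])) {
            $rules = array_values(array_filter(
                array_map('trim', preg_split('/\r\n|\r|\n/', (string)$post['param_filter_data'])),
                'strlen'
            ));
            foreach ($rules as $rule) {
                // preg_match returns false (not 0) when the pattern itself does not compile
                if (@preg_match($rule, '') === false) return app('json')->fail('参数过滤规则不是合法的正则表达式：' . $rule);
            }
            $post['param_filter_data'] = base64_encode(implode("\n", $rules));
        }
        // … unchanged: sms_save_type check and config save loop …
```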
--- a/crmeb/app/common.php +++ b/crmeb/app/common.php @@ -623,29 +623,7 @@ if (!function_exists('filter_str')) { */ function filter_str($str) { - $rules = [ - '/\.\./', // 禁用包含 ../ 的参数 - '/\<\?/', // 禁止 php 脚本出现 - '/\bor\b.*=.*/i', // 匹配 'or 1=1',防止 SQL 注入(注意边界词 \b 和不区分大小写 i 修饰符) - '/(select[\s\S]*?)(from|limit)/i', // 防止 SQL 注入 - '/(union[\s\S]*?select)/i', // 防止 SQL 注入 - '/(having|updatexml|extractvalue)/i', // 防止 SQL 注入 - '/sleep\((\s*)(\d*)(\s*)\)/i', // 防止 SQL 盲注 - '/benchmark\((.*)\,(.*)\)/i', // 防止 SQL 盲注 - '/base64_decode\(/i', // 防止 SQL 变种注入 - '/(?:from\W+information_schema\W)/i', // 注意这里的 (?:...) 是不合法的,应该是 (?:...) 表示非捕获组,但通常我们不需要这个 - '/(?:current_|user|database|schema|connection_id)\s*\(/i', // 防止 SQL 注入(注意去掉了不必要的 (?:...)) - '/(?:etc\/\W*passwd)/i', // 防止窥探 Linux 用户信息 - '/into(\s+)(?:dump|out)file\s*/i', // 禁用 MySQL 导出函数 - '/group\s+by.+\(/i', // 防止 SQL 注入 - '/(?:define|eval|file_get_contents|include|require|require_once|shell_exec|phpinfo|system|passthru|preg_\w+|execute|echo|print|print_r|var_dump|(fp)open|alert|showmodaldialog)\(/i', // 禁用 webshell 相关某些函数 - '/(gopher|doc|php|glob|file|phar|zlib|ftp|ldap|dict|ogg|data)\:\/\//i', // 防止一些协议攻击(注意协议后的三个斜杠) - '/\$_(GET|POST|COOKIE|FILES|SESSION|ENV|GLOBALS|SERVER)\[/i', // 禁用一些内置变量,注意 PHP 变量名通常是大写的 - '/<(iframe|script|body|img|layer|div|meta|style|base|object|input)/i', // 防止 XSS 标签植入 - '/(onmouseover|onerror|onload|onclick)\=/i', // 防止 XSS 事件植入 - '/\|\|.*?(?:ls|pwd|whoami|ll|ifconfig|ipconfig|&&|chmod|cd|mkdir|rmdir|cp|mv)/i', // 防止执行 shell(注意去掉了不合适的 ifconfog) - '/\sand\s+.*=.*/i' // 匹配 and 1=1 - ]; + $rules = preg_split('/\r\n|\r|\n/', base64_decode(sys_config('param_filter_data'))); if (filter_var($str, FILTER_VALIDATE_URL)) { $url = parse_url($str); if (!isset($url['scheme'])) return $str; diff --git a/crmeb/app/services/system/config/SystemConfigServices.php b/crmeb/app/services/system/config/SystemConfigServices.php index d69deacd..0092e5fe 100644 
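Review bot: The new `$rules = preg_split(..., base64_decode(sys_config('param_filter_data')))` line fails open: when the setting is missing or empty, `base64_decode('')` is `''` and `preg_split` returns `['']`, so `$rules` holds one empty pattern that PCRE rejects, and any blank trailing line the admin leaves in the textarea adds the same empty pattern; nothing in the hunk guards against a malformed pattern either. Since the rule list is now read from an admin-editable setting rather than code, an empty or broken value silently disables the request filter, so an empty rule set deserves at least a log line. Decode strictly, drop blank lines, and only then use the list, as sketched below; filter_str's loop over `$rules` continues past the end of the hunk, so how it treats a `false` from `preg_match` is not visible here.
```php
    function filter_str($str)
    {
        // strict decode: a value that is not base64 yields false instead of arbitrary bytes
        $raw = base64_decode((string)sys_config('param_filter_data', ''), true);
        $rules = $raw === false ? [] : array_values(array_filter(
            preg_split('/\r\n|\r|\n/', $raw),
            function ($rule) { return trim($rule) !== ''; }
        ));
        // … unchanged: URL handling and rule matching …
```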
--- a/crmeb/app/services/system/config/SystemConfigServices.php +++ b/crmeb/app/services/system/config/SystemConfigServices.php @@ -475,6 +475,9 @@ class SystemConfigServices extends BaseServices public function createTextareaForm(array $data) { $data['value'] = json_decode($data['value'], true) ?: ''; + if ($data['menu_name'] == 'param_filter_data') { + $data['value'] = base64_decode($data['value']); + } $formbuider[] = $this->builder->textarea($data['menu_name'], $data['info'], $data['value'])->placeholder($data['desc'])->appendRule('suffix', [ 'type' => 'div', 'class' => 'tips-info', diff --git a/crmeb/public/install/crmeb.sql b/crmeb/public/install/crmeb.sql index d3c8061e..6c008051 100644 --- a/crmeb/public/install/crmeb.sql +++ b/crmeb/public/install/crmeb.sql 
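Review bot: `$data['menu_name'] == 'param_filter_data'` in createTextareaForm uses loose comparison and the decode is non-strict, so a stored value that is not valid base64 is decoded into unintended bytes, shown in the textarea, and re-encoded on the next save. Compare with `===` and decode strictly, falling back to an empty field: `if ($data['menu_name'] === 'param_filter_data') { $decoded = base64_decode((string)$data['value'], true); $data['value'] = $decoded === false ? '' : $decoded; }`. The rest of the method is outside the hunk.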
@@ -33810,7 +33810,8 @@ INSERT INTO `eb_system_config` (`id`, `menu_name`, `type`, `input_type`, `config (470, 'elec_invoice_cate', 'text', 'input', 18, '', 1, '', 100, 0, '\"0\"', '电子发票分类', '电子发票的商品分类', 0, 0), (471, 'elec_invoice_tax_rate', 'text', 'input', 18, '', 1, '', 100, 0, '\"0\"', '电子发票税率', '请填写电子发票的税率,填写0-100直接的整数,如:13%的税率请填写13', 0, 0), (472, 'elec_invoice_cate_name', 'text', 'input', 18, '', 1, '', 100, 0, '\"\"', '发票分类名称', '电子发票分类对应的名称,用于回显', 0, 0), -(473, 'get_remote_login_url', 'text', 'input', 135, '', 1, '', 100, 0, '\"\"', '远程登录地址', '内嵌商城跳转h5页面链接携带(remote_token=远程用户生成的token)参数时,可自动登录商城,若remote_token为空的时候,本系统认定在外部系统中未登录,会跳转此地址进行登录', 0, 1); +(473, 'get_remote_login_url', 'text', 'input', 135, '', 1, '', 100, 0, '\"\"', '远程登录地址', '内嵌商城跳转h5页面链接携带(remote_token=远程用户生成的token)参数时,可自动登录商城,若remote_token为空的时候,本系统认定在外部系统中未登录,会跳转此地址进行登录', 0, 1), +(474, 'param_filter_data', 'textarea', 'input', 136, '', 1, '', 100, 5, '\"L1wuXC4vCi9cPFw\\/LwovXGJvclxiLio9LiovaQovKHNlbGVjdFtcc1xTXSo\\/KShmcm9tfGxpbWl0KS9pCi8odW5pb25bXHNcU10qP3NlbGVjdCkvaQovKGhhdmluZ3x1cGRhdGV4bWx8ZXh0cmFjdHZhbHVlKS9pCi9zbGVlcFwoKFxzKikoXGQqKShccyopXCkvaQovYmVuY2htYXJrXCgoLiopXCwoLiopXCkvaQovYmFzZTY0X2RlY29kZVwoL2kKLyg\\/OmZyb21cVytpbmZvcm1hdGlvbl9zY2hlbWFcVykvaQovKD86Y3VycmVudF98dXNlcnxkYXRhYmFzZXxzY2hlbWF8Y29ubmVjdGlvbl9pZClccypcKC9pCi8oPzpldGNcL1xXKnBhc3N3ZCkvaQovaW50byhccyspKD86ZHVtcHxvdXQpZmlsZVxzKi9pCi9ncm91cFxzK2J5LitcKC9pCi8oPzpkZWZpbmV8ZXZhbHxmaWxlX2dldF9jb250ZW50c3xpbmNsdWRlfHJlcXVpcmV8cmVxdWlyZV9vbmNlfHNoZWxsX2V4ZWN8cGhwaW5mb3xzeXN0ZW18cGFzc3RocnV8cHJlZ19cdyt8ZXhlY3V0ZXxlY2hvfHByaW50fHByaW50X3J8dmFyX2R1bXB8KGZwKW9wZW58YWxlcnR8c2hvd21vZGFsZGlhbG9nKVwoL2kKLyhnb3BoZXJ8ZG9jfHBocHxnbG9ifGZpbGV8cGhhcnx6bGlifGZ0cHxsZGFwfGRpY3R8b2dnfGRhdGEpXDpcL1wvL2kKL1wkXyhHRVR8UE9TVHxDT09LSUV8RklMRVN8U0VTU0lPTnxFTlZ8R0xPQkFMU3xTRVJWRVIpXFsvaQovPChpZnJhbWV8c2NyaXB0fGJvZHl8aW1nfGxheWVyfGRpdnxtZXRhfHN0eWxlfGJhc2V8b2JqZWN0fGlucHV0KS9pCi8ob25tb3VzZW92ZXJ8b25lcnJvcnxvbmxvYWR8b25jbGljaylcPS9pCi9cfFx8Lio\\/KD86bHN8cH
dkfHdob2FtaXxsbHxpZmNvbmZpZ3xpcGNvbmZpZ3wmJnxjaG1vZHxjZHxta2RpcnxybWRpcnxjcHxtdikvaQovXHNhbmRccysuKj0uKi9p\"', '系统参数过滤', '系统参数过滤,过滤掉不需要的参数,多个参数用回车换行分隔', 0, 1); -- -------------------------------------------------------- @@ -33911,7 +33912,8 @@ INSERT INTO `eb_system_config_tab` (`id`, `pid`, `title`, `eng_title`, `status`, (132, 7, '小程序配置', 'routine_config', 1, 0, '', 3, 0, 1007), (133, 7, '消息推送配置', 'routine_encoding', 1, 0, '', 3, 0, 1007), (134, 129, '模块配置', 'model_config', 0, 0, '', 0, 0, 23), -(135, 129, '远程登录配置', 'remote_login', 1, 0, '', 0, 0, 23); +(135, 129, '远程登录配置', 'remote_login', 1, 0, '', 0, 0, 23), +(136, 129, '参数过滤配置', 'param_filter_config', 1, 0, '', 0, 0, 23); -- -------------------------------------------------------- 
@@ -34640,8 +34642,7 @@ INSERT INTO `eb_system_file_info` (`id`, `name`, `path`, `full_path`, `type`, `c (561, 'listener', '/app', '/app/listener', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '事件'), (562, 'admin', '/app/listener', '/app/listener/admin', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '后台相关事件'), (563, 'AdminLoginListener.php', '/app/listener/admin', '/app/listener/admin/AdminLoginListener.php', 'file', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '管理员登录事件'), -(564, 'crontab', '/app/listener', '/app/listener/crontab', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '定时任务事件'), -(565, 'SystemCrontabListener.php', '/app/listener/crontab', '/app/listener/crontab/SystemCrontabListener.php', 'file', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '定时任务执行事件'), +(564, 'crontab', '/app/listener', '/app/listener/crontab', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '定时任务事件') (566, 'filetree.txt', '/app/listener', '/app/listener/filetree.txt', 'file', '2023-04-27 09:38:48', '2023-04-27 09:38:48', ''), (567, 'http', '/app/listener', '/app/listener/http', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '请求事件'), (568, 'HttpEndListener.php', '/app/listener/http', '/app/listener/http/HttpEndListener.php', 'file', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '请求日志记录事件'), diff --git a/readme/pic/618.jpg b/readme/pic/618.jpg deleted file mode 100644 index 1d7e577e..00000000 Binary files a/readme/pic/618.jpg and /dev/null differ diff --git a/readme/pic/联系我们.jpg b/readme/pic/联系我们.jpg deleted file mode 100644 index da43f2d4..00000000 Binary files a/readme/pic/联系我们.jpg and /dev/null differ diff --git a/readme/宝塔快速安装说明.docx b/readme/宝塔快速安装说明.docx new file mode 100644 index 00000000..32fc8fd3 Binary files /dev/null and b/readme/宝塔快速安装说明.docx differ diff --git a/安装必读.docx b/安装必读.docx index f6337374..8c1bdb6b 100644 Binary files a/安装必读.docx and b/安装必读.docx differ
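Review bot: The rewritten row 564 ends with `'定时任务事件')` and no trailing comma, yet the next value row `(566, 'filetree.txt', ...)` follows it, so this INSERT is a syntax error and the install script fails at that statement. Restore the comma: `(564, 'crontab', '/app/listener', '/app/listener/crontab', 'dir', '2023-04-27 09:38:48', '2023-04-27 09:38:48', '定时任务事件'),`. Removing row 565 (SystemCrontabListener.php) presumably tracks a file deletion, but no such deletion appears in this diff, so the file-info table may now disagree with the source tree; worth confirming.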