From 0a164777fee1fddaa2ba319d4dd27516df206cb1 Mon Sep 17 00:00:00 2001
From: Karson <karsonzhang@163.com>
Date: Sun, 23 Aug 2020 12:30:26 +0800
Subject: [PATCH] 新增搜索字段安全检测 修复find_in_set多值时无法查询的BUG 移除冗余查询代码

---
 application/admin/lang/zh-cn.php          |  5 ++++-
 application/common/controller/Backend.php | 15 +++++++++------
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/application/admin/lang/zh-cn.php b/application/admin/lang/zh-cn.php
index 56e3a58..ca7802b 100755
--- a/application/admin/lang/zh-cn.php
+++ b/application/admin/lang/zh-cn.php
@@ -96,6 +96,9 @@ return [
     'End time'                                              => '结束时间',
     'Create time'                                           => '创建时间',
     'Update time'                                           => '更新时间',
+    'Createtime'                                            => '创建时间',
+    'Updatetime'                                            => '更新时间',
+    'Deletetime'                                            => '删除时间',
     'Flag'                                                  => '标志',
     'Drag to sort'                                          => '拖动进行排序',
     'Redirect now'                                          => '立即跳转',
@@ -164,7 +167,7 @@ return [
     'An unexpected error occurred'                          => '发生了一个意外错误,程序猿正在紧急处理中',
     'This page will be re-directed in %s seconds'           => '页面将在 %s 秒后自动跳转',
     'Click to uncheck all'                                  => '点击取消全部',
-    'Multiple selection mode: %s checked'                    => '跨页选择模式,已选 %s 项',
+    'Multiple selection mode: %s checked'                   => '跨页选择模式,已选 %s 项',
     //菜单
     'Dashboard'                                             => '控制台',
     'General'                                               => '常规管理',
diff --git a/application/common/controller/Backend.php b/application/common/controller/Backend.php
index adaa594..6e3b4da 100644
--- a/application/common/controller/Backend.php
+++ b/application/common/controller/Backend.php
@@ -266,7 +266,6 @@ class Backend extends Controller
         $tableName = '';
         if ($relationSearch) {
             if (!empty($this->model)) {
-                $name = \think\Loader::parseName(basename(str_replace('\\', '/', get_class($this->model))));
                 $name = $this->model->getTable();
                 $tableName = $name . '.';
             }
@@ -290,6 +289,9 @@ class Backend extends Controller
             $where[] = [implode("|", $searcharr), "LIKE", "%{$search}%"];
         }
         foreach ($filter as $k => $v) {
+            if (!preg_match('/^[a-zA-Z0-9_\-\.]+$/', $k)) {
+                continue;
+            }
             $sym = isset($op[$k]) ? $op[$k] : '=';
             if (stripos($k, ".") === false) {
                 $k = $tableName . $k;
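Review bot: The new allowlist on `$k` has no comment saying why it exists, and the reason is not local to this loop: the key is later concatenated into raw SQL (the `FIND_IN_SET` string further down in this method), so a reader may be tempted to loosen the pattern. I would add above the `preg_match` line: `// $k is interpolated into raw SQL below (FIND_IN_SET); accept only identifier characters, skip anything else.` Note that `preg_match` returning `false` on a PCRE error also lands in the `continue`, which is the safe direction here. The enclosing `foreach` and the method continue outside this hunk.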
@@ -327,7 +329,12 @@ class Backend extends Controller
                 case 'FINDIN':
                 case 'FINDINSET':
                 case 'FIND_IN_SET':
-                    $where[] = "FIND_IN_SET('{$v}', " . ($relationSearch ? $k : '`' . str_replace('.', '`.`', $k) . '`') . ")";
+                    $v = is_array($v) ? $v : explode(',', str_replace(' ', ',', $v));
+                    foreach ($v as $index => $item) {
+                        $item = str_replace([' ', ',', "'"], '', $item);
+                        $item = addslashes(htmlentities(strip_tags($item)));
+                        $where[] = "FIND_IN_SET('{$item}', `" . ($relationSearch ? str_replace('.', '`.`', $k) : $k) . "`)";
+                    }
                     break;
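Review bot: The split on the new line `$v = is_array($v) ? $v : explode(',', str_replace(' ', ',', $v));` turns an input such as `a, b` into `a,,b`, so the loop emits a `FIND_IN_SET('', ...)` clause for the empty element and the whole filter matches nothing; empty items should be skipped after the per-item cleanup. The identifier quoting is also inverted relative to the removed line: the dot-splitting `str_replace('.', '`.`', $k)` now runs only when `$relationSearch` is true, so a dotted key in non-relation mode is quoted as one identifier (`` `tbl.col` ``), which earlier code in this method (`$k = $tableName . $k`) appears to produce. `htmlentities()` changes the compared value (`&` becomes `&amp;`), so rows whose stored value contains such characters will not match unless the stored data is entity-encoded too — worth confirming against how this project filters input. Binding `$item` as a parameter would be preferable to `addslashes()` if the builder supports it on this raw-string `$where` entry; the `$index` loop variable is unused. The `switch` and the method continue outside this hunk.

```php
                case 'FIND_IN_SET':
                    $items = is_array($v) ? $v : explode(',', str_replace(' ', ',', $v));
                    // Quote each identifier segment regardless of relation mode ($k already passed the key allowlist above).
                    $column = '`' . str_replace('.', '`.`', $k) . '`';
                    foreach ($items as $item) {
                        $item = str_replace([' ', ',', "'"], '', (string) $item);
                        if ($item === '') {
                            continue; // skip empties produced by "a, b" style input
                        }
                        $item = addslashes(strip_tags($item));
                        $where[] = "FIND_IN_SET('{$item}', {$column})";
                    }
                    break;
```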
                 case 'IN':
                 case 'IN(...)':
@@ -368,10 +375,6 @@ class Backend extends Controller
                     }
                     $where[] = [$k, str_replace('RANGE', 'BETWEEN', $sym) . ' time', $arr];
                     break;
-                case 'LIKE':
-                case 'LIKE %...%':
-                    $where[] = [$k, 'LIKE', "%{$v}%"];
-                    break;
                 case 'NULL':
                 case 'IS NULL':
                 case 'NOT NULL':
--
libgit2 0.24.0