退出清理痕迹出现问题

xiuse · 发表于 2013-11-23 09:30:32

登陆后一退出登陆，点击清除痕迹的话就会出现上图BUG

ifre · 发表于 2013-11-23 10:22:29

昨天官网升级了补丁好像也木有解决这个问题.
现在退出登录还是会报错的.官网就这样！

小林在线 · 发表于 2013-11-23 10:36:03

131122 source\class\discuz\discuz_application.php private function _xss_check()

350行左右

private function _xss_check() {
static $check = array('"', '>', '<', '\'', '(', ')', 'CONTENT-TRANSFER-ENCODING');
if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
system_error('request_tainting');
}
if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
$temp = $_SERVER['REQUEST_URI'];
} elseif(empty ($_GET['formhash'])) {
$temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
} else {
$temp = '';
}
if(!empty($temp)) {
$temp = strtoupper(urldecode(urldecode($temp)));
foreach ($check as $str) {
if(strpos($temp, $str) !== false) {
system_error('request_tainting');
}
}
}
return true;
}

复制代码

131011 source\class\discuz\iscuz_application.php private function _xss_check()

350行左右

private function _xss_check() {
$temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));
if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {
system_error('request_tainting');
}
return true;
}

复制代码

暂时修改回去就ok了

来自潮儿布童（孩儿帮）论坛的临时处理方案：http://bbs.chaoerbutong.com

┾音乐_新秀 · 发表于 2013-11-24 13:24:12

小林在线发表于 2013-11-23 10:36
131122 source\class\discuz\discuz_application.php private function _xss_check()

350行左右

试了不行，要把你把改好的文件让我们下载吧

seess · 发表于 2013-11-24 14:08:17

\source\class\discuz的discuz_application.php
查找
      private function _xss_check() {

            static $check = array('"', '>', '<', '\'', '(', ')', 'CONTENT-TRANSFER-ENCODING');

            if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
                     system_error('request_tainting');
            }

            if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
                     $temp = $_SERVER['REQUEST_URI'];
            } elseif(empty ($_GET['formhash'])) {
                     $temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
            } else {
                     $temp = '';
            }

            if(!empty($temp)) {
                     $temp = strtoupper(urldecode(urldecode($temp)));
                     foreach ($check as $str) {
                              if(strpos($temp, $str) !== false) {
                                    system_error('request_tainting');
                              }
                     }
            }

            return true;
      }

替换为：
      private function _xss_check() {
            $temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));
            if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {
                     system_error('request_tainting');
            }
            return true;
      }

		自动登录	找回密码
密码			立即注册

[求助] 退出清理痕迹出现问题

本帖子中包含更多资源