From 388672247eb2584b6403c6fda0135619dc308543 Mon Sep 17 00:00:00 2001
From: Devil
Date: Sat, 15 May 2021 23:49:49 +0800
Subject: [PATCH] =?UTF-8?q?=E6=96=87=E4=BB=B6=E4=B8=8B=E8=BD=BD=E5=AE=89?= =?UTF-8?q?=E5=85=A8=E4=BC=98=E5=8C=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/index/controller/Qrcode.php | 7 +++----
 extend/base/Qrcode.php | 12 +++++++++++-
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/application/index/controller/Qrcode.php b/application/index/controller/Qrcode.php
index dbcce7825..7e2373cc8 100755
--- a/application/index/controller/Qrcode.php
+++ b/application/index/controller/Qrcode.php
@@ -56,13 +56,12 @@ class QrCode extends Common
 public function Download()
 {
 $params = input();
- if(empty($params['url']))
+ $ret = (new \base\Qrcode())->Download($params);
+ if(!empty($ret) && isset($ret['code']) && $ret['code'] != 0)
 {
- $this->assign('msg', 'url参数为空');
+ $this->assign('msg', $ret['msg']);
 return $this->fetch('public/tips_error');
 }
-
- (new \base\Qrcode())->Download($params);
 }
 }
 ?>
\ No newline at end of file
diff --git a/extend/base/Qrcode.php b/extend/base/Qrcode.php
index 135ae962c..803d298d0 100644
--- a/extend/base/Qrcode.php
+++ b/extend/base/Qrcode.php
@@ -180,7 +180,17 @@ class Qrcode
 public function Download($params = [])
 {
 // 图片地址
- $url = base64_decode(urldecode($params['url']));
+ $url = empty($params['url']) ? '' : base64_decode(urldecode($params['url']));
+ if(empty($url))
+ {
+ return DataReturn('url地址有误', -1);
+ }
+
+ // 域名验证、仅支持下载当前域名下的文件
+ if(GetUrlHost(__MY_HOST__) != GetUrlHost($url))
+ {
+ return DataReturn('url地址非法', -1);
+ }
 // 随机文件名
 $filename = empty($params['filename']) ? date('YmdHis').GetNumberCode().'.png' : $params['filename'].'.png';
--
GitLab
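Review bot: The controller's `Download()` now depends on an undocumented return contract of `\base\Qrcode::Download()`, because the error branch only fires when an array with a non-zero `code` comes back and every other result falls off the end of the method. From the second hunk it looks as if the library method returns a `DataReturn(...)` array on rejection and otherwise sends the file itself, but the success path is outside this diff, so that is an inference. I would record the contract above the call, for example `// base\Qrcode::Download() returns a DataReturn array only on failure; on success it is expected to have sent the file already`. It is also worth confirming that no success path can return a `code` that `!= 0` would misjudge under loose comparison.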
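Review bot: The new same-host guard in `Qrcode::Download()` never constrains the URL scheme, and it compares the `GetUrlHost()` results with a loose `!=`, so how well it restricts the download depends on a helper whose parsing is not visible in this hunk. The method body continues outside the hunk; if the code below fetches `$url` with a stream-aware function, I would also require http/https and compare strictly, e.g. `if(!in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true) || GetUrlHost(__MY_HOST__) !== GetUrlHost($url))`. If that fetch follows redirects, the host check on the initial URL alone does not bound the final target. `base64_decode()` is called without its strict flag, so malformed input is decoded leniently; passing `true` as the second argument makes it return `false`, which the existing `empty($url)` guard already rejects. The `filename` parameter on the context line below is still taken from the request unfiltered, so it should be reduced to a safe character set before it reaches any response header.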