【Patch name】
Patch for the image address filtering issue and the URLRewrite issue
【Severity】
Important; security related
【Affected versions】
Image address filtering issue: all MolyX versions (2.1.4, 2.5.0, 2.6.0, etc.)
URLRewrite issue: 2.6.1
【Patch installation instructions】
Files involved:
includes/functions.php
includes/functions_codeparse.php
Users of 2.6.1: download the attachment, extract it and overwrite the original forum files, then re-edit your rewrite rules as described later in this post.
Users who have already modified these 2.6.1 files, or who run 2.5.0 or 2.1.4, can apply the changes by hand following the manual modification instructions below.
【What the patch fixes】
When "allow dynamic addresses in IMG tags" is enabled in the admin panel, a post can embed login.php?do=logout as an image address, so every member who views that page is automatically logged out.
When static URLs (URL rewriting) are enabled, the digest (quintessence) feature does not work.
【Manual modification instructions】
File includes/functions_codeparse.php
Find
Code:
}
return '<img src="'.$url.'" border="0" onclick="javascript:window.open(this.src);" alt="" style="CURSOR: pointer" onload="javascript:if(this.width>screen.width-500)this.style.width=screen.width-500;" />';
Replace with
Code:
} else {
    if (preg_match("/login\.php/i", $url)) {
        return $default;
    }
}
return '<img src="'.$url.'" border="0" onclick="javascript:window.open(this.src);" alt="" style="CURSOR: pointer" onload="javascript:if(this.width>screen.width-500)this.style.width=screen.width-500;" />';
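The patch above rejects image addresses that mention login.php. As an added illustration (not MolyX code), the following PHP puts that denylist check next to an allowlist that still permits dynamic image addresses but only for named image-serving scripts; the script names in $image_scripts are assumed, and $default stands for the untouched [img] text the parser returns for a rejected URL.

```php
<?php
// Added example, not MolyX code: the patch's login.php denylist beside an
// allowlist that still permits "dynamic" image addresses. $default stands for
// the untouched [img] text the parser returns for a rejected URL; the script
// names in $image_scripts are assumed, not taken from MolyX.

// Allowlist: plain image files pass; a script passes only if it is a known
// image-serving script. Everything else is rejected, so rendering a post
// never makes a viewer's browser request a state-changing page.
function img_url_allowed($url, array $image_scripts)
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return false;                       // relative or malformed URL
    }
    if (!in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return false;                       // no javascript:, data:, ftp: ...
    }
    $segs = explode('/', strtolower($p['path']));
    $name = array_pop($segs);
    foreach ($segs as $s) {
        if (preg_match('/\.php[0-9]?$/', $s)) {
            return false;                   // script hidden before PATH_INFO
        }
    }
    if (preg_match('/\.php[0-9]?$/', $name)) {
        return in_array($name, $image_scripts, true);
    }
    return preg_match('/\.(gif|jpe?g|png)$/', $name) === 1;
}

function render_img($url, $default)
{
    $image_scripts = array('attachment.php', 'showimage.php'); // assumed names
    // First test is the check the patch adds; second is the allowlist above.
    if (preg_match("/login\.php/i", $url) || !img_url_allowed($url, $image_scripts)) {
        return $default;
    }
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES) . '" alt="" />';
}

// Constructed inputs: image and listed script pass, login.php fails both
// checks, profile.php passes the denylist but fails the allowlist.
foreach (array('http://example.com/pics/cat.jpg', 'http://example.com/attachment.php?attachmentid=7',
               'http://example.com/login.php?do=logout', 'http://example.com/profile.php?u=3') as $u) {
    echo $u, "\n  -> ", render_img($u, '[img]' . $u . '[/img]'), "\n";
}
```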
File includes/functions.php
Replace everything from
Code:
function rewritestatus($buffer)
{
through
Code:
return $buffer;
}
(both inclusive) with
Code:
function rewritestatus($buffer)
{
    $buffer = preg_replace("/forumdisplay.php[?]f=([0-9]+)(?:&|&amp;)st=([0-9]+)(?:&|&amp;)pp=([0-9]+)/i", "forum-\\1-\\2-\\3.html", $buffer);
    $buffer = preg_replace("/forumdisplay.php[?]f=([0-9]+)(?:&|&amp;)filter=quintessence(?:&|&amp;)pp=([0-9]+)/i", "forum-\\1-q-\\2.html", $buffer);
    $buffer = preg_replace("/forumdisplay.php[?]f=([0-9]+)(?:&|&amp;)filter=quintessence/i", "forum-\\1-q.html", $buffer);
    $buffer = preg_replace("/forumdisplay.php[?]f=([0-9]+)(?:&|&amp;)pp=([0-9]+)/i", "forum-\\1-\\2.html", $buffer);
    $buffer = preg_replace("/forumdisplay.php[?]f=([0-9]+)(?:&|&amp;)st=([0-9]+)/i", "forum-\\1-0-\\2.html", $buffer);
    $buffer = preg_replace("/forumdisplay.php[?]f=([0-9]+)/i", "forum-\\1.html", $buffer);
    $buffer = preg_replace("/profile.php[?]u=([0-9]+)/i", "user-\\1.html", $buffer);
    $buffer = preg_replace("/showthread.php[?]t=([0-9]+)(?:&|&amp;)pp=([0-9]+)/i", "thread-\\1-\\2.html", $buffer);
    $buffer = preg_replace("/showthread.php[?]t=([0-9]+)/i", "thread-\\1.html", $buffer);
    $buffer = preg_replace("/index.php[?]f([0-9]+)-([0-9]+).html/i", "f-\\1-\\2.html?", $buffer);
    $buffer = preg_replace("/index.php[?]f([0-9]+).html/i", "f-\\1-0.html?", $buffer);
    $buffer = preg_replace("/index.php[?]t([0-9]+)-([0-9]+).html/i", "t-\\1-\\2.html?", $buffer);
    $buffer = preg_replace("/index.php[?]t([0-9]+).html/i", "t-\\1-0.html?", $buffer);
    $buffer = preg_replace("/html(?:&|&amp;)extra=[^'\" >\/]*/i", "html", $buffer);
    return $buffer;
}
【URLRewrite rule changes】
If you write the rules directly in httpd.conf, change them to
Code:
RewriteRule ^(.*)/forum-([0-9]+)-([0-9]+)-([0-9]+)\.html(.*)$ $1/forumdisplay.php?f=$2&st=$4&pp=$3&$5
RewriteRule ^(.*)/forum-([0-9]+)-([0-9]+)\.html(.*)$ $1/forumdisplay.php?f=$2&pp=$3&$4
RewriteRule ^(.*)/forum-([0-9]+)-q-([0-9]+)\.html(.*)$ $1/forumdisplay.php?f=$2&filter=quintessence&pp=$3&$4
RewriteRule ^(.*)/forum-([0-9]+)-q\.html(.*)$ $1/forumdisplay.php?f=$2&filter=quintessence&$3
RewriteRule ^(.*)/forum-([0-9]+)\.html(.*)$ $1/forumdisplay.php?f=$2&$3
RewriteRule ^(.*)/thread-([0-9]+)-([0-9]+)\.html(.*)$ $1/showthread.php?t=$2&pp=$3&$4
RewriteRule ^(.*)/thread-([0-9]+)\.html(.*)$ $1/showthread.php?t=$2&$3
RewriteRule ^(.*)/user-([0-9]+)\.html $1/profile.php?u=$2 [L]
RewriteRule ^(.*)/archive/f-([0-9]+)-([0-9]+)\.html $1/index.php?f$2-$3.html [L]
RewriteRule ^(.*)/archive/t-([0-9]+)-([0-9]+)\.html $1/index.php?t$2-$3.html [L]
If you set the rules in .htaccess, change them to
Code:
RewriteRule forum-([0-9]+)-([0-9]+)-([0-9]+)\.html forumdisplay.php?f=$1&st=$3&pp=$2&$4
RewriteRule forum-([0-9]+)-([0-9]+)\.html forumdisplay.php?f=$1&pp=$2&$3
RewriteRule forum-([0-9]+)-q-([0-9]+)\.html forumdisplay.php?f=$1&filter=quintessence&pp=$2
RewriteRule forum-([0-9]+)-q\.html forumdisplay.php?f=$1&filter=quintessence
RewriteRule forum-([0-9]+)\.html forumdisplay.php?f=$1
RewriteRule thread-([0-9]+)-([0-9]+)\.html showthread.php?t=$1&pp=$2&$3
RewriteRule thread-([0-9]+)\.html showthread.php?t=$1&$2
RewriteRule user-([0-9]+)\.html profile.php?u=$1
RewriteRule archive/f-([0-9]+)-([0-9]+)\.html archive/index.php?f$1-$2.html
RewriteRule archive/t-([0-9]+)-([0-9]+)\.html archive/index.php?t$1-$2.html
Under IIS, replace the contents of httpd.ini with
Code:
[ISAPI_Rewrite]
# 3600 = 1 hour
CacheClockRate 3600
RepeatLimit 32
# Protect httpd.ini and httpd.parse.errors files
# from accessing through HTTP
RewriteRule ^(.*)/forum-([0-9]+)-([0-9]+)-([0-9]+)\.html(.*)$ $1/forumdisplay\.php\?f=$2&st=$3&pp=$4&$5
RewriteRule ^(.*)/forum-([0-9]+)-([0-9]+)\.html(.*)$ $1/forumdisplay\.php\?f=$2&pp=$3&$4
RewriteRule ^(.*)/forum-([0-9]+)-q\.html(.*)$ $1/forumdisplay\.php\?f=$2&filter=quintessence&$3
RewriteRule ^(.*)/forum-([0-9]+)-q-([0-9]+)\.html(.*)$ $1/forumdisplay\.php\?f=$2&filter=quintessence&pp=$3&$4
RewriteRule ^(.*)/forum-([0-9]+)\.html(.*)$ $1/forumdisplay\.php\?f=$2&$3
RewriteRule ^(.*)/thread-([0-9]+)-([0-9]+)\.html(.*)$ $1/showthread\.php\?t=$2&pp=$3&$4
RewriteRule ^(.*)/thread-([0-9]+)\.html(.*)$ $1/showthread\.php\?t=$2&$3
RewriteRule ^(.*)/user-([0-9]+)\.html(.*)$ $1/profile\.php\?u=$2
RewriteRule ^(.*)/archive/f-([0-9]+)-([0-9]+)\.html\?$ $1/archive/index\.php\?f$2-$3.html
RewriteRule ^(.*)/archive/t-([0-9]+)-([0-9]+)\.html\?$ $1/archive/index\.php\?t$2-$3.html
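The rewritestatus() function and the RewriteRule sets above only work as a pair if the filter=quintessence rules run before the generic f=N rule. As an added illustration (not MolyX code), this PHP applies a subset of the patched preg_replace() rules in both orders and then maps the result back with a plain-PHP imitation of the .htaccess rules, showing that only the patched order keeps the digest filter.

```php
<?php
// Added example, not MolyX code. Shows why the order of the preg_replace()
// calls in the patched rewritestatus() matters: the filter=quintessence rules
// must run before the generic "f=N" rule, or a digest link is mangled before
// the web server's RewriteRule can map it back. $to_static is a subset of
// the page's function; $from_static mimics the .htaccess rules in plain PHP.

$to_static = array(
    '/forumdisplay.php[?]f=([0-9]+)(?:&|&amp;)filter=quintessence(?:&|&amp;)pp=([0-9]+)/i' => 'forum-\\1-q-\\2.html',
    '/forumdisplay.php[?]f=([0-9]+)(?:&|&amp;)filter=quintessence/i' => 'forum-\\1-q.html',
    '/forumdisplay.php[?]f=([0-9]+)(?:&|&amp;)pp=([0-9]+)/i' => 'forum-\\1-\\2.html',
    '/forumdisplay.php[?]f=([0-9]+)/i' => 'forum-\\1.html',
);
$from_static = array(   // RewriteRule pattern => substitution
    '#forum-([0-9]+)-q-([0-9]+)\.html#' => 'forumdisplay.php?f=$1&filter=quintessence&pp=$2',
    '#forum-([0-9]+)-q\.html#' => 'forumdisplay.php?f=$1&filter=quintessence',
    '#forum-([0-9]+)-([0-9]+)\.html#' => 'forumdisplay.php?f=$1&pp=$2',
    '#forum-([0-9]+)\.html#' => 'forumdisplay.php?f=$1',
);

// Output-buffer side: every rule is applied in turn, like rewritestatus().
function to_static($url, array $rules)
{
    foreach ($rules as $pat => $rep) {
        $url = preg_replace($pat, $rep, $url);
    }
    return $url;
}

// Web-server side: the first rule whose pattern matches anywhere in the
// path wins, and its substitution replaces the whole path.
function from_static($path, array $rules)
{
    foreach ($rules as $pat => $rep) {
        if (preg_match($pat, $path, $m)) {
            for ($i = count($m) - 1; $i >= 1; $i--) {
                $rep = str_replace('$' . $i, $m[$i], $rep);
            }
            return $rep;
        }
    }
    return $path;                          // no rule matched
}

$link = 'forumdisplay.php?f=5&filter=quintessence&pp=20';   // constructed link
$good = to_static($link, $to_static);                      // forum-5-q-20.html
$bad  = to_static($link, array_reverse($to_static, true)); // forum-5.html&filter=quintessence&pp=20
echo "patched order: $good -> ", from_static($good, $from_static), "\n"; // filter survives
echo "generic first: $bad -> ", from_static($bad, $from_static), "\n";   // filter is lost
```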