From 092411cd2dfb1cd1650483b73502ee1e5c80b984 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=81=E5=91=A8=E9=83=A8=E8=90=BD?= Date: Mon, 6 Jan 2020 18:05:28 +0800 Subject: [PATCH 1/4] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20UCenter=E5=88=9B?= =?UTF-8?q?=E5=A7=8B=E4=BA=BA=E5=AF=86=E7=A0=81=E7=88=86=E7=A0=B4=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- upload/uc_server/control/admin/setting.php | 7 +++- upload/uc_server/control/app.php | 34 +++++++++++++++++++ upload/uc_server/install/uc.sql | 1 + upload/uc_server/view/default/admin_app.htm | 1 + .../uc_server/view/default/admin_setting.htm | 10 ++++++ .../uc_server/view/default/templates.lang.php | 4 ++- 6 files changed, 55 insertions(+), 2 deletions(-) diff --git a/upload/uc_server/control/admin/setting.php b/upload/uc_server/control/admin/setting.php index 88b05f223..8d95f12ba 100644 --- a/upload/uc_server/control/admin/setting.php +++ b/upload/uc_server/control/admin/setting.php @@ -15,7 +15,8 @@ class control extends adminbase { 'dateformat', 'timeoffset', 'timeformat', 'extra', 'maildefault', 'mailsend', 'mailserver', 'mailport', 'mailauth', 'mailfrom', 'mailauth_username', 'mailauth_password', 'maildelimiter', 'mailusername', 'mailsilent', 'pmcenter', 'privatepmthreadlimit', 'chatpmthreadlimit', - 'chatpmmemberlimit', 'pmfloodctrl', 'sendpmseccode', 'pmsendregdays', 'login_failedtime'); + 'chatpmmemberlimit', 'pmfloodctrl', 'sendpmseccode', 'pmsendregdays', 'login_failedtime', + 'addappbyurl'); function __construct() { $this->control(); 
@@ -45,6 +46,7 @@ class control extends adminbase { $pmcenter = getgpc('pmcenter', 'P'); $sendpmseccode = getgpc('sendpmseccode', 'P'); $login_failedtime = getgpc('login_failedtime', 'P'); + $addappbyurl = getgpc('addappbyurl', 'P'); $dateformat = str_replace(array('yyyy', 'mm', 'dd'), array('y', 'n', 'j'), strtolower($dateformat)); $timeformat = $timeformat == 1 ? 'H:i' : 'h:i A'; $timeoffset = in_array($timeoffset, array('-12', '-11', '-10', '-9', '-8', '-7', '-6', '-5', '-4', '-3.5', '-3', '-2', '-1', '0', '1', '2', '3', '3.5', '4', '4.5', '5', '5.5', '5.75', '6', '6.5', '7', '8', '9', '9.5', '10', '11', '12')) ? $timeoffset : 8; @@ -61,6 +63,7 @@ class control extends adminbase { $this->set_setting('pmcenter', $pmcenter); $this->set_setting('sendpmseccode', $sendpmseccode ? 1 : 0); $this->set_setting('login_failedtime', intval($login_failedtime) > 0 ? intval($login_failedtime) : 0); + $this->set_setting('addappbyurl', $addappbyurl); $updated = true; $this->updatecache(); @@ -86,9 +89,11 @@ class control extends adminbase { $this->view->assign('pmfloodctrl', $settings['pmfloodctrl']); $pmcenterchecked = array($settings['pmcenter'] => 'checked="checked"'); $pmcenterchecked['display'] = $settings['pmcenter'] ? '' : 'style="display:none"'; + $addappbyurlchecked = array($settings['addappbyurl'] => 'checked="checked"'); $this->view->assign('pmcenter', $pmcenterchecked); $sendpmseccodechecked = array($settings['sendpmseccode'] => 'checked="checked"'); $this->view->assign('sendpmseccode', $sendpmseccodechecked); + $this->view->assign('addappbyurl', $addappbyurlchecked); $timeoffset = intval($settings['timeoffset'] / 3600); $checkarray = array($timeoffset < 0 ? '0'.substr($timeoffset, 1) : $timeoffset => 'selected="selected"'); $this->view->assign('checkarray', $checkarray); diff --git a/upload/uc_server/control/app.php b/upload/uc_server/control/app.php index a829d70f5..bfc1c87d8 100644 --- a/upload/uc_server/control/app.php +++ b/upload/uc_server/control/app.php 
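Review bot: `$this->set_setting('addappbyurl', $addappbyurl);` in the @@ -61 hunk stores the raw POST value, whereas the neighbouring `sendpmseccode` line normalises to 0/1 and `login_failedtime` is coerced with `intval`; the value is later read as a boolean (`!$this->settings['addappbyurl']` in app.php) and used as an array key for the `checked` lookup in the @@ -86 hunk, so any non-empty string would switch the feature on. Change it to `$this->set_setting('addappbyurl', $addappbyurl ? 1 : 0);` so it matches the sibling settings and only ever holds 0 or 1. The settings-saving method this sits in starts before the hunk and continues after it.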
@@ -18,6 +18,7 @@ class appcontrol extends base { function appcontrol() { parent::__construct(); $this->load('app'); + $this->load('user'); } function onls() { @@ -46,10 +47,16 @@ class appcontrol extends base { $apifilename = $apifilename ? $apifilename : 'uc.php'; + if(!$this->settings['addappbyurl'] || !$_ENV['user']->can_do_login('UCenterAdministrator', $this->onlineip)) { + exit('-1'); + } + if(md5(md5($ucfounderpw).UC_FOUNDERSALT) == UC_FOUNDERPW || (strlen($ucfounderpw) == 32 && $ucfounderpw == md5(UC_FOUNDERPW))) { @ob_start(); $return = ''; + $this->_writelog('login', 'succeed_by_url_add_app'); + $app = $this->db->fetch_first("SELECT * FROM ".UC_DBTABLEPRE."applications WHERE url='$appurl' AND type='$apptype'"); if(empty($app)) { @@ -72,6 +79,8 @@ class appcontrol extends base { "); $appid = $this->db->insert_id(); + $this->_writelog('app_add', "appid=$appid; appname=$appname; by=url_add"); + $_ENV['app']->alter_app_table($appid, 'ADD'); $return = "$authkey|$appid|".UC_DBHOST.'|'.UC_DBNAME.'|'.UC_DBUSER.'|'.UC_DBPW.'|'.UC_DBCHARSET.'|'.UC_DBTABLEPRE.'|'.UC_CHARSET; $this->load('cache'); @@ -89,6 +98,11 @@ class appcontrol extends base { @ob_end_clean(); exit($return); } else { + $pwlen = strlen($ucfounderpw); + $this->_writelog('login', 'error_by_url_add_app: user=UCenterAdministrator; password='.($pwlen > 2 ? preg_replace("/^(.{".round($pwlen / 4)."})(.+?)(.{".round($pwlen / 6)."})$/s", "\\1***\\3", $ucfounderpw) : $ucfounderpw)); + + $_ENV['user']->loginfailed('UCenterAdministrator', $this->onlineip); + exit('-1'); } } 
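Review bot: The new `addappbyurl` / `can_do_login()` gate in the @@ -46 hunk is correctly placed before the founder-password check, but the comparison it protects, on the context line directly below it, still uses loose `==` on both md5 digests; in PHP `==` between digest strings follows numeric-string comparison rules and is not a constant-time compare. Since this commit is the hardening of exactly that check, replace the two comparisons with `hash_equals(UC_FOUNDERPW, md5(md5($ucfounderpw).UC_FOUNDERSALT))` and `hash_equals(md5(UC_FOUNDERPW), $ucfounderpw)` (keeping the `strlen($ucfounderpw) == 32` guard). Whether a successful login resets the counter that `loginfailed()` increments is not visible here. The enclosing method starts before the hunk.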
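Review bot: The failure branch in the @@ -89 hunk writes part of the submitted founder password into the audit log: the regex keeps the first `round($pwlen / 4)` and last `round($pwlen / 6)` characters, and for `$pwlen <= 2` the value is logged unmasked; `_writelog()` stores this under `UC_ROOT./data/logs/` as a `.php` file, so credential fragments persist on disk next to the application. An audit record of a failed attempt needs the user, IP, time and outcome, not the credential, so replace that line with `$this->_writelog('login', 'error_by_url_add_app: user=UCenterAdministrator; pwlen='.$pwlen);` or drop `$pwlen` entirely. Calling `loginfailed()` before `exit('-1')` is correct; note the response is identical to the feature-disabled case, so operators must rely on the log to tell them apart.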
@@ -135,6 +149,26 @@ class appcontrol extends base { } return $arr; } + + function _writelog($action, $extra = '') { + $log = dhtmlspecialchars('UCenterAdministrator'."\t".$this->onlineip."\t".$this->time."\t$action\t$extra"); + $logfile = UC_ROOT.'./data/logs/'.gmdate('Ym', $this->time).'.php'; + if(@filesize($logfile) > 2048000) { + PHP_VERSION < '4.2.0' && mt_srand((double)microtime() * 1000000); + $hash = ''; + $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz'; + for($i = 0; $i < 4; $i++) { + $hash .= $chars[mt_rand(0, 61)]; + } + @rename($logfile, UC_ROOT.'./data/logs/'.gmdate('Ym', $this->time).'_'.$hash.'.php'); + } + if($fp = @fopen($logfile, 'a')) { + @flock($fp, 2); + @fwrite($fp, "\t".str_replace(array('', ' \ No newline at end of file diff --git a/upload/uc_server/install/uc.sql b/upload/uc_server/install/uc.sql index d1d7a7a12..a60975cc4 100644 --- a/upload/uc_server/install/uc.sql +++ b/upload/uc_server/install/uc.sql @@ -102,6 +102,7 @@ REPLACE INTO uc_settings(k, v) VALUES ('pmfloodctrl','15'); REPLACE INTO uc_settings(k, v) VALUES ('pmcenter','1'); REPLACE INTO uc_settings(k, v) VALUES ('sendpmseccode','1'); REPLACE INTO uc_settings(k, v) VALUES ('pmsendregdays','0'); +REPLACE INTO uc_settings(k, v) VALUES ('addappbyurl','0'); REPLACE INTO uc_settings(k, v) VALUES ('maildefault', 'username@21cn.com'); REPLACE INTO uc_settings(k, v) VALUES ('mailsend', '1'); REPLACE INTO uc_settings(k, v) VALUES ('mailserver', 'smtp.21cn.com'); diff --git a/upload/uc_server/view/default/admin_app.htm b/upload/uc_server/view/default/admin_app.htm index ea9ed873b..99b512559 100644 --- a/upload/uc_server/view/default/admin_app.htm +++ b/upload/uc_server/view/default/admin_app.htm @@ -62,6 +62,7 @@ window.onload = testlink;
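Review bot: `@flock($fp, 2)` in the new `_writelog()` uses a bare magic number for the lock mode; write `flock($fp, LOCK_EX)` so the intent is readable, and because this file is the security audit trail, check the `fopen`/`fwrite` results instead of silencing them with `@` — a failed audit write should be reported rather than lost silently. `PHP_VERSION < '4.2.0' && mt_srand(...)` is dead on any supported PHP and can be dropped; `mt_rand` is fine for the rotation suffix since it only de-duplicates filenames. The tail of the method after `str_replace(array('` is not legible in this view (the neutralisation of PHP open/close tags in the log line and the `fclose` are cut off), so the rest of the write path is unverified here. The method has no visibility keyword, consistent with the file's PHP4-style classes, but a docblock would help: `/** Append one tab-separated audit line (user, ip, time, action, extra) to data/logs/<Ym>.php, rotating the file once it exceeds 2048000 bytes. Internal use only. */`.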

{lang app_add}{lang app_list_return}

+

{lang app_not_add_tips}

diff --git a/upload/uc_server/view/default/admin_setting.htm b/upload/uc_server/view/default/admin_setting.htm index 7e61f414c..5e446a16f 100644 --- a/upload/uc_server/view/default/admin_setting.htm +++ b/upload/uc_server/view/default/admin_setting.htm @@ -137,6 +137,16 @@ + + + + + + +
{lang setting_sendpmseccode_comment}
{lang setting_addappbyurl}:
+ + + {lang setting_addappbyurl_comment}
diff --git a/upload/uc_server/view/default/templates.lang.php b/upload/uc_server/view/default/templates.lang.php index 4a1acb051..82ec27e4c 100644 --- a/upload/uc_server/view/default/templates.lang.php +++ b/upload/uc_server/view/default/templates.lang.php @@ -187,7 +187,7 @@ $languages = array( 'app_api_filename_comment' => '应用接口文件名称,不含路径,默认为uc.php', 'app_code' => '应用的 UCenter 配置信息', 'app_code_comment' => '当应用的 UCenter 配置信息丢失时可复制左侧的代码到应用的配置文件中', - + 'app_not_add_tips' => '不能通过 URL 添加应用的可能原因:1. 通过 URL 添加应用开关被关闭;2. 连续多次错误输入 UCenter 创始人密码', 'tag_tips' => '设置当前应用获取其他应用标签数据的比例以及扩展数据模板。模板中“{xxx}”表示标签数据的索引,代表相应的数据。', 'tag_global_template' => '全局模板', @@ -300,6 +300,8 @@ $languages = array( 'setting_chatpmmemberlimit_comment' => '同一会话最多能有多少用户参与设置,建议在 30 - 100 范围内取值,0为不限制', 'setting_pmfloodctrl' => '发短消息灌水预防', 'setting_pmfloodctrl_comment' => '两次发短消息间隔小于此时间,单位秒,0 为不限制,此举为了限制通过机器批量发广告', + 'setting_addappbyurl' => '启用通过 URL 添加应用功能', + 'setting_addappbyurl_comment' => '是否启用通过 URL 添加应用功能,建议只有必须通过 URL 添加应用时开启', 'setting_user_failedtime' => '允许用户登录失败次数', 'setting_user_failedtime_comment' => '用户登录失败超过设置的数据,将在15分钟内无法登录,0为不限制次数', -- Gitee From 37ed1d0e47b145fd9d4171eea918e0614da83a99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=81=E5=91=A8=E9=83=A8=E8=90=BD?= Date: Mon, 6 Jan 2020 19:43:14 +0800 Subject: [PATCH 2/4] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20UCenter=E5=88=9B?= =?UTF-8?q?=E5=A7=8B=E4=BA=BA=E5=AF=86=E7=A0=81=E7=88=86=E7=A0=B4=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- upload/uc_server/control/app.php | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/upload/uc_server/control/app.php b/upload/uc_server/control/app.php index bfc1c87d8..5effb77b0 100644 --- a/upload/uc_server/control/app.php +++ b/upload/uc_server/control/app.php 
@@ -154,18 +154,18 @@ class appcontrol extends base { $log = dhtmlspecialchars('UCenterAdministrator'."\t".$this->onlineip."\t".$this->time."\t$action\t$extra"); $logfile = UC_ROOT.'./data/logs/'.gmdate('Ym', $this->time).'.php'; if(@filesize($logfile) > 2048000) { - PHP_VERSION < '4.2.0' && mt_srand((double)microtime() * 1000000); - $hash = ''; - $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz'; - for($i = 0; $i < 4; $i++) { - $hash .= $chars[mt_rand(0, 61)]; - } - @rename($logfile, UC_ROOT.'./data/logs/'.gmdate('Ym', $this->time).'_'.$hash.'.php'); + PHP_VERSION < '4.2.0' && mt_srand((double)microtime() * 1000000); + $hash = ''; + $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz'; + for($i = 0; $i < 4; $i++) { + $hash .= $chars[mt_rand(0, 61)]; + } + @rename($logfile, UC_ROOT.'./data/logs/'.gmdate('Ym', $this->time).'_'.$hash.'.php'); } if($fp = @fopen($logfile, 'a')) { - @flock($fp, 2); - @fwrite($fp, "\t".str_replace(array('', '\t".str_replace(array('', ' Date: Mon, 6 Jan 2020 22:10:27 +0800 Subject: [PATCH 3/4] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20UCenter=E5=88=9B?= =?UTF-8?q?=E5=A7=8B=E4=BA=BA=E5=AF=86=E7=A0=81=E7=88=86=E7=A0=B4=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- upload/uc_server/control/app.php | 1 + 1 file changed, 1 insertion(+) diff --git a/upload/uc_server/control/app.php b/upload/uc_server/control/app.php index 5effb77b0..874d4ba75 100644 --- a/upload/uc_server/control/app.php +++ b/upload/uc_server/control/app.php @@ -93,6 +93,7 @@ class appcontrol extends base { $_ENV['note']->add('updateapps', '', $this->serialize($notedata, 1)); $_ENV['note']->send(); } else { + $this->_writelog('app_queryinfo', "appid=$app[appid]; by=url_add"); $return = "$app[authkey]|$app[appid]|".UC_DBHOST.'|'.UC_DBNAME.'|'.UC_DBUSER.'|'.UC_DBPW.'|'.UC_DBCHARSET.'|'.UC_DBTABLEPRE.'|'.UC_CHARSET; } @ob_end_clean(); -- Gitee 
From 8c0f4d132673dd7218875ff5c102ab0fa512c6b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=80=81=E5=91=A8=E9=83=A8=E8=90=BD?= Date: Mon, 6 Jan 2020 22:32:54 +0800 Subject: [PATCH 4/4] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20UCenter=E5=88=9B?= =?UTF-8?q?=E5=A7=8B=E4=BA=BA=E5=AF=86=E7=A0=81=E7=88=86=E7=A0=B4=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- upload/install/include/install_lang.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/upload/install/include/install_lang.php b/upload/install/include/install_lang.php index 2edff7556..500dd6442 100644 --- a/upload/install/include/install_lang.php +++ b/upload/install/include/install_lang.php @@ -124,7 +124,7 @@ $lang = array( 'uc_url_invalid' => 'URL 格式错误', 'uc_url_unreachable' => 'UCenter 的 URL 地址可能填写错误,请检查', 'uc_ip_invalid' => '无法解析该域名,请填写站点的 IP', - 'uc_admin_invalid' => 'UCenter 创始人密码错误,请重新填写', + 'uc_admin_invalid' => 'UCenter 创始人密码校验未通过, 可能原因有:
1. UCenter 创始人密码不正确
2. 多次错误输入密码导致创始人用户和 IP 地址被锁定
3. UCenter 后台 “ 通过 URL 添加应用功能 ” 未开启', 'uc_data_invalid' => '通信失败,请检查 UCenter 的URL 地址是否正确 ', 'uc_dbcharset_incorrect' => 'UCenter 数据库字符集与当前应用字符集不一致', 'uc_api_add_app_error' => '向 UCenter 添加应用错误', -- Gitee