From 5eb8fc817227e508f87f97bd1b9c2af4dc26e31c Mon Sep 17 00:00:00 2001 From: ifwlzs <49548316+ifwlzs@users.noreply.github.com> Date: Mon, 4 Oct 2021 18:57:06 +0800 Subject: [PATCH 1/6] Update readme.md --- readme.md | 333 +++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 240 insertions(+), 93 deletions(-) diff --git a/readme.md b/readme.md index 80b2778..5e50b51 100644 --- a/readme.md +++ b/readme.md 
@@ -1,136 +1,283 @@ # NOTICE: the release is used as archive. + # 注意:release只是用来存档的。 + Please read the descriptions of settings before raising an issue. -请将设置中所有的设置项的说明都读一遍,有些问题就不用问了。 + +> 请将设置中所有的设置项的说明都读一遍,有些问题就不用问了。 + +--- # Deploy to Heroku -Official: https://heroku.com -Demo: https://herooneindex.herokuapp.com/ -How to Install: +### Official + +​ https://heroku.com + +### Demo + +​ https://herooneindex.herokuapp.com/ + +### How to Install + > ~~Click the button [![Deploy](https://www.herokucdn.com/deploy/button.svg)](https://heroku.com/deploy) to Deploy a new app~~(`"We couldn't deploy your app because the source code violates the Salesforce Acceptable Use and External-Facing Services Policy."`) +> > Fork this project, create a heroku app, then turn to Deploy tab, deploy via connect to your github fork. +--- # Deploy to Glitch -Official: https://glitch.com/ -Demo: https://onemanager.glitch.me/ -How to Install: New Project -> Import form Github -> paste "https://github.com/qkqpttgf/OneManager-php", after done, Show -> In a New Window. +### Official +​ https://glitch.com/ + +### Demo + +​ https://onemanager.glitch.me/ + +### How to Install + +​ New Project -> Import form Github -> paste "https://github.com/qkqpttgf/OneManager-php", after done, Show -> In a New Window. + +--- # Deploy to Vercel -Official: https://vercel.com/ -Demo: null -Notice: -> 1, you must wait 30-50s to make sure deploy READY after change config; -> 2, Vercel limit 100 deploy every day. -How to Install: https://scfonedrive.github.io/Vercel/Deploy.html . +### Official +​ https://vercel.com/ + +### Demo + +​ null + +### Notice + +> 1. you must wait 30-50s to make sure deploy READY after change config; +> +> 2. Vercel limit 100 deploy every day. + +### How to Install + +​ https://scfonedrive.github.io/Vercel/Deploy.html . 
+ +--- # Deploy to Tencent Serverless Cloud Function (SCF 腾讯无服务器云函数) -Official: https://cloud.tencent.com/product/scf -DEMO: 无 -注意:SCF新增限制,环境变量整体最大4KB,所以最多添加4个盘。 -How to Install: -1,进入函数服务,上方选择地区,然后点击新建。 -2,输入函数名称,选择模板函数,在模糊搜索中输入onedrive,大小写随意,选择那个【获取onedrive信息.....】,点下一步,在代码界面不用动,直接点完成。 -3,点击触发管理,创建触发器,触发方式改成API网关触发,底下勾选启用集成响应,提交。 -4,在触发管理中可以看到一个 访问路径,访问它,开始安装。 +### Official -(重点:勾选集成响应) - -添加网盘时,SCF可能会反应不过来,不跳转到微软,导致添加失败,请不要删除这个盘,再添加一次相同标签的盘就可以了。 +​ https://cloud.tencent.com/product/scf + +### DEMO + +​ 暂无 + +### 注意事项 + +​ SCF新增限制,环境变量整体最大4KB,所以最多添加4个盘。 + +### How to Install + +1. 进入函数服务,上方选择地区,然后点击新建。 + +2. 输入函数名称,选择模板函数,在模糊搜索中输入onedrive,大小写随意,选择那个【获取onedrive信息.....】,点下一步,在代码界面不用动,直接点完成。 + +3. 点击触发管理,创建触发器,触发方式改成API网关触发,底下勾选启用集成响应,提交。 + +4. 在触发管理中可以看到一个 访问路径,访问它,开始安装。 + + (重点:**勾选集成响应**) + +> **添加网盘时,SCF可能会反应不过来,不跳转到微软,导致添加失败,请不要删除这个盘,再添加一次相同标签的盘就可以了。** + +---- # Deploy to Huawei cloud Function Graph (FG 华为云函数工作流) -Official: https://console.huaweicloud.com/functiongraph/ -DEMO: 无 -注意:FG中,环境变量整体大小为2KB,所以最多添加2个盘(一个onedrive一个aliyundrive)。 -How to Install: - 1,在函数列表,点右边创建函数 - 2,输入名称,选择运行时语言为PHP7.3,点上传ZIP文件,选择文件,然后点右边的创建函数(这里的ZIP文件不能直接用从Github上下载的ZIP文件,要将它解压后,去掉外层文件夹后,再压缩为ZIP。) - 3,创建触发器:选API网关,安全认证选None,后端超时(毫秒)将5000改成30000,上面创建分组一下,其它的点点点 - 4,访问触发器给的url,开始安装 - 5,在触发器界面点触发器名称,跳到API网关管理,右边更多URL,可以添加自定义域名,自定义域名后发现还是要 xxxx.com/函数名 来访问,点上方的编辑,第1页不用改,点下一步,请求Path改成/,注意匹配模式是前缀匹配,Method为ANY,然后不用点下一步了,点立即完成,然后去发布生效 +### Official +​ https://console.huaweicloud.com/functiongraph/ + +### DEMO + +​ 暂无 + +### 注意事项 + +​ FG中,环境变量整体大小为2KB,所以最多添加2个盘(一个onedrive一个aliyundrive)。 + +### How to Install + +1. 在函数列表,点右边创建函数 +2. 输入名称,选择运行时语言为PHP7.3,点上传ZIP文件,选择文件,然后点右边的创建函数(这里的ZIP文件不能直接用从Github上下载的ZIP文件,要将它解压后,去掉外层文件夹后,再压缩为ZIP。) +3. 创建触发器:选API网关,安全认证选None,后端超时(毫秒)将5000改成30000,上面创建分组一下,其它的点点点 +4. 访问触发器给的url,开始安装 +5. 
在【触发器界面】点【触发器名称】,跳到API网关管理,右边【更多URL】,可以添加自定义域名,自定义域名后发现还是要 xxxx.com/函数名 来访问,点上方的【编辑】,第1页不用改,点【下一步】,**请求Path改成/**,注意匹配模式是前缀匹配,Method为ANY,然后不用点下一步了,点【立即完成】,然后去【发布】生效 + +---- # Deploy to Aliyun Function Compute (FC 阿里云函数计算) -Official: https://fc.console.aliyun.com/ -DEMO: 无 -How to Install: - 1,新建函数 -- HTTP函数 - 2,运行环境选择php7.2 - 3,触发器认证方式选择anonymous,请求方式里面,点一下GET,再点一下POST,最终框框里面有这2个 - 4,上传代码 - 5,触发器中点进去,找到配置自定义域名,点击前往,创建,路径中填 /* ,其它下拉选择。 - 6,访问你的域名,开始安装 +### Official: +​ https://fc.console.aliyun.com/ + +### DEMO + +​ 无 + +### How to Install + +1. 新建函数 -- HTTP函数 +2. 运行环境选择php7.2 +3. 触发器认证方式选择anonymous,请求方式里面,点一下GET,再点一下POST,最终框框里面有这2个 +4. 上传代码 +5. 触发器中点进去,找到配置自定义域名,点击前往,创建,路径中填 /* ,其它下拉选择。 +6. 访问你的域名,开始安装 + +--- # Deploy to Baidu Cloud Function Compute (CFC 百度云函数计算) -Official: https://console.bce.baidu.com/cfc/#/cfc/functions -DEMO: 无 -自定义域名需要另外使用API网关,并备案。 -How to Install: - 1,在函数列表,点创建函数 - 2,创建方式改为空白函数,点下一步 - 3,输入名称,选择运行时为PHP7.2,点下一步 - 4,触发器:下拉选择HTTP触发器,URL路径填 /{filepath+} ,HTTP方法全选,身份验证:不验证,点提交 - 5,进入代码编辑页,编辑类型改上传函数ZIP包,选择文件(这里的ZIP文件不能直接用从Github上下载的ZIP文件,要将它解压后,去掉外层文件夹后,再压缩为ZIP。),开始上传 - 6,点击右边触发器,复制并访问提供的url,开始安装 +### Official + +​ https://console.bce.baidu.com/cfc/#/cfc/functions + +### DEMO + +​ 暂无 + +### 注意事项 + +​ **自定义域名需要另外使用API网关,并备案。** + +### How to Install + +1. 在函数列表,点创建函数 +2. 创建方式改为空白函数,点下一步 + 3. 输入名称,选择运行时为PHP7.2,点下一步 + 4. 触发器:下拉选择HTTP触发器,URL路径填 /{filepath+} ,HTTP方法全选,身份验证:不验证,点提交 + 5. 进入代码编辑页,编辑类型改上传函数ZIP包,选择文件(这里的ZIP文件不能直接用从Github上下载的ZIP文件,要将它解压后,去掉外层文件夹后,再压缩为ZIP。),开始上传 + 6. 点击右边触发器,复制并访问提供的url,开始安装 + +--- # Deploy to Virtual Private Server (VPS 或空间) -DEMO: 无 -How to Install: - 1.Start web service on your server (httpd or other), make sure you can visit it. - 启动web服务器,确保你能访问到。 - 2.Make the rewrite works, the rule is in .htaccess file, make sure any query redirect to index.php. - 开启伪静态(重写)功能,规则在.htaccess文件中,ngnix从里面复制,我们的目的是不管访问什么都让index.php来处理。 - 3.Upload code. - 上传好代码。 - 4.Change the file .data/config.php can be read&write (666 is suggested). 
- 使web身份可读写代码中的.data/config.php文件,推荐chmod 666 .data/config.php。 - 5.View the website in chrome or other. - 在浏览器中访问。 +### DEMO + +暂无 + +### How to Install + +1. Start web service on your server (httpd or other), make sure you can visit it. + + >启动web服务器,确保你能访问到。 + +2. Make the rewrite works, the rule is in .htaccess file, make sure any query redirect to index.php. + + >开启伪静态(重写)功能,规则在.htaccess文件中,ngnix从里面复制,我们的目的是不管访问什么都让index.php来处理。 + +3. Upload code. + + >上传好代码。 + +4. Change the file .data/config.php can be read&write (666 is suggested). + + >使web身份可读写代码中的.data/config.php文件,推荐chmod 666 .data/config.php。 + +5. View the website in chrome or other. + + >在浏览器中访问。 + +---- # Features 特性 -When downloading files, the program produce a direct url, visitor download files from MS OFFICE via the direct url, the server expend a few bandwidth in produce. -下载时,由程序解析出直链,浏览器直接从微软Onedrive服务器下载文件,服务器只消耗与微软通信的少量流量。 -When uploading files, the program produce a direct url, visitor upload files to MS OFFICE via the direct url, the server expend a few bandwidth in produce. -上传时,由程序生成上传url,浏览器直接向微软Onedrive的这个url上传文件,服务器只消耗与微软通信的少量流量。 -The XXX_path in setting is the path in Onedrive, not in url, program will find the path in Onedrive. -设置中的 XXX_path 是Onedrive里面的路径,并不是你url里面的,程序会去你Onedrive里面找这个路径。 -LOGO ICON: put your 'favicon.ico' in the path you showed, make sure xxxxx.com/favicon.ico can be visited. -网站图标:将favicon.ico文件放在你要展示的目录中,确保 xxxxx.com/favicon.ico 可以访问到。 -Program will show content of 'readme.md' & 'head.md'. -可以在文件列表显示head.md跟readme.md文件的内容。 -guest up path, is a folder that the guest can upload files, but can not be list (exclude admin). -游客上传目录(也叫图床目录),是指定一个目录,让游客可以上传文件,不限格式,不限大小。这个目录里面的内容不列清单(除非管理登录)。 -If there is 'index.html' file, program will only show the content of 'index.html', not list the files. -如果目录中有index.html文件,只会输出显示html文件,不显示程序框架。 -Click 'EditTime' or 'Size', the list will sort by time or size, Click 'File' can resume sort. 
-点击“时间”、“大小”,可以排序显示,点“文件”恢复原样。 -# Functional files 功能性文件 -### favicon.ico -put it in the showing home folder of FIRST disk (maybe not root of onedrive). 放在第一个盘的显示目录(不一定是onedrive根目录)。 -### index.html -show content of index.html as html. 将index.html以静态网页显示出来。 -### head.md readme.md -it will showed at top or bottom as markdown. 以MD语法显示在顶部或底部。 -### head.omf foot.omf -it will showed at top or bottom as html (javascript works!). 以html显示在顶部或底部(可以跑js)。 +​ When downloading files, the program produce a direct url, visitor download files from MS OFFICE via the direct url, the server expend a few bandwidth in produce. + +> 下载时,由程序解析出直链,浏览器直接从微软Onedrive服务器下载文件,服务器只消耗与微软通信的少量流量。 + +​ When uploading files, the program produce a direct url, visitor upload files to MS OFFICE via the direct url, the server expend a few bandwidth in produce. + +> 上传时,由程序生成上传url,浏览器直接向微软Onedrive的这个url上传文件,服务器只消耗与微软通信的少量流量。 + +​ The XXX_path in setting is the path in Onedrive, not in url, program will find the path in Onedrive. + +> 设置中的 XXX_path 是Onedrive里面的路径,并不是你url里面的,程序会去你Onedrive里面找这个路径。 + +​ LOGO ICON: put your 'favicon.ico' in the path you showed, make sure xxxxx.com/favicon.ico can be visited. + +> 网站图标:将favicon.ico文件放在你要展示的目录中,确保 xxxxx.com/favicon.ico 可以访问到。 + +​ Program will show content of 'readme.md' & 'head.md'. + +> 可以在文件列表显示head.md跟readme.md文件的内容。 + +​ guest up path, is a folder that the guest can upload files, but can not be list (exclude admin). + +> 游客上传目录(也叫图床目录),是指定一个目录,让游客可以上传文件,不限格式,不限大小。这个目录里面的内容不列清单(除非管理登录)。 + +​ If there is 'index.html' file, program will only show the content of 'index.html', not list the files. + +> 如果目录中有index.html文件,只会输出显示html文件,不显示程序框架。 + +​ Click 'EditTime' or 'Size', the list will sort by time or size, Click 'File' can resume sort. + +> 点击“时间”、“大小”,可以排序显示,点“文件”恢复原样。 + +---- + +# Functional files 功能性文件 + +### favicon.ico + +put it in the showing home folder of FIRST disk (maybe not root of onedrive). 
+ +> 放在第一个盘的显示目录(不一定是onedrive根目录)。 + +### index.html + +show content of index.html as html. + +> 将index.html以静态网页显示出来。 + +### head.md + +### readme.md + +it will showed at top or bottom as markdown. + +> 以MD语法显示在顶部或底部。 + +### head.omf + +### foot.omf + +it will showed at top or bottom as html (javascript works!). + +> 以html显示在顶部或底部(可以跑js)。 + +---- + +# A cup of coffee -# A cup of coffee https://paypal.me/qkqpttgf -# Chat -QQ Group: 212088653 (请看完上面的中英双语再加群,谢谢!) -Telegram Group: https://t.me/joinchat/I_RVc0bqxuxlT-d0cO7ozw +----- + +# Chat + + **请看完上面的中英双语再加群,谢谢!** + +### QQ Group: + +212088653 + +### Telegram Group + +https://t.me/joinchat/I_RVc0bqxuxlT-d0cO7ozw From 9205015782e90c22d22a7414cce9b1a5a0edad2b Mon Sep 17 00:00:00 2001 From: root Date: Wed, 6 Oct 2021 08:01:31 +0000 Subject: [PATCH 2/6] fix CSRF, try fix %20 --- common.php | 138 +++++++++++++++++++++++++---------- index.php | 2 +- platform/AliyunFC.php | 14 +++- platform/BaiduCFC.php | 1 + platform/HuaweiFG_env.php | 1 + platform/HuaweiFG_file.php | 1 + platform/TencentSCF_env.php | 3 +- platform/TencentSCF_file.php | 3 +- theme/classic.html | 23 ++++-- 9 files changed, 135 insertions(+), 51 deletions(-) diff --git a/common.php b/common.php index 121e18d..f12a28b 100644 --- a/common.php +++ b/common.php 
@@ -182,11 +182,15 @@ function main($path) if (isset($_POST['password1'])) { $compareresult = compareadminsha1($_POST['password1'], $_POST['timestamp'], getConfig('admin')); if ($compareresult=='') { - return adminform('admin', adminpass2cookie('admin', getConfig('admin')), $url); + $timestamp = time()+7*24*60*60; + $randnum = rand(10, 99999); + $admincookie = adminpass2cookie('admin', getConfig('admin'), $timestamp, $randnum); + $adminlocalstorage = adminpass2storage('admin', getConfig('admin'), $timestamp, $randnum); + return adminform('admin', $admincookie, $adminlocalstorage, $url); } else return adminform($compareresult); } else return adminform(); } - if ( isset($_COOKIE['admin'])&&compareadminmd5($_COOKIE['admin'], 'admin', getConfig('admin')) ) { + if ( isset($_COOKIE['admin'])&&compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin']) ) { $_SERVER['admin']=1; $_SERVER['needUpdate'] = needUpdate(); } else { @@ -394,6 +398,7 @@ function main($path) $url = $files['url']; if ( strtolower(splitlast($files['name'], '.')[1])=='html' ) return output($files['content']['body'], $files['content']['stat']); else { + if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) && strtotime($files['time'])==strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE'])) return output('', 304); $fileConduitSize = getConfig('fileConduitSize', $_SERVER['disktag']); $fileConduitCacheTime = getConfig('fileConduitCacheTime', $_SERVER['disktag']); if (!!$fileConduitSize || !!$fileConduitCacheTime) { 
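Review bot: The per-login nonce on the `$randnum = rand(10, 99999);` line comes from `rand()`, which is not a cryptographically secure generator; for a value that feeds an anti-CSRF token use `$randnum = random_int(10, 99999);`. The next line calls `adminpass2cookie('admin', getConfig('admin'), $timestamp, $randnum)` with four arguments while the function (see the `@@ -482` hunk) declares three, so `$randnum` is silently dropped — either remove the argument here or add `// cookie deliberately excludes the nonce; it only lives in localStorage` so the asymmetry reads as intended. main() continues outside the hunk.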
@@ -401,10 +406,27 @@ function main($path) else $fileConduitSize = 1024*1024; if ($fileConduitCacheTime>1) $fileConduitCacheTime *= 3600; else $fileConduitCacheTime = 3600; + /*if ($_SERVER['HTTP_RANGE']!='') { + $header['Range'] = $_SERVER['HTTP_RANGE']; + $response = curl('GET', $files['url'], '', $header, 1); + //return output($header['Range'] . json_encode($response['returnhead'])); + return output( + $response['body'], + $response['stat'], + //$response['returnhead'], + ['Content-Type' => $files['mime'], 'Cache-Control' => 'max-age=' . $fileConduitCacheTime], + false + ); + }*/ if ($files['size']<$fileConduitSize) return output( base64_encode(file_get_contents($files['url'])), 200, - ['Content-Type' => $files['mime'], 'Cache-Control' => 'max-age=' . $fileConduitCacheTime], + [ + 'Content-Type' => $files['mime'], + 'Cache-Control' => 'max-age=' . $fileConduitCacheTime, + //'Cache-Control' => 'max-age=0', + 'Last-Modified' => gmdate('D, d M Y H:i:s T', strtotime($files['time'])) + ], true ); } 
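Review bot: The new conditional-GET line compares `strtotime($files['time'])==strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE'])` loosely, and `strtotime()` returns `false` on unparseable input, so an unparseable `$files['time']` paired with a garbage request header yields `false == false` and a bogus 304 with an empty body. Guard the file side and compare strictly: `$mtime = strtotime($files['time']);` / `if ($mtime !== false && isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) && $mtime === strtotime($_SERVER['HTTP_IF_MODIFIED_SINCE'])) return output('', 304);`. The enclosing `else` block of main() continues past the hunk.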
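Review bot: The hunk commits a twelve-line block of commented-out Range handling (`/*if ($_SERVER['HTTP_RANGE']!='') { … }*/`) plus a commented `//'Cache-Control' => 'max-age=0',` alternative inside the live header array, and the `@@ -720` hunk adds a `//echo "HEAD:" . $returnhead;` debug line in curl(). Dead code in version control misleads the next reader about what is actually served; drop it, or if the Range work is meant to land, replace the block with a one-line `// TODO: Range passthrough for the conduit path` pointing at the tracking issue. Separately, the live `Cache-Control: max-age=…` header carries no `private`, so an intermediary cache may store the body — worth confirming that nothing password-protected reaches this conduit path (that check happens outside the hunk).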
@@ -482,20 +504,31 @@ function isreferhost() { return false; } -function adminpass2cookie($name, $pass) +function adminpass2cookie($name, $pass, $timestamp) { - $timestamp = time()+7*24*60*60; return md5($name . ':' . md5($pass) . '@' . $timestamp) . "(" . $timestamp . ")"; } -function compareadminmd5($admincookie, $name, $pass) +function adminpass2storage($name, $pass, $timestamp, $rand) { + return md5($timestamp . '/' . $pass . '^' . $name . '*' . $rand) . "(" . $rand . ")"; +} +function compareadminmd5($name, $pass, $cookie, $storage = 'default') { - $c = splitfirst($admincookie, '('); + $c = splitfirst($cookie, '('); $c_md5 = $c[0]; $c_time = substr($c[1], 0, -1); if (!is_numeric($c_time)) return false; if (time() > $c_time) return false; - if (md5($name . ':' . md5($pass) . '@' . $c_time) == $c_md5) return true; - else return false; + if ($storage == 'default') { + if (md5($name . ':' . md5($pass) . '@' . $c_time) == $c_md5) return true; + else return false; + } else { + $s = splitfirst($storage, '('); + $s_md5 = $s[0]; + $s_rand = substr($s[1], 0, -1); + if (md5($c_time . '/' . $pass . '^' . $name . '*' . $s_rand) == $s_md5) return true; + else return false; + } + return false; } function compareadminsha1($adminsha1, $timestamp, $pass) @@ -720,6 +753,7 @@ function curl($method, $url, $data = '', $headers = [], $returnheader = 0, $loca //$response['body'] = curl_exec($ch); if ($returnheader) { list($returnhead, $response['body']) = explode("\r\n\r\n", curl_exec($ch)); + //echo "HEAD:" . $returnhead; foreach (explode("\r\n", $returnhead) as $head) { $tmp = explode(': ', $head); $heads[$tmp[0]] = $tmp[1]; 
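Review bot: In `compareadminmd5()` the sentinel `$storage = 'default'` is tested with `$storage == 'default'`, and every state-changing caller in this commit passes `$_POST['_admin']` straight into that parameter, so the request body itself decides whether the token branch runs — a body carrying the literal string `default` takes the cookie-only branch and the new CSRF check is skipped. Use a sentinel that form data cannot produce (`false`, tested with `===`; `null` is not safe either because `$_POST['_admin']` is `null` whenever the field is absent), so a missing or unexpected token falls through to the token branch and fails closed. Both digest comparisons use `==` on caller-supplied strings (`$c_md5` from the cookie, `$s_md5` from the POST body); PHP's loose comparison has numeric-string special cases, so compare with `hash_equals()`, which is also constant-time. The trailing `return false;` after the if/else is unreachable. adminpass2cookie() and adminpass2storage() in the same hunk are fine as written, though the new `$timestamp` parameter deserves a `// unix time after which the cookie no longer validates` comment.
```php
function compareadminmd5($name, $pass, $cookie, $storage = false)
{
    // … unchanged: split $cookie into $c_md5 / $c_time, numeric and expiry checks …
    if ($storage === false) {
        // cookie-only check (login state); `false` cannot arrive from $_POST, unlike a string or null
        return hash_equals(md5($name . ':' . md5($pass) . '@' . $c_time), (string)$c_md5);
    }
    // cookie + per-login token check, required for state-changing requests
    $s = splitfirst((string)$storage, '(');
    $s_md5 = $s[0];
    $s_rand = substr($s[1], 0, -1);
    return hash_equals(md5($c_time . '/' . $pass . '^' . $name . '*' . $s_rand), (string)$s_md5);
}
```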
@@ -971,15 +1005,19 @@ function time_format($ISO) return date('Y-m-d H:i:s',strtotime($ISO . " UTC")); } -function adminform($name = '', $pass = '', $path = '') +function adminform($name = '', $pass = '', $storage = '', $path = '') { $html = '' . getconstStr('AdminLogin') . ''; if ($name=='admin'&&$pass!='') { $html .= ' - ' . getconstStr('LoginSuccess') . ''; + ' . getconstStr('LoginSuccess') . ' + + '; $statusCode = 201; date_default_timezone_set('UTC'); - $_SERVER['Set-Cookie'] = $name . '=' . $pass . '; path=/; expires=' . date(DATE_COOKIE, strtotime('+7day')); + $_SERVER['Set-Cookie'] = $name . '=' . $pass . '; path=' . $_SERVER['base_path'] . '; expires=' . date(DATE_COOKIE, strtotime('+7day')); return output($html, $statusCode); } $statusCode = 401; @@ -1028,7 +1066,18 @@ function adminoperate($path) $tmpget = $_GET; $tmppost = $_POST; $tmparr['statusCode'] = 0; + + if (isset($tmpget['RefreshCache'])) { + //$path1 = path_format($_SERVER['list_path'] . path_format($path)); + //if ($path1!='/'&&substr($path1, -1)=='/') $path1=substr($path1, 0, -1); + savecache('path_' . $path1 . '/?password', '', $_SERVER['disktag'], 1); + savecache('customTheme', '', '', 1); + return message(' + ', getconstStr('RefreshCache'), 202); + } + if ( (isset($tmpget['rename_newname'])&&$tmpget['rename_newname']!=$tmpget['rename_oldname'] && $tmpget['rename_newname']!='') || (isset($tmppost['rename_newname'])&&$tmppost['rename_newname']!=$tmppost['rename_oldname'] && $tmppost['rename_newname']!='') ) { + if (!compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) return ['statusCode'=>403]; if (isset($tmppost['rename_newname'])) $VAR = 'tmppost'; else $VAR = 'tmpget'; // rename 重命名 
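Review bot: The rewritten `$_SERVER['Set-Cookie']` line scopes the admin cookie to `$_SERVER['base_path']` but still sets no `SameSite` attribute, so browsers may attach it to cross-site form posts — the request class the `_admin` token is being added to defend against. Appending `; SameSite=Lax` (and `; Secure` when served over HTTPS) adds defence in depth at no cost to same-site navigation: `$_SERVER['Set-Cookie'] = $name . '=' . $pass . '; path=' . $_SERVER['base_path'] . '; expires=' . date(DATE_COOKIE, strtotime('+7day')) . '; SameSite=Lax';`. `HttpOnly` is not suggested because the theme's logout overwrites the cookie from JavaScript (theme/classic.html `@@ -1439` hunk). The new `$storage` parameter should be documented on the function: `// $storage: per-login token written to localStorage and echoed back as _admin on admin POSTs`. adminform() continues outside the hunk.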
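Review bot: The relocated `RefreshCache` branch is the only state-changing branch in adminoperate() that did not receive the new `compareadminmd5(..., $_POST['_admin'])` guard, and it now runs before the guarded branches, so a cache flush remains reachable with only the cookie. Since the same guard line is repeated verbatim in the `@@ -1038`, `@@ -1047`, `@@ -1058`, `@@ -1082`, `@@ -1091` and `@@ -1098` hunks, hoist it once directly after `$tmparr['statusCode'] = 0;`: `if (!compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) return ['statusCode'=>403];` — which covers RefreshCache too and removes seven copies. The guard reads `$_POST['_admin']` even in branches whose parameters may arrive via `$tmpget`, so GET-driven operations now fail closed; if that is intended, a one-line comment saying so would save the next reader a puzzle. `$path1` is used in the moved block but not assigned anywhere visible in the hunk — if it is assigned further down the function, the move now reads it before assignment; adminoperate() continues outside the hunk.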
@@ -1038,6 +1087,7 @@ function adminoperate($path) return $drive->Rename($file, ${$VAR}['rename_newname']); } if (isset($tmpget['delete_name']) || isset($tmppost['delete_name'])) { + if (!compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) return ['statusCode'=>403]; if (isset($tmppost['delete_name'])) $VAR = 'tmppost'; else $VAR = 'tmpget'; // delete 删除 @@ -1047,6 +1097,7 @@ function adminoperate($path) return $drive->Delete($file); } if ( (isset($tmpget['operate_action'])&&$tmpget['operate_action']==getconstStr('Encrypt')) || (isset($tmppost['operate_action'])&&$tmppost['operate_action']==getconstStr('Encrypt')) ) { + if (!compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) return ['statusCode'=>403]; if (isset($tmppost['operate_action'])) $VAR = 'tmppost'; else $VAR = 'tmpget'; // encrypt 加密 @@ -1058,6 +1109,7 @@ function adminoperate($path) return $drive->Encrypt($folder, getConfig('passfile'), ${$VAR}['encrypt_newpass']); } if (isset($tmpget['move_folder']) || isset($tmppost['move_folder'])) { + if (!compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) return ['statusCode'=>403]; if (isset($tmppost['move_folder'])) $VAR = 'tmppost'; else $VAR = 'tmpget'; // move 移动 @@ -1082,6 +1134,7 @@ function adminoperate($path) } } if (isset($tmpget['copy_name']) || isset($tmppost['copy_name'])) { + if (!compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) return ['statusCode'=>403]; if (isset($tmppost['copy_name'])) $VAR = 'tmppost'; else $VAR = 'tmpget'; // copy 复制 @@ -1091,6 +1144,7 @@ function adminoperate($path) return $drive->Copy($file); } if (isset($tmppost['editfile'])) { + if (!compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) return ['statusCode'=>403]; // edit 编辑 $file['path'] = $path1; $file['name'] = ''; 
@@ -1098,6 +1152,7 @@ function adminoperate($path) return $drive->Edit($file, $tmppost['editfile']); } if (isset($tmpget['create_name']) || isset($tmppost['create_name'])) { + if (!compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) return ['statusCode'=>403]; if (isset($tmppost['create_name'])) $VAR = 'tmppost'; else $VAR = 'tmpget'; // create 新建 @@ -1106,14 +1161,6 @@ function adminoperate($path) $parent['id'] = ${$VAR}['create_fileid']; return $drive->Create($parent, ${$VAR}['create_type'], ${$VAR}['create_name'], ${$VAR}['create_text']); } - if (isset($tmpget['RefreshCache'])) { - //$path1 = path_format($_SERVER['list_path'] . path_format($path)); - //if ($path1!='/'&&substr($path1, -1)=='/') $path1=substr($path1, 0, -1); - savecache('path_' . $path1 . '/?password', '', $_SERVER['disktag'], 1); - savecache('customTheme', '', '', 1); - return message(' - ', getconstStr('RefreshCache'), 202); - } return $tmparr; } @@ -1174,7 +1221,7 @@ function EnvOpt($needUpdate = 0) $envs = substr(json_encode(array_keys ($EnvConfigs)), 1, -1); $html = 'OneManager '.getconstStr('Setup').''; - if (isset($_POST['updateProgram'])&&$_POST['updateProgram']==getconstStr('updateProgram')) { + if (isset($_POST['updateProgram'])&&$_POST['updateProgram']==getconstStr('updateProgram')) if (compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) { $response = setConfigResponse(OnekeyUpate($_POST['auth'], $_POST['project'], $_POST['branch'])); if (api_error($response)) { $html = api_error_msg($response); 
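Review bot: The rewritten `if (isset($_POST['updateProgram'])&&…) if (compareadminmd5(…)) {` nests an unbraced `if` inside another, and the `} else return message('please login again', 'Need login', 403);` added in the `@@ -1186` hunk binds to the inner one only by the dangling-else rule; the same shape is repeated for `submit1`, `config_b` and `changePass` in the `@@ -1186`, `@@ -1237`, `@@ -1295` and `@@ -1313` hunks. Invert the inner check into a guard so the structure is explicit: `if (isset($_POST['updateProgram'])&&$_POST['updateProgram']==getconstStr('updateProgram')) {` / `    if (!compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) return message('please login again', 'Need login', 403);`. The four branches then share one failure response, which could become a small private helper, but that is optional. EnvOpt() continues outside the hunk.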
@@ -1186,8 +1233,8 @@ function EnvOpt($needUpdate = 0) $title = getconstStr('Setup'); return message($html, $title, 202, 1); } - } - if (isset($_POST['submit1'])) { + } else return message('please login again', 'Need login', 403); + if (isset($_POST['submit1'])) if (compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) { $_SERVER['disk_oprating'] = ''; foreach ($_POST as $k => $v) { if (isShowedEnv($k) || $k=='disktag_del' || $k=='disktag_add' || $k=='disktag_rename' || $k=='disktag_copy') { @@ -1237,8 +1284,8 @@ function EnvOpt($needUpdate = 0) $title = getconstStr('Setup'); return message($html, $title, 200, 1); } - } - if (isset($_POST['config_b'])) { + } else return message('please login again', 'Need login', 403); + if (isset($_POST['config_b'])) if (compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) { if (!$_POST['pass']) return output("{\"Error\": \"No admin pass\"}", 403); if (!is_numeric($_POST['timestamp'])) return output("{\"Error\": \"Error time\"}", 403); if (abs(time() - $_POST['timestamp']/1000) > 5*60) return output("{\"Error\": \"Timeout\"}", 403); @@ -1295,8 +1342,8 @@ function EnvOpt($needUpdate = 0) } else { return output("{\"Error\": \"Admin pass error\"}", 403); } - } - if (isset($_POST['changePass'])) { + } else return message('please login again', 'Need login', 403); + if (isset($_POST['changePass'])) if (compareadminmd5('admin', getConfig('admin'), $_COOKIE['admin'], $_POST['_admin'])) { if (!is_numeric($_POST['timestamp'])) return message("Error time" . getconstStr('Back') . "", "Error", 403); if (abs(time() - $_POST['timestamp']/1000) > 5*60) return message("Timeout" . getconstStr('Back') . "", "Error", 403); if ($_POST['newPass1']==''||$_POST['newPass2']=='') return message("Empty new pass" . getconstStr('Back') . "", "Error", 403); 
@@ -1313,7 +1360,7 @@ function EnvOpt($needUpdate = 0) } else { return message("Old pass error" . getconstStr('Back') . "", "Error", 403); } - } + } else return message('please login again', 'Need login', 403); if (isset($_GET['preview'])) { $preurl = $_SERVER['PHP_SELF'] . '?preview'; @@ -1360,7 +1407,8 @@ output: if ($_GET['setup']==='platform') { $frame .= ' - '; + + '; foreach ($EnvConfigs as $key => $val) if (isCommonEnv($key) && isShowedEnv($key)) { $frame .= ' @@ -1420,6 +1468,7 @@ output: @@ -1464,6 +1515,7 @@ output: $frame .= ' + '; foreach ($EnvConfigs as $key => $val) if (isInnerEnv($key) && isShowedEnv($key)) { $frame .= ' @@ -1536,6 +1588,7 @@ output:
+ @@ -1431,12 +1480,14 @@ output:
+
+
+ '; $num = 0; foreach ($disktags as $disktag) { @@ -1641,6 +1694,7 @@ output: } else { $frame .= ' + @@ -1691,6 +1745,7 @@ output:
+ @@ -1708,6 +1763,7 @@ output:
' . getconstStr('OldPassword') . ':

+ @@ -1846,6 +1902,12 @@ output:
' . getconstStr('AdminPassword') . ':

'; $html .= $frame; + $html .= ''; return message($html, getconstStr('Setup')); } @@ -1859,11 +1921,12 @@ function render_list($path = '', $files = []) //$htmlcontent = fetch_files(spurlencode(path_format(urldecode($path) . '/index.html'), '/'))['content']; $htmlcontent = get_content(spurlencode(path_format(urldecode($path) . '/index.html'), '/'))['content']; return output($htmlcontent['body'], $htmlcontent['stat']); - } - $path = str_replace('%20','%2520',$path); + }//echo $path . "
\n"; + //$path = str_replace('%20','%2520',$path); $path = str_replace('+','%2B',$path); $path = str_replace('&','&',path_format(urldecode($path))) ; - $path = str_replace('%20',' ',$path); + //echo $path . "
\n"; + //$path = str_replace('%20',' ',$path); $path = str_replace('#','%23',$path); $p_path=''; if ($path !== '/') { @@ -2233,8 +2296,8 @@ function render_list($path = '', $files = []) $html = str_replace('', '', $html); $html = str_replace('', '', $html); } - $html = str_replace('', encode_str_replace(path_format($_SERVER['base_disk_path'] . '/' . str_replace('&', '&', $path))), $html); - $html = str_replace('', encode_str_replace(path_format($_SERVER['base_disk_path'] . '/' . str_replace('&', '&', $path))), $html); + $html = str_replace('', encode_str_replace(path_format($_SERVER['base_disk_path'] . '/' . $path)), $html); + $html = str_replace('', (path_format($_SERVER['base_disk_path'] . '/' . $path)), $html); $ext = strtolower(substr($path, strrpos($path, '.') + 1)); if (in_array($ext, $exts['img'])) $ext = 'img'; @@ -2261,11 +2324,12 @@ function render_list($path = '', $files = []) $html = str_replace('', '', $html); } //while (strpos($html, '')) $html = str_replace('', $files['url'], $html); - while (strpos($html, '')) $html = str_replace('', encode_str_replace(path_format($_SERVER['base_disk_path'] . '/' . $path)), $html); - while (strpos($html, '')) $html = str_replace('', encode_str_replace(path_format($_SERVER['base_disk_path'] . '/' . $path)), $html); + while (strpos($html, '')) $html = str_replace('', (path_format($_SERVER['base_disk_path'] . '/' . $path)), $html); + //echo $path . "
\n"; + while (strpos($html, '')) $html = str_replace('', (path_format($_SERVER['base_disk_path'] . '/' . str_replace('&', '&', $path))), $html); while (strpos($html, '')) $html = str_replace('', $files['name'], $html); while (strpos($html, '')) $html = str_replace('', urlencode($files['url']), $html); - //while (strpos($html, '')) $html = str_replace('', urlencode(path_format($_SERVER['base_disk_path'] . '/' . $path)), $html); + //while (strpos($html, '')) $html = str_replace('', urlencode($_SERVER['host'] . path_format($_SERVER['base_disk_path'] . '/' . $path)), $html); $html = str_replace('', getconstStr('ClicktoEdit'), $html); $html = str_replace('', getconstStr('CancelEdit'), $html); $html = str_replace('', getconstStr('Save'), $html); diff --git a/index.php b/index.php index 1c78c03..56fecf2 100644 --- a/index.php +++ b/index.php @@ -108,7 +108,7 @@ function handler($event, $context) $re = main($path); - return new RingCentral\Psr7\Response($re['statusCode'], $re['headers'], $re['body']); + return new RingCentral\Psr7\Response($re['statusCode'], $re['headers'], $re['isBase64Encoded']?base64_decode($re['body']):$re['body']); } elseif ($_SERVER['_APP_SHARE_DIR']=='/var/share/CFF/processrouter') { // Huawei FG diff --git a/platform/AliyunFC.php b/platform/AliyunFC.php index 184879d..02dba5b 100644 --- a/platform/AliyunFC.php +++ b/platform/AliyunFC.php 
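Review bot: The new ternary in handler() reads `$re['isBase64Encoded']` unconditionally; if output() only sets that key when its fourth argument is passed (as the `@@ -401` hunk in common.php does for the conduit path), every other response raises an undefined-index notice on this line, which some error-display settings would print into the response body. Use `!empty($re['isBase64Encoded']) ? base64_decode($re['body']) : $re['body']`, and keep `base64_decode()` in its default lenient mode or check its result, since strict mode returns `false` for malformed input and that `false` would reach the Response constructor. handler() continues outside the hunk.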
@@ -37,13 +37,20 @@ function GetPathSetting($event, $context) $_SERVER['region'] = $context['region']; $_SERVER['service_name'] = $context['service']['name']; $_SERVER['function_name'] = $context['function']['name']; - $path = urldecode($event['path']); + //$path = str_replace('%5D', ']', str_replace('%5B', '[', $event['path']));//%5B + //$path = $event['path']; + $path = $event['requestURI']; + if (strpos($path, '?')) $path = substr($path, 0, strpos($path, '?')); $tmp = urldecode($event['requestURI']); if (strpos($tmp, '?')) $tmp = substr($tmp, 0, strpos($tmp, '?')); if ($path=='/'||$path=='') { $_SERVER['base_path'] = $tmp; } else { - $_SERVER['base_path'] = substr($tmp, 0, strlen($tmp)-strlen($path)+1); + while ($tmp!=urldecode($tmp)) $tmp = urldecode($tmp); + $tmp1 = urldecode($event['path']); + while ($tmp1!=urldecode($tmp1)) $tmp1 = urldecode($tmp1); + $_SERVER['base_path'] = substr($tmp, 0, strlen($tmp)-strlen($tmp1)+1); + //$_SERVER['base_path'] = substr($tmp, 0, strlen(urldecode($event['path']))); } $_SERVER['base_path'] = spurlencode($_SERVER['base_path'], '/'); @@ -63,7 +70,8 @@ function GetPathSetting($event, $context) $_SERVER['referhost'] = explode('/', $event['headers']['Referer'][0])[2]; $_SERVER['HTTP_IF_MODIFIED_SINCE'] = $event['headers']['If-Modified-Since'][0]; $_SERVER['FC_SERVER_PATH'] = '/var/fc/runtime/php7.2'; - return spurlencode($path, '/'); + return $path; + //return spurlencode($path, '/'); } function getConfig($str, $disktag = '') diff --git a/platform/BaiduCFC.php b/platform/BaiduCFC.php index e9fbcbb..c8ba09e 100644 --- a/platform/BaiduCFC.php +++ b/platform/BaiduCFC.php 
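Review bot: The added `while ($tmp!=urldecode($tmp)) $tmp = urldecode($tmp);` loop (and its twin for `$tmp1`) decodes until a fixpoint, so the resulting `base_path` depends on how many times the client chose to percent-encode the request, and `substr($tmp, 0, strlen($tmp)-strlen($tmp1)+1)` assumes the decoded `path` is a suffix of the decoded `requestURI` without checking it. A single `urldecode()` of each, followed by an explicit suffix check before the length arithmetic, keeps `base_path` stable regardless of client encoding: `if (substr($tmp, -strlen($tmp1)) !== $tmp1) { /* fall back to $tmp as base_path */ }`. The `@@ -63` hunk replaces `return spurlencode($path, '/');` with `return $path;`, changing the encoding of the value handed to main(); the commit subject calls this a work in progress, so a `// TODO: document whether the returned path is encoded or decoded` on that line would help whoever finishes it. GetPathSetting() starts and continues outside the hunk.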
@@ -50,6 +50,7 @@ function GetPathSetting($event, $context) $_SERVER['host'] = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST']; $_SERVER['referhost'] = explode('/', $event['headers']['Referer'])[2]; $_SERVER['HTTP_TRANSLATE'] = $event['headers']['translate'];//'f' + $_SERVER['HTTP_IF_MODIFIED_SINCE'] = $event['headers']['If-Modified-Since']; $_SERVER['BCE_CFC_RUNTIME_NAME'] = 'php7'; return $path; } diff --git a/platform/HuaweiFG_env.php b/platform/HuaweiFG_env.php index 1b09178..45387c4 100644 --- a/platform/HuaweiFG_env.php +++ b/platform/HuaweiFG_env.php @@ -71,6 +71,7 @@ function GetPathSetting($event, $context) $_SERVER['host'] = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST']; $_SERVER['referhost'] = explode('/', $event['headers']['referer'])[2]; $_SERVER['HTTP_TRANSLATE'] = $event['headers']['translate'];//'f' + $_SERVER['HTTP_IF_MODIFIED_SINCE'] = $event['headers']['if-modified-since']; $_SERVER['_APP_SHARE_DIR'] = '/var/share/CFF/processrouter'; return $path; } diff --git a/platform/HuaweiFG_file.php b/platform/HuaweiFG_file.php index a615736..8304222 100644 --- a/platform/HuaweiFG_file.php +++ b/platform/HuaweiFG_file.php @@ -71,6 +71,7 @@ function GetPathSetting($event, $context) $_SERVER['host'] = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST']; $_SERVER['referhost'] = explode('/', $event['headers']['referer'])[2]; $_SERVER['HTTP_TRANSLATE'] = $event['headers']['translate'];//'f' + $_SERVER['HTTP_IF_MODIFIED_SINCE'] = $event['headers']['if-modified-since']; $_SERVER['_APP_SHARE_DIR'] = '/var/share/CFF/processrouter'; return $path; } diff --git a/platform/TencentSCF_env.php b/platform/TencentSCF_env.php index 5bcc2df..6210d6b 100644 --- a/platform/TencentSCF_env.php +++ b/platform/TencentSCF_env.php 
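Review bot: The added `$_SERVER['HTTP_IF_MODIFIED_SINCE'] = $event['headers']['If-Modified-Since'];` reads the header array without checking the key, so every request that sends no conditional header produces an undefined-index notice; the same applies to the `if-modified-since` lines added in the two HuaweiFG hunks and the two TencentSCF hunks. Use the null-coalescing form so the key stays unset for the `isset()` in main(): `$_SERVER['HTTP_IF_MODIFIED_SINCE'] = $event['headers']['If-Modified-Since'] ?? null;`. The header-name case differs between platforms (`If-Modified-Since` here, `if-modified-since` for Huawei and Tencent); presumably that mirrors what each gateway delivers, but a comment confirming it would prevent a future "normalisation" from breaking one of them. GetPathSetting() continues outside the hunk.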
@@ -56,7 +56,8 @@ function GetPathSetting($event, $context) //$_SERVER['REQUEST_SCHEME'] = $event['headers']['x-forwarded-proto']; $_SERVER['host'] = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST']; $_SERVER['referhost'] = explode('/', $event['headers']['referer'])[2]; - $_SERVER['HTTP_TRANSLATE']==$event['headers']['translate'];//'f' + $_SERVER['HTTP_TRANSLATE'] = $event['headers']['translate'];//'f' + $_SERVER['HTTP_IF_MODIFIED_SINCE'] = $event['headers']['if-modified-since']; $_SERVER['USER'] = 'qcloud'; return $path; } diff --git a/platform/TencentSCF_file.php b/platform/TencentSCF_file.php index 1a0f256..27acaa1 100644 --- a/platform/TencentSCF_file.php +++ b/platform/TencentSCF_file.php @@ -56,7 +56,8 @@ function GetPathSetting($event, $context) //$_SERVER['REQUEST_SCHEME'] = $event['headers']['x-forwarded-proto']; $_SERVER['host'] = $_SERVER['REQUEST_SCHEME'] . '://' . $_SERVER['HTTP_HOST']; $_SERVER['referhost'] = explode('/', $event['headers']['referer'])[2]; - $_SERVER['HTTP_TRANSLATE']==$event['headers']['translate'];//'f' + $_SERVER['HTTP_TRANSLATE'] = $event['headers']['translate'];//'f' + $_SERVER['HTTP_IF_MODIFIED_SINCE'] = $event['headers']['if-modified-since']; $_SERVER['USER'] = 'qcloud'; return $path; } diff --git a/theme/classic.html b/theme/classic.html index 1a41e31..dc64c56 100644 --- a/theme/classic.html +++ b/theme/classic.html @@ -94,12 +94,12 @@   - + -->
@@ -202,6 +202,7 @@
+     @@ -209,6 +210,12 @@ +
@@ -988,7 +995,7 @@ delete uploading[upbigfilename]; } } - xhr1.send('upbigfilename='+ upbigfilename +'&filesize='+ file.size +'&filelastModified='+ file.lastModified +'&filemd5='+ filemd5); + xhr1.send('upbigfilename='+ upbigfilename +'&filesize='+ file.size +'&filelastModified='+ file.lastModified +'&filemd5='+ filemd5 + '&_admin=' + localStorage.getItem("admin")); } } @@ -1239,7 +1246,7 @@ getuplink(i); }*/ } - xhr1.send('upbigfilename='+ upbigfilename +'&filesize='+ file.size +'&filelastModified='+ file.lastModified + '&filesha1=' + filesha1 + '&chunksize=' + chunksize); + xhr1.send('upbigfilename='+ upbigfilename +'&filesize='+ file.size +'&filelastModified='+ file.lastModified + '&filesha1=' + filesha1 + '&chunksize=' + chunksize + '&_admin=' + localStorage.getItem("admin")); } } } @@ -1325,7 +1332,7 @@ } delete uploading[filename]; } - xhr1.send('uploadid=' + uploadid + '&fileid=' + fileid + '&etag=' + JSON.stringify(res['ETag'])); + xhr1.send('uploadid=' + uploadid + '&fileid=' + fileid + '&etag=' + JSON.stringify(res['ETag']) + '&_admin=' + localStorage.getItem("admin")); } else { var binary = this.result; var xhr = new XMLHttpRequest(); @@ -1396,7 +1403,7 @@ } delete uploading[filename]; } - xhr1.send('uploadid=' + uploadid + '&fileid=' + fileid + '&etag=' + JSON.stringify(res['ETag'])); + xhr1.send('uploadid=' + uploadid + '&fileid=' + fileid + '&etag=' + JSON.stringify(res['ETag']) + '&_admin=' + localStorage.getItem("admin")); // uploadbuttonshow(); } else { readblob(asize); @@ -1439,7 +1446,7 @@ var expd = new Date(); expd.setTime(expd.getTime()+1000); var expires = "expires="+expd.toGMTString(); - document.cookie = "admin=; path=/; "+expires; + document.cookie = "admin=; path=; "+expires; location.href = location.href; } /*for some mobile browser*/ 
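Review bot: Each `xhr1.send(... + '&_admin=' + localStorage.getItem("admin"))` concatenates the token into a form-encoded body without `encodeURIComponent()`, and `getItem()` returns `null` when the key is absent, so the server receives the literal string `null` as the token; the same pattern appears in the `@@ -1239`, `@@ -1325`, `@@ -1396` and `@@ -1533` hunks. A small helper keeps the five call sites consistent: `function adminToken() { return '&_admin=' + encodeURIComponent(localStorage.getItem("admin") || ''); }`. The token produced by adminpass2storage() is hex plus `(digits)`, so the missing encoding is harmless today, but the helper removes the dependency on that detail.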
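Review bot: The logout line now writes `document.cookie = "admin=; path=; "+expires;` with an empty `path` attribute, which browsers treat as the default path (the directory of the current page), while the server sets the cookie with `path=$_SERVER['base_path']` (common.php `@@ -971` hunk); unless the page is at the base path exactly, the expiring cookie will not match the live one and the admin cookie survives logout. Either template the server's base path into this script, or more robustly have the server clear the cookie in a logout response so path and attributes are guaranteed to match. The surrounding function starts outside the hunk.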
@@ -1533,7 +1540,7 @@
 document.getElementById(str+'_div').style.display='none';
 document.getElementById('mask').style.display='none';
 }
- xhr.send(serializeForm(str+'_form'));
+ xhr.send(serializeForm(str+'_form') + '&_admin=' + localStorage.getItem("admin"));
 return false;
 }
 function addelement(html) {
From 0a0162abe2d7fb29e1c61af1a80212f3c62e37c7 Mon Sep 17 00:00:00 2001
From: qkqpttgf <45693631+qkqpttgf@users.noreply.github.com>
Date: Wed, 6 Oct 2021 16:32:23 +0800
Subject: [PATCH 3/6] fix &
---
 common.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/common.php b/common.php
index f12a28b..a09d7d4 100644
--- a/common.php
+++ b/common.php
@@ -1921,11 +1921,11 @@ function render_list($path = '', $files = [])
 //$htmlcontent = fetch_files(spurlencode(path_format(urldecode($path) . '/index.html'), '/'))['content'];
 $htmlcontent = get_content(spurlencode(path_format(urldecode($path) . '/index.html'), '/'))['content'];
 return output($htmlcontent['body'], $htmlcontent['stat']);
- }//echo $path . "
\n";
+ }
 //$path = str_replace('%20','%2520',$path);
 $path = str_replace('+','%2B',$path);
- $path = str_replace('&','&',path_format(urldecode($path))) ;
- //echo $path . "
\n";
+ $path = path_format(urldecode($path));
+ //$path = str_replace('&','&', $path) ;
 //$path = str_replace('%20',' ',$path);
 $path = str_replace('#','%23',$path);
 $p_path='';
From cb478ccf662fa10523a72d78c9d6c4a529e57c5d Mon Sep 17 00:00:00 2001
From: qkqpttgf <45693631+qkqpttgf@users.noreply.github.com>
Date: Wed, 6 Oct 2021 19:28:05 +0800
Subject: [PATCH 4/6] operate by id
---
 disk/Onedrive.php | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/disk/Onedrive.php b/disk/Onedrive.php
index 3ffaa72..aa61f35 100644
--- a/disk/Onedrive.php
+++ b/disk/Onedrive.php
@@ -1,4 +1,7 @@ disktag))) {
- // https://docs.microsoft.com/en-us/graph/api/driveitem-get?view=graph-rest-1.0
- // https://docs.microsoft.com/zh-cn/graph/api/driveitem-put-content?view=graph-rest-1.0&tabs=http
- // https://developer.microsoft.com/zh-cn/graph/graph-explorer
 $pos = splitlast($path, '/');
 $parentpath = $pos[0];
 if ($parentpath=='') $parentpath = '/';
@@ -350,7 +350,8 @@ class Onedrive {
 $filename = spurlencode($file['name']);
 $filename = path_format($file['path'] . '/' . $filename);
 //echo $filename;
- $result = $this->MSAPI('DELETE', $filename);
+ if ($file['id']) $result = $this->MSAPI('DELETE', "/items/" . $file['id']);
+ else $result = $this->MSAPI('DELETE', $filename);
 if ($result['stat']!=204) $r_body = json_encode($this->files_format(json_decode($result['body'], true)));
 return output($r_body, $result['stat']);
 //return output($result['body'], $result['stat']);
@@ -358,7 +359,7 @@ class Onedrive {
 public function Encrypt($folder, $passfilename, $pass) {
 $filename = path_format($folder['path'] . '/' . urlencode($passfilename));
 if ($pass==='') {
- $result = $this->MSAPI('DELETE', $filename, '');
+ $result = $this->MSAPI('DELETE', $filename);
 } else {
 $result = $this->MSAPI('PUT', $filename, $pass);
 }
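Review bot: The added `//$path = str_replace('&','&', $path) ;` line leaves the removed logic as commented-out code beside the old `//echo` debug leftovers and says nothing about why `&` no longer needs mapping at this point. Delete it, or replace it with a one-line comment stating the reason a literal `&` is now correct here. render_list starts and continues outside the hunk.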
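Review bot: The new `"/items/" . $file['id']` branch reads `$file['id']` without `isset()` and splices it into the Graph request path unencoded, so an absent key raises a notice and an id containing `/`, `?` or `#` would change which API path is requested instead of selecting an item. Where `$file` comes from is outside this hunk; if it can carry client-supplied values, encode the segment: `if (!empty($file['id'])) $result = $this->MSAPI('DELETE', "/items/" . rawurlencode($file['id']));`. The -372 and -391 hunks build the same `/items/` path for PATCH and copy and need the same treatment. The enclosing method starts outside the hunk.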
@@ -372,7 +373,8 @@ class Onedrive {
 $filename = spurlencode($file['name']);
 $filename = path_format($file['path'] . '/' . $filename);
 $data = '{"parentReference":{"path": "/drive/root:' . $folder['path'] . '"}}';
- $result = $this->MSAPI('PATCH', $filename, $data);
+ if ($file['id']) $result = $this->MSAPI('PATCH', "/items/" . $file['id'], $data);
+ else $result = $this->MSAPI('PATCH', $filename, $data);
 $path2 = spurlencode($folder['path'], '/');
 if ($path2!='/'&&substr($path2, -1)=='/') $path2 = substr($path2, 0, -1);
 savecache('path_' . $path2, json_decode('{}', true), $this->disktag, 1);
@@ -391,7 +393,8 @@ class Onedrive {
 $newname = '.' . $namearr[1] . ' (' . date("Ymd\THis\Z") . ')';
 }
 $data = '{ "name": "' . $newname . '" }';
- $result = $this->MSAPI('copy', $filename, $data);
+ if ($file['id']) $result = $this->MSAPI('copy', "/items/" . $file['id'], $data);
+ else $result = $this->MSAPI('copy', $filename, $data);
 /*$num = 0;
 while ($result['stat']==409 && json_decode($result['body'], true)['error']['code']=='nameAlreadyExists') {
 $num++;
@@ -1008,7 +1011,7 @@ class Onedrive {
 if ($path=='' or $path=='/') {
 $url .= $method;
 } else {
- $url .= ':/' . $method;
+ $url .= '/' . $method;
 }
 $method='POST';
 $headers['Content-Type'] = 'application/json';
From 0220c29dbfb04f20b69109df43e8f34c9802ca39 Mon Sep 17 00:00:00 2001
From: qkqpttgf <45693631+qkqpttgf@users.noreply.github.com>
Date: Thu, 7 Oct 2021 12:39:49 +0800
Subject: [PATCH 5/6] fix cant upload
---
 disk/Onedrive.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/disk/Onedrive.php b/disk/Onedrive.php
index aa61f35..8dd2129 100644
--- a/disk/Onedrive.php
+++ b/disk/Onedrive.php
@@ -1010,8 +1010,10 @@ class Onedrive {
 } else {
 if ($path=='' or $path=='/') {
 $url .= $method;
- } else {
+ } elseif (substr($path, 0, 6)=="/items") {
 $url .= '/' . $method;
+ } else {
+ $url .= ':/' . $method;
 }
 $method='POST';
 $headers['Content-Type'] = 'application/json';
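Review bot: The new `elseif (substr($path, 0, 6)=="/items")` decides between the item-id form and the path form of the URL by sniffing the path prefix, so a drive path that itself starts with `/items` (a root folder named `items`, reaching MSAPI through the non-id branches of the -350, -372 and -391 hunks) is sent as an item-id request and fails. A prefix check cannot tell the two apart; have the callers state the mode explicitly (an extra MSAPI parameter, or an id-only helper that bypasses this branch) instead of inferring it from `$path`. MSAPI starts and ends outside the hunk.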
From f924b116dbd10ce5d255e92b9d8db3941f02dfce Mon Sep 17 00:00:00 2001
From: qkqpttgf <45693631+qkqpttgf@users.noreply.github.com>
Date: Thu, 7 Oct 2021 14:32:22 +0800
Subject: [PATCH 6/6] fix XSS in random file
---
 common.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common.php b/common.php
index a09d7d4..6521b8d 100644
--- a/common.php
+++ b/common.php
@@ -389,7 +389,7 @@ function main($path)
 $url = proxy_replace_domain($url, $domainforproxy, $header);
 }
 return output('', 302, $header);
- } else return output('No ' . $_GET['random'] . 'file', 404);
+ } else return output('No ' . htmlspecialchars($_GET['random']) . 'file', 404);
 } else return output('Hidden', 401);
 }
 // is file && not preview mode, download file
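Review bot: The new `htmlspecialchars($_GET['random'])` relies on the default flags, which before PHP 8.1 leave single quotes unescaped and return an empty string for invalid UTF-8 (silently dropping the text); pass them explicitly, and the message is also missing a space before `file`: `} else return output('No ' . htmlspecialchars($_GET['random'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . ' file', 404);`. Whether `output()` emits an HTML content type, which decides whether escaping or a text/plain response is the right fix, is outside the hunk, as is the rest of main().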