HYAPP:465202

Purpose: on small shared-hosting providers, a vulnerability in another customer's site on the same server can be used for a cross-site (旁注) attack that takes your site down; this hook is meant to prevent that. It checks the Referer of POST requests to the admin area and refuses those that do not come from the admin directory on the same host.

File name: t_hook t_bottom_box.hook

Add {hook t_bottom_box} at the beginning of View\admin\footer.html.

<?php
// Debug output stays off unless REF_CHECK_DEBUG is defined elsewhere
// (guard added here: the page itself never defines the constant).
if (!defined('REF_CHECK_DEBUG')) {
    define('REF_CHECK_DEBUG', false);
}

// index.php is skipped; every other admin script is checked.
if (pathinfo($_SERVER['SCRIPT_FILENAME'], PATHINFO_BASENAME) != 'index.php') {
    ref_check();
}

function ref_check() {
    $referer_url = isset($_SERVER['HTTP_REFERER']) ? filter_var($_SERVER['HTTP_REFERER'], FILTER_VALIDATE_URL) : NULL;
    // A POST submission with no (valid) Referer at all is rejected outright
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && empty($referer_url)) {
        header('HTTP/1.0 403 Forbidden');
        echo '<h1>Forbidden</h1>';
        exit();
    }
    // Only POST submissions are checked; GET requests are not
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $referer_host = parse_url($referer_url, PHP_URL_HOST);
        // A Referer such as "http://host" has no path component; treat it as "/"
        $referer_path = parse_url($referer_url, PHP_URL_PATH) ?: '/';
        if (substr($referer_path, -1) === '/') {
            $referer_path .= 'index.php';
        }
        $referer_path = dirname($referer_path);
        $admin_url = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
        // The next two lines were garbled on the page; they are reconstructed as the
        // host and path of $admin_url, which is otherwise unused and is the only
        // value the following dirname() normalisation makes sense for.
        $admin_host = parse_url($admin_url, PHP_URL_HOST);
        $admin_path = parse_url($admin_url, PHP_URL_PATH) ?: '/';
        if (substr($admin_path, -1) === '/') {
            $admin_path .= 'index.php';
        }
        $admin_path = dirname($admin_path);
        if (REF_CHECK_DEBUG) {
            echo "Ref URL: {$referer_url}<br />\r\n";
            echo "Ref Host: {$referer_host}<br />\r\n";
            echo "Ref Path: {$referer_path}<br />\r\n";
            echo "Admin Host: {$admin_host}<br />\r\n";
            echo "Admin Path: {$admin_path}<br />\r\n";
        }
        // Reject the request if the Referer's host or directory differs from the admin page's
        if ($admin_host != $referer_host ||
            $admin_path != $referer_path) {
            header('HTTP/1.0 403 Forbidden');
            echo '<h1>Forbidden</h1>';
            exit();
        }
    }
}
?>
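As an added example that is not part of the hook above, the host and directory comparison from ref_check() is pulled into two pure functions and run against constructed Referer values (forum.example, other.example and the admin URL are made up), so you can see which Referers the rule accepts and which edge cases it refuses, including an admin URL written without a trailing slash.

```php
<?php
// Added example, not part of the original hook: the host/directory comparison
// from ref_check() as pure functions, exercised against constructed Referers.

function normalize_dir(string $url): array {
    // Derive [host, directory] the way ref_check() does: a trailing slash is
    // treated as index.php, then dirname() strips the file name.
    $host = parse_url($url, PHP_URL_HOST);
    $path = parse_url($url, PHP_URL_PATH) ?: '/'; // "http://host" has no path
    if (substr($path, -1) === '/') {
        $path .= 'index.php';
    }
    return [$host, dirname($path)];
}

function referer_allowed(?string $referer, string $admin_url): bool {
    // Like the hook: a POST whose Referer is missing or not a valid URL is refused.
    $referer = filter_var((string) $referer, FILTER_VALIDATE_URL);
    if (empty($referer)) {
        return false;
    }
    [$ref_host, $ref_dir] = normalize_dir($referer);
    [$adm_host, $adm_dir] = normalize_dir($admin_url);
    return $ref_host === $adm_host && $ref_dir === $adm_dir;
}

// Constructed data: the admin script receiving the POST, then [Referer, expected verdict].
$admin_url = 'http://forum.example/admin/post.php?act=save';
$cases = [
    ['http://forum.example/admin/',              true],  // same directory, trailing slash
    ['http://forum.example/admin/index.php',     true],  // same directory, explicit file
    ['http://forum.example/admin/user.php?id=3', true],  // query string does not matter
    ['http://forum.example/',                    false], // front page, not the admin directory
    ['http://forum.example/admin',               false], // no trailing slash: dirname() gives "/"
    ['http://other.example/admin/index.php',     false], // another host on the same server
    ['http://forum.example',                     false], // Referer with no path at all
    [null,                                       false], // POST with no Referer header
];
foreach ($cases as [$referer, $expected]) {
    $verdict = referer_allowed($referer, $admin_url);
    printf("%-45s %-8s %s\n", var_export($referer, true),
        $verdict ? 'allowed' : 'refused', $verdict === $expected ? 'ok' : 'MISMATCH');
}
```

Note that the rule is purely host plus directory: the scheme is never compared, and a legitimate admin page reached as /admin (no trailing slash) is refused because dirname('/admin') is '/'.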
For now only the official template is supported. To support another template, add {hook t_bottom_box} to that template's f.html (footer.html\footer.php, etc.).
Bug reports: http://blog.sixi.ml/plus/15.html