故障描述:
# N% e& W6 X* E% B
退出登录时出现”您当前的访问请求当中含有非法字符,已经被系统拒绝“错误。
. c" a0 X) s- H2 w解决方法:
- w, r @: D1 \打开 sourceclassdiscuzdiscuz_application.php 文件
- s( z/ O6 T7 i' x找到
2 }( T: H9 F! l* Y: e1 M1 N
private function _xss_check() {
7 t5 N+ s$ _& ~- V2 A
/ Y5 a; \% y, J# } static $check = array('"', '>', '<', ''', '(', ')', 'CONTENT-TRANSFER-ENCODING');
9 M9 x+ V3 f1 N" O3 {( V
5 i3 R* { s2 _, t3 Z if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
0 `! D7 R- o4 i! B
system_error('request_tainting');
0 a- j( r1 o$ \) M3 ~ L% q
}
! B1 [& _6 K( A. \0 |
1 A+ |6 ^- s% y) z0 s" i% h if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
6 I7 T( c8 [9 b- s9 O$ J( f7 K $temp = $_SERVER['REQUEST_URI'];
" X, D# h8 {( ` a' v1 Z$ _ } elseif(empty ($_GET['formhash'])) {
/ q" e# ^- V( j
$temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
* b5 \% @) q% m) N% [1 z } else {
4 d2 f4 W5 X2 W( Q% x: P7 ]
$temp = '';
/ _1 |7 g8 ^; {; {6 v( W* H1 L& h
}
, m" P+ H4 l- C- _, F( P1 V* w$ g' O; Z+ |
if(!empty($temp)) {
) k x9 S7 [2 ^ $temp = strtoupper(urldecode(urldecode($temp)));
( O" x: E$ ^; }! Z( G0 |# F) @ foreach ($check as $str) {
9 r. K$ D( n0 ~1 h' c+ Z if(strpos($temp, $str) !== false) {
\% E) P" q% j* s# a% b5 \& Y# Y
system_error('request_tainting');
0 n, e a' h5 X% k' E! }
}
5 B8 J1 N1 m4 ~* f }
5 S- T6 [8 Q! i, L5 N. o }
& i5 \5 W2 ]# L" A0 c) r5 ^
7 e5 L3 W6 j: j: `/ v$ W; C return true;
8 R6 h+ \! v4 X0 `* P}
) d3 _: O' ~9 A. b
修改为
6 `4 d+ ?" X% a$ K& s8 T! l
private function _xss_check() {
* d1 B( L1 d4 N# I, R5 ^ $temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));
6 _4 O b# I# i) e' J4 D- H/ s
if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {
& j$ Q% q7 x* S* A6 } system_error('request_tainting');
u. L* |& s- F) _! i: ^
}
7 i' Q5 s) r7 F return true;
: n4 v/ y. I* f9 E0 x
}
$ Y+ i) z* p) _