故障描述:
退出登录时出现“您当前的访问请求当中含有非法字符,已经被系统拒绝”错误。
解决方法:
打开 source/class/discuz/discuz_application.php 文件
找到
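/**
 * Request filter: rejects a request whose URI (and, for non-GET requests without a
 * formhash in the query string, its raw body) contains a blacklisted substring.
 *
 * On a hit, or on a formhash mismatch, system_error('request_tainting') is called.
 * NOTE(review): system_error() and formhash() are defined elsewhere; presumably
 * system_error() renders the "illegal characters" rejection page and stops the
 * request - confirm against its definition.
 *
 * @return bool true when no check fired (and system_error() returned, if it does).
 */
private function _xss_check() {

    // Substrings treated as tainting. The single quote must be escaped inside a
    // single-quoted literal; the listing on the page had lost the backslash ('''),
    // which is a parse error. The header name is upper-case because the haystack
    // is upper-cased before matching.
    static $check = array('"', '>', '<', '\'', '(', ')', 'CONTENT-TRANSFER-ENCODING');

    // A formhash passed in the query string has to equal the value formhash() returns.
    if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
        system_error('request_tainting');
    }

    if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
        // GET: only the request URI is inspected.
        $temp = $_SERVER['REQUEST_URI'];
    } elseif(empty ($_GET['formhash'])) {
        // Non-GET without a formhash in the query string: inspect URI plus raw body.
        $temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
    } else {
        // Non-GET carrying a formhash (already compared above): nothing is scanned.
        $temp = '';
    }

    if(!empty($temp)) {
        // Decode twice so that doubly percent-encoded characters are matched too.
        $temp = strtoupper(urldecode(urldecode($temp)));
        foreach ($check as $str) {
            if(strpos($temp, $str) !== false) {
                system_error('request_tainting');
            }
        }
    }

    return true;
}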
修改为(注意:下面的版本去掉了 formhash 校验和对非 GET 请求体的检查,也不再拦截 >、'、(、) 这几个字符,过滤范围比原函数小得多,会削弱原有的请求过滤;建议先确认是哪一条检查被触发,例如退出链接中的 formhash 是否与当前会话一致,再决定是否整体放宽)
/**
 * Reduced request filter: scans only the request URI for three substrings and
 * calls system_error('request_tainting') when any of them is present.
 *
 * NOTE(review): compared with the stock function quoted earlier on this page,
 * this version no longer compares $_GET['formhash'] with formhash(), never reads
 * the request body (php://input), and no longer matches '>', single quote, '('
 * or ')'. It makes the logout error go away by narrowing the filter, so treat it
 * as a reduction in request filtering, not as a targeted fix.
 *
 * @return bool true when no substring matched (and system_error() returned, if it does).
 */
private function _xss_check() {
    // Decode twice so doubly percent-encoded characters are seen, then upper-case
    // so the header name matches regardless of the case used in the request.
    $uri = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));

    $tainted = false;
    foreach (array('<', '"', 'CONTENT-TRANSFER-ENCODING') as $needle) {
        if (strpos($uri, $needle) !== false) {
            $tainted = true;
            break;
        }
    }

    // Report once, exactly as the single combined condition did.
    if ($tainted) {
        system_error('request_tainting');
    }

    return true;
}