故障描述:
. D( P6 ]& q/ I) k3 P' B$ o退出登录时出现”您当前的访问请求当中含有非法字符,已经被系统拒绝“错误。
# d1 v9 }, n! P0 k4 \% ~
解决方法:
6 x8 G+ j5 Q- K! v2 A, G打开 sourceclassdiscuzdiscuz_application.php 文件
# v# ^, [7 \6 h/ b找到
. V5 R" |7 F$ p {( C- R* D+ z
private function _xss_check() {
h# p+ Z$ y0 {# G5 X$ u4 ^
; |8 v" i9 \" D3 z+ x8 c
static $check = array('"', '>', '<', ''', '(', ')', 'CONTENT-TRANSFER-ENCODING');
2 c( D) z0 o0 I0 M5 s- E4 d8 U. c+ t
if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
0 x3 g4 C9 V6 E- C5 t1 ~" w
system_error('request_tainting');
6 o& h e- g$ C$ Y
}
& W, y/ b0 M- Q6 W$ N# a' \& I( M+ W$ y# L7 Z8 Y9 v$ ~
if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
9 {7 m9 I$ L& e- N3 t. w% o
$temp = $_SERVER['REQUEST_URI'];
' E% q/ a- I" j" q& f/ x% L0 W E } elseif(empty ($_GET['formhash'])) {
& ?) |/ t* C3 I4 m. D $temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
5 F) C% W' Y2 D, J- c } else {
" q) K) p. B h $temp = '';
6 r8 \2 n! U4 x3 E
}
# p' z0 g) m2 I1 t
4 L) Y8 b# G( x% E2 @9 a
if(!empty($temp)) {
/ K3 W1 q' j' G& O) q
$temp = strtoupper(urldecode(urldecode($temp)));
, p+ ?5 N- U* M foreach ($check as $str) {
; P, y2 K9 n1 l& N' \
if(strpos($temp, $str) !== false) {
1 v, Q6 X T: w6 a0 K, `$ G system_error('request_tainting');
& l- v! H% j5 h3 b: _ ~ }
0 D! T, V( z1 T- | }
8 i& G: C, i" m; d Y }
. y0 t# l' r: f% ]% P* c
1 B( R* V& Y. ` G return true;
% P6 W& T b% |% Y: U2 H
}
" b/ s. o1 g8 Q
修改为
- Y& \, R& [$ q# }. uprivate function _xss_check() {
' E9 S) w+ `/ M* i
$temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));
9 N: A7 _: K" N+ | if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {
& b* w8 b W% a \3 d- I system_error('request_tainting');
, M3 e9 a [ W4 \+ V* `$ O
}
9 a8 t: \/ p4 f S/ M+ r3 A7 }9 v5 z) L
return true;
- P* \% h& K+ i! G) g8 H
}
/ b' \. I+ ~ R9 \4 \8 P