故障描述:
! @" D3 `. B6 ?5 v- J6 h$ ~
退出登录时出现”您当前的访问请求当中含有非法字符,已经被系统拒绝“错误。
3 p1 C+ Y: w i1 I7 V解决方法:
1 y" v& k E' J: E打开 sourceclassdiscuzdiscuz_application.php 文件
1 g+ R' b- L- ]: i' @
找到
+ z2 j' N# J4 K) K# d dprivate function _xss_check() {
9 y0 I* m3 {( r. X2 y* U
4 e# S8 \ Y% j7 Z6 e7 o. r5 a
static $check = array('"', '>', '<', ''', '(', ')', 'CONTENT-TRANSFER-ENCODING');
1 [" J5 |/ i% n* X9 a: u7 ^
% [# B5 A6 g: E0 K7 `
if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
$ Z# V( o3 ?" W' D2 U6 L system_error('request_tainting');
6 W/ {. G \- Y a( F5 x+ j }
4 r/ D; Y" `2 u% g5 G6 u
- x! v4 `: ?/ ` ~4 k) y3 i% |' H* G+ d- R" y
if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
9 Q( O! `+ s2 D' I% B
$temp = $_SERVER['REQUEST_URI'];
]+ Q, }/ K7 ]8 B% O. D
} elseif(empty ($_GET['formhash'])) {
4 D6 e' T) C. G6 w; f $temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
' C' d: j% n; l$ K6 j
} else {
T) u3 R5 k& Z $temp = '';
$ `4 j4 A" c+ F, [
}
/ R. h' q$ J4 q' E0 e. b6 b5 z& z/ n' S! r' N, A
if(!empty($temp)) {
7 f1 e4 g! m, D/ m; `9 A $temp = strtoupper(urldecode(urldecode($temp)));
$ ]" a; n: j. U9 Y4 r+ I
foreach ($check as $str) {
& K7 c$ s b( g; K if(strpos($temp, $str) !== false) {
3 H; P( m' g5 j$ K9 F) C+ x) f; w
system_error('request_tainting');
- d4 m9 U4 d9 Q0 W* k2 l8 _( D
}
9 e4 y+ f1 N$ k; [9 l. J1 [ }
* C5 g+ z1 b7 V7 j }
8 V6 N+ h0 n: M
2 }6 m! T( V) t4 C return true;
* i' }% A" p- o0 @2 _" x2 R}
! @! ]8 ~+ U" Z3 N修改为
9 d3 X( E% `1 n$ `
private function _xss_check() {
$ p9 b% n0 `% @6 F8 n $temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));
; I6 ]) w8 y. y- b' w if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {
! i' O1 k8 n- E+ \+ w1 @9 `8 g( p system_error('request_tainting');
% @4 q- v3 K0 V8 c0 J, O' T; J
}
2 v5 X6 a) c& @) \; O return true;
4 H9 x8 w8 t4 h3 g, N$ m; Q
}
; A G8 a& T6 i( y- P2 l