故障描述:
, u' @6 K3 ~% Z4 `/ W$ C2 V
退出登录时出现”您当前的访问请求当中含有非法字符,已经被系统拒绝“错误。
4 V/ k5 h) N1 V$ g, j5 c/ j6 w
解决方法:
' e j# r+ E0 Q2 N% T t4 Y
打开 sourceclassdiscuzdiscuz_application.php 文件
% n7 e {9 p. d% N3 t. x$ c T
找到
' _6 a! ]+ n1 y T/ Cprivate function _xss_check() {
! h/ S3 {# X% P1 L4 S+ w( x7 G- H! F: U& k+ P j
static $check = array('"', '>', '<', ''', '(', ')', 'CONTENT-TRANSFER-ENCODING');
% d" O f1 S) `2 l. _7 }
( h- _! J: T" h) n! A& t
if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
* N1 i- }$ S; t5 i. b system_error('request_tainting');
5 @# o" m9 u& C2 j% Q) P0 G; V }
$ U3 [5 K8 L z* S
$ g m# h8 c5 ?) u l0 U7 j% Z" B* D
if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
. B7 Z H+ L0 h5 }
$temp = $_SERVER['REQUEST_URI'];
7 O& h& Q% M& w V } elseif(empty ($_GET['formhash'])) {
. f2 Y, v' S/ P/ ]4 s' |( L0 D% [
$temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
: l- g3 `2 q2 v' ~8 v0 @/ _
} else {
+ R( _+ m) c* h $temp = '';
! r& H" Q/ t3 n0 S& |9 B
}
. h2 Y3 O6 E7 [3 M' j; y1 W' [* J' R! b) z- H
if(!empty($temp)) {
3 ~/ ^: M- {) E2 ~& d$ R $temp = strtoupper(urldecode(urldecode($temp)));
s) n3 S. I6 f foreach ($check as $str) {
9 x+ I; b0 F8 j: ~' o& [9 m% H9 E9 `
if(strpos($temp, $str) !== false) {
, z, f$ Z; _, S5 M. N system_error('request_tainting');
S' W7 m) u' c
}
7 Z) Y H& c; _" x* ?0 F }
]3 W. [% L U% U/ L: ~1 m }
4 \ i7 w' w3 G* R. T" a. ~
( [) w+ o& [' U
return true;
. [/ ?" o! i' r i9 i}
$ V: e& @+ S1 S
修改为
9 `% U4 u4 M2 wprivate function _xss_check() {
8 ?$ M7 f. f6 d# J
$temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));
0 A, C S2 j9 ? if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {
+ A! T5 z8 _4 A5 i; W0 x system_error('request_tainting');
6 \2 y( E1 p& q# n
}
, z0 m3 G# k% L/ ]: z0 M
return true;
; R4 E' X, A' x! {: j}
' U3 o8 K2 v* A) c$ p