故障描述:
退出登录时出现“您当前的访问请求当中含有非法字符,已经被系统拒绝”错误。
解决方法:
打开 source/class/discuz/discuz_application.php 文件
找到
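/**
 * Request filter: calls system_error('request_tainting') when the query-string
 * formhash does not match formhash(), or when the decoded request data contains
 * one of the substrings in $check.
 *
 * @return bool true when execution reaches the end of the checks
 *              (NOTE(review): system_error() presumably aborts the request; confirm)
 */
private function _xss_check() {

    // Substrings that mark a request as tainted. The single quote has to be
    // written as '\'' inside a single-quoted PHP string; an unescaped ''' does not parse.
    static $check = array('"', '>', '<', '\'', '(', ')', 'CONTENT-TRANSFER-ENCODING');

    // A formhash passed in the query string must equal the value formhash() returns.
    if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
        system_error('request_tainting');
    }

    if($_SERVER['REQUEST_METHOD'] == 'GET' ) {
        // GET: only the request URI is scanned.
        $temp = $_SERVER['REQUEST_URI'];
    } elseif(empty ($_GET['formhash'])) {
        // Non-GET without a formhash: scan the URI together with the raw request body.
        $temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
    } else {
        // Non-GET with a formhash (already compared above): nothing is scanned.
        $temp = '';
    }

    if(!empty($temp)) {
        // Decode twice so doubly URL-encoded input is seen as well, and upper-case
        // so the keyword comparison ignores case.
        $temp = strtoupper(urldecode(urldecode($temp)));
        foreach ($check as $str) {
            if(strpos($temp, $str) !== false) {
                system_error('request_tainting');
            }
        }
    }

    return true;
}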
修改为
/**
 * Reduced request filter: only the decoded REQUEST_URI is inspected, and only
 * for '<', '"' and 'CONTENT-TRANSFER-ENCODING'.
 *
 * NOTE(review): this version does not compare $_GET['formhash'] with formhash(),
 * does not read the request body, and lets '>', the single quote and parentheses
 * through. Anything that relied on those checks has to be enforced elsewhere;
 * confirm before deploying.
 *
 * @return bool true when execution reaches the end of the check
 */
private function _xss_check() {
    // Decode twice and upper-case before matching, so doubly URL-encoded input
    // and mixed-case keywords are still caught.
    $uri = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));

    $tainted = false;
    foreach (array('<', '"', 'CONTENT-TRANSFER-ENCODING') as $needle) {
        if (strpos($uri, $needle) !== false) {
            $tainted = true;
            break;
        }
    }

    if ($tainted) {
        system_error('request_tainting');
    }

    return true;
}