From 3e77dd314560f219053c6b66922994c9cd62ee83 Mon Sep 17 00:00:00 2001 From: wangyidong Date: Thu, 5 Nov 2015 09:51:42 +0800 Subject: [PATCH] * code for safe in framework. --- framework/helper.class.php | 49 ---------------------------- framework/router.class.php | 42 +++++++++++++++++++++--- module/admin/view/checkweak.html.php | 2 +- module/company/view/browse.html.php | 2 +- module/user/control.php | 1 + module/user/view/profile.html.php | 2 +- 6 files changed, 41 insertions(+), 57 deletions(-) diff --git a/framework/helper.class.php b/framework/helper.class.php index e1c4c24995..72f2048d00 100644 --- a/framework/helper.class.php +++ b/framework/helper.class.php @@ -616,52 +616,3 @@ function isonlybody() { return (isset($_GET['onlybody']) and $_GET['onlybody'] == 'yes'); } - -/** - * Process evil params. - * - * @param string $value - * @access public - * @return void - */ -function processEvil($value) -{ - if(strpos(htmlspecialchars_decode($value), ' $values) - { - if(!is_array($values)) - { - $params[$item] = processEvil($values); - if(processEvil($item) != $item) unset($params[$item]); - } - else - { - foreach($values as $key => $value) - { - if(is_array($value)) continue; - $params[$item][$key] = processEvil($value); - if(processEvil($key) != $key) unset($params[$item][$key]); - } - } - } - return $params; -} diff --git a/framework/router.class.php b/framework/router.class.php index 6fe29fda9a..9c5701968f 100755 --- a/framework/router.class.php +++ b/framework/router.class.php @@ -292,10 +292,9 @@ class router $this->setModuleRoot(); $this->setThemeRoot(); + $this->loadConfig('common'); $this->filterSuperVars(); $this->setSuperVars(); - - $this->loadConfig('common'); $this->setDebug(); $this->setErrorHandler(); 
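Review bot: The reordering is load-bearing but nothing in the code says so: filterSuperVars() now reads `$this->config->file->dangers` (next hunk), so loadConfig('common') has to run before it, and a later tidy-up that restores the old order would silently turn the upload filter into an access on an unloaded config. I would add `/* Load config first: filterSuperVars() needs $this->config->file->dangers. */` above the moved call so the dependency survives the next refactor. The enclosing method starts before this hunk.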
@@ -477,9 +476,36 @@ class router */ public function filterSuperVars() { - $_POST = processArrayEvils($_POST); - $_GET = processArrayEvils($_GET); - $_COOKIE = processArrayEvils($_COOKIE); + if(!empty($_COOKIE)) + { + foreach($_COOKIE as $cookieKey => $cookieValue) + { + if(preg_match('/[^a-zA-Z0-9=_- ,`+\/\.]/', $cookieValue)) unset($_COOKIE[$cookieKey]); + } + } + + if(!empty($_FILES)) + { + foreach($_FILES as $varName => $files) + { + if(is_array($files['name'])) + { + foreach($files['name'] as $i => $fileName) + { + $extension = ltrim(strrchr($fileName, '.'), '.'); + if(strrpos($this->config->file->dangers, $extension) !== false) + { + foreach($files as $fileKey => $value) unset($_FILES[$varName][$fileKey][$i]); + } + } + } + else + { + $extension = ltrim(strrchr($files['name'], '.'), '.'); + if(strrpos($this->config->file->dangers, $extension) !== false) $_FILES[$varName] = array(); + } + } + } unset($_GLOBALS); unset($_REQUEST); } @@ -1205,6 +1231,12 @@ class router */ private function mergeParams($defaultParams, $passedParams) { + /* Check params from URL. */ + foreach($passedParams as $param => $value) + { + if(preg_match('/[^a-zA-Z0-9=_,`+\/\.]/', $value)) die('Error params!'); + } + /* If not strict mode, the keys of passed params and default params must be the same order. */ if(!isset($this->config->strictParams) or $this->config->strictParams == false) { diff --git a/module/admin/view/checkweak.html.php b/module/admin/view/checkweak.html.php index 18e735283c..26435fa9de 100644 --- a/module/admin/view/checkweak.html.php +++ b/module/admin/view/checkweak.html.php @@ -39,7 +39,7 @@ mobile?> birthday?> admin->safe->reasonList[$user->weakReason];?> - id", '', 'list');?> + account), '', 'list');?> diff --git a/module/company/view/browse.html.php b/module/company/view/browse.html.php index daa56c5acf..8d3a6fa9c6 100644 --- a/module/company/view/browse.html.php +++ b/module/company/view/browse.html.php 
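Review bot: The cookie whitelist in filterSuperVars() never fires: inside the character class the sequence `_- ` (underscore, hyphen, space) is parsed as a range from `_` down to space, which is out of order, so preg_match() fails to compile the pattern, returns false, and no cookie is ever unset. Escaping the hyphen fixes it: `` if(preg_match('/[^a-zA-Z0-9=_\- ,`+\/\.]/', $cookieValue)) unset($_COOKIE[$cookieKey]); ``. The upload check is also weaker than it reads: `strrpos($this->config->file->dangers, $extension) !== false` is a case-sensitive substring test, so `shell.PHP` passes while any harmless extension that happens to be a substring of a listed one is dropped; if `dangers` is a comma-separated list as its use suggests, `in_array(strtolower($extension), explode(',', $this->config->file->dangers))` is the intended test. Whatever reads `$_FILES[$varName]` afterwards must also tolerate it being an empty array instead of the usual name/tmp_name shape, which this hunk does not arrange.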
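Review bot: The new parameter check in mergeParams() only covers string values: if a passed parameter is an array (PHP's `a[]=x` query form, should it reach this point), preg_match() emits a warning and returns null rather than a match, so the value passes through unchecked. Guarding the type first closes that gap: `` if(!is_string($value) or preg_match('/[^a-zA-Z0-9=_,`+\/\.]/', $value)) die('Error params!'); ``. Note that this whitelist is stricter than the cookie one (no space, no hyphen), so any feature that legitimately puts such characters in a URL parameter is now answered with a bare `die()` and no log line; routing the rejection through the framework's normal error path would give operators something to find. mergeParams() continues past the end of the hunk.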
@@ -78,7 +78,7 @@ js::set('confirmDelete', $lang->user->confirmDelete); visits;?> account&from=company", '', 'list'); + common::printIcon('user', 'edit', "userID=" . helper::safe64Encode($user->account) . "&from=company", '', 'list'); if(strpos($this->app->company->admins, ",{$user->account},") === false and common::hasPriv('user', 'delete')) { echo html::a($this->createLink('user', 'delete', "userID=$user->id"), '', '', "title='{$lang->user->delete}' class='btn-icon iframe'"); diff --git a/module/user/control.php b/module/user/control.php index ca7f91f8a1..587f820e33 100644 --- a/module/user/control.php +++ b/module/user/control.php @@ -471,6 +471,7 @@ class user extends control */ public function edit($userID) { + $userID = helper::safe64Decode($userID); $this->lang->set('menugroup.user', 'company'); $this->lang->user->menu = $this->lang->company->menu; $this->lang->user->menuOrder = $this->lang->company->menuOrder; diff --git a/module/user/view/profile.html.php b/module/user/view/profile.html.php index 8143ea8fa0..564b0996d5 100644 --- a/module/user/view/profile.html.php +++ b/module/user/view/profile.html.php @@ -21,7 +21,7 @@ user->profile;?>
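Review bot: The edit link now carries `helper::safe64Encode($user->account)` while the delete link two lines below, unchanged, still passes `userID=$user->id`, so the same row addresses the same user by two different identifiers; if the intent (inferred from the control.php change) is to stop putting the numeric id in URLs, the delete link needs the same treatment, and if not, a comment should say why only edit is encoded. Either way safe64 encoding is reversible and is not an access control, so the user edit action must still check privileges against the decoded account on the server side.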
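Review bot: Decoding here undoes the URL-parameter whitelist that mergeParams() applies to the raw value: a base64-style payload passes that check by construction, and safe64Decode() can yield any byte sequence, so the decoded `$userID` is untrusted input again and must be validated before it reaches a query or a template later in edit() (the body continues outside the hunk). I would validate it right after decoding against whatever account format the application accepts, e.g. `if(!preg_match('/^[a-zA-Z0-9_\.\-]+$/', $userID)) die('Error params!');`, with the character class adjusted to the real account rules. The variable also no longer holds a numeric id but an account name, which deserves a comment on the line, `/* $userID arrives as a safe64-encoded account name, not a numeric id. */`, since any caller still passing a numeric id would now decode to garbage.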
- createLink('user', 'edit', "userID=$user->id"), html::icon('pencil') . ' ' . $lang->user->editProfile, '', "class='btn btn-primary'"); ?> + createLink('user', 'edit', "userID=" . helper::safe64Encode($user->account)), html::icon('pencil') . ' ' . $lang->user->editProfile, '', "class='btn btn-primary'"); ?>