
Discuz search error: "您当前的访问请求当中含有非法字符,已经被系统拒绝" ("Your current access request contains illegal characters and has been rejected by the system")

2016-09-11 14:33:48

Discuz! X3.1 fault description: a site owner (self-described "junk site" blogger) found that after upgrading to Discuz! X3.1, logging out, or searching as a guest, produces the error "您当前的访问请求当中含有非法字符,已经被系统拒绝" ("Your current access request contains illegal characters and has been rejected by the system").

Solution: open source/class/discuz/discuz_application.php and find the following function:

    private function _xss_check() {

        // Characters and tokens that mark a request as tainted
        static $check = array('"', '>', '<', '\'', '(', ')', 'CONTENT-TRANSFER-ENCODING');

        // A formhash supplied in the query string must match the session's formhash
        if(isset($_GET['formhash']) && $_GET['formhash'] !== formhash()) {
            system_error('request_tainting');
        }

        // GET requests: inspect the URI; POST without formhash: URI plus raw body
        if($_SERVER['REQUEST_METHOD'] == 'GET') {
            $temp = $_SERVER['REQUEST_URI'];
        } elseif(empty($_GET['formhash'])) {
            $temp = $_SERVER['REQUEST_URI'].file_get_contents('php://input');
        } else {
            $temp = '';
        }

        if(!empty($temp)) {
            // Decode twice so double-encoded input is also checked, then compare case-insensitively
            $temp = strtoupper(urldecode(urldecode($temp)));
            foreach ($check as $str) {
                if(strpos($temp, $str) !== false) {
                    system_error('request_tainting');
                }
            }
        }

        return true;
    }

Replace it with:

    private function _xss_check() {
        // Only the request URI is checked, and only for <, " and CONTENT-TRANSFER-ENCODING
        $temp = strtoupper(urldecode(urldecode($_SERVER['REQUEST_URI'])));
        if(strpos($temp, '<') !== false || strpos($temp, '"') !== false || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false) {
            system_error('request_tainting');
        }
        return true;
    }
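As an added example (not Discuz! code and not part of the page's fix), the two variants above re-implemented as pure functions over a request URI and run against constructed search URLs, so you can see exactly which inputs the relaxed version stops rejecting: it drops `>`, `'`, `(` and `)` from the blacklist and, as the two listings show, also removes the formhash comparison and the scan of the POST body. The URIs are constructed samples, not taken from the page.

```php
<?php
// Added example: compare the original and relaxed _xss_check() logic from the
// page as pure functions that take the URI as a parameter instead of $_SERVER.

// Original X3.1 check, GET path only (formhash and php://input handling omitted).
function xss_check_original(string $uri): bool {
    static $check = array('"', '>', '<', '\'', '(', ')', 'CONTENT-TRANSFER-ENCODING');
    $temp = strtoupper(urldecode(urldecode($uri)));
    foreach ($check as $str) {
        if (strpos($temp, $str) !== false) {
            return false;   // Discuz! calls system_error('request_tainting') here
        }
    }
    return true;
}

// Relaxed check from the page: only <, " and CONTENT-TRANSFER-ENCODING are rejected.
function xss_check_relaxed(string $uri): bool {
    $temp = strtoupper(urldecode(urldecode($uri)));
    return !(strpos($temp, '<') !== false
          || strpos($temp, '"') !== false
          || strpos($temp, 'CONTENT-TRANSFER-ENCODING') !== false);
}

// Constructed sample request URIs (hypothetical, not taken from the page).
$samples = array(
    '/search.php?mod=forum&srchtxt=discuz',          // plain keyword
    '/search.php?mod=forum&srchtxt=it%27s',          // apostrophe, single-encoded
    '/search.php?mod=forum&srchtxt=php%2528%2529',   // parentheses, double-encoded
    '/search.php?mod=forum&srchtxt=%3Cscript%3E',    // angle brackets
    '/search.php?srchtxt=content-transfer-encoding', // lower case, caught by strtoupper
);

printf("%-48s %-8s %s\n", 'request URI', 'original', 'relaxed');
foreach ($samples as $uri) {
    printf("%-48s %-8s %s\n", $uri,
        xss_check_original($uri) ? 'allow' : 'reject',
        xss_check_relaxed($uri)  ? 'allow' : 'reject');
}
```

The apostrophe and double-encoded parenthesis rows are rejected by the original and allowed by the relaxed check, which is what stops the guest-search error but also what the filter gives up.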