Merge branch 'master' into develop

application/service/AppMiniService.php

@@ -198,7 +198,7 @@ class AppMiniService
         }
 
         // 防止路径回溯
-        $path = self::$new_path.DS.htmlentities(str_replace(array('.', '/', '\\'), '', strip_tags($name))).$suffix;
+        $path = self::$new_path.DS.htmlentities(str_replace(array('.', '/', '\\', ':'), '', strip_tags($name))).$suffix;
 
         // 删除压缩包
         if($suffix == '.zip')

application/service/PaymentService.php

@@ -437,18 +437,22 @@ class PaymentService
             return DataReturn('已存在相同插件', -3);
         }
 
+        // 文件名称过滤
+        $name = substr($_FILES['file']['name'], 0, strlen($_FILES['file']['name'])-4);
+        $payment = str_replace(array('.', '/', '\\', ':'), '', $name);
+
         // 存储文件
-        if(!move_uploaded_file($_FILES['file']['tmp_name'], self::$payment_dir.$_FILES['file']['name']))
+        $file = self::$payment_dir.$payment.'.php';
+        if(!move_uploaded_file($_FILES['file']['tmp_name'], $file))
         {
             return DataReturn('上传失败', -100);
         }
 
         // 文件校验
-        $payment = htmlentities(str_replace('.php', '', $_FILES['file']['name']));
         $config = self::GetPaymentConfig($payment);
         if($config === false)
         {
-            @unlink(self::$payment_dir.$_FILES['file']['name']);
+            @unlink($file);
             return DataReturn('插件编写有误，请参考文档编写', -10);
         }
         return DataReturn('上传成功');

application/service/ThemeService.php

@@ -175,7 +175,7 @@ class ThemeService
             return DataReturn('模板id有误', -1);
         }
         // 防止路径回溯
-        $id = htmlentities(str_replace(array('.', '/', '\\'), '', strip_tags($params['id'])));
+        $id = htmlentities(str_replace(array('.', '/', '\\', ':'), '', strip_tags($params['id'])));
         if(empty($id))
         {
             return DataReturn('主题名称有误', -1);