Merge branch 'master' into develop

2019-01-04 18:20:17 +08:00 · 2019-01-04 18:20:17 +08:00 · b873b842fb
parent d49398c3d4 bb8713b6f8
commit b873b842fb
6 changed files with 46 additions and 20 deletions
--- a/application/install/controller/Index.php
+++ b/application/install/controller/Index.php
@ -46,9 +46,9 @@ class Index extends Common
    private function IsInstall()
    {
        // 是否已安装
-        if(file_exists(ROOT.'public/install/install.lock'))
+        if(file_exists(ROOT.'config/database.php'))
        {
-            exit('你已经安装过该系统，重新安装需要先删除 ./public/install/install.lock 文件');
+            exit('你已经安装过该系统，重新安装需要先删除 ./config/database.php 文件');
        }
    }

@ -108,7 +108,7 @@ class Index extends Common
    public function Successful()
    {
        // 检测是否是新安装
-        if(is_dir(ROOT.'public/install') && !file_exists(ROOT.'public/install/install.lock'))
+        if(is_dir(ROOT.'config') && !file_exists(ROOT.'config/database.php'))
        {
            if(empty($_GET['s']) || stripos($_GET['s'], 'install') === false)
            {
@ -129,6 +129,12 @@ class Index extends Common
     */
    public function Add()
    {
+        // 是否ajax
+        if(!IS_AJAX)
+        {
+            die('非法访问');
+        }
+
        // 参数
        $params = input('post.');
        $ret = $this->ParamsCheck($params);
@ -141,11 +147,8 @@ class Index extends Common
        // 配置文件校验
        if(file_exists(ROOT.'config/database.php'))
        {
-            if(!is_writable(ROOT.'config/database.php'))
-            {
-                new \base\Behavior(['msg'=>'配置文件没有权限[./config/database.php'.']']);
-                return DataReturn('配置文件没有权限[./config/database.php'.']', -1);
-            }
+            new \base\Behavior(['msg'=>'你已经安装过该系统，重新安装需要先删除[./config/database.php 文件]']);
+            return DataReturn('你已经安装过该系统，重新安装需要先删除[./config/database.php 文件]', -1);
        }

        // 开始安装
@ -281,7 +284,7 @@ php;
        }

        new \base\Behavior(['msg'=>'安装成功']);
-        return DataReturn('安装成功', 0);
+        return DataReturn('安装成功', -20);
    }

    /**
@ -295,14 +298,14 @@ php;
     */
    private function CreateTable($db, $params)
    {
-        if(!file_exists(ROOT.'public/install/shopxo.sql'))
+        if(!file_exists(ROOT.'config/shopxo.sql'))
        {
            new \base\Behavior(['msg'=>'数据库sql文件不存在']);
            return DataReturn('数据库sql文件不存在', -1);
        }

        // sql文件
-        $sql = file_get_contents(ROOT.'public/install/shopxo.sql');
+        $sql = file_get_contents(ROOT.'config/shopxo.sql');

        //替换表前缀
        $sql = str_replace("`s_", " `{$params['DB_PREFIX']}", $sql);
@ -335,8 +338,6 @@ php;
            return DataReturn('sql运行失败['.$failure.']条', -1);
        }

-        // 创建成功标记文件
-        @touch(ROOT.'public/install/install.lock');
        return DataReturn('success', 0, $result);
    }

--- a/application/install/view/index/successful.html
+++ b/application/install/view/index/successful.html
@ -9,8 +9,9 @@
    <h2>恭喜您安装成功</h2>
    <div class="box">
        <a href="{{$Think.__MY_URL__}}index.php?s=/admin/index/index" target="_blank">后台管理</a><br />
-        <span class="admin_hint">默认账号：admin &emsp; 默认密码为：shopxo</span>
-        <br /><br />
+        <p class="admin-hint">默认账号：admin &emsp; 默认密码为：shopxo</p>
+        <p class="tips-sweet">请尽快修改管理员密码，以防被黑客非法入侵。</p>
+        <br />
        <a href="{{$Think.__MY_URL__}}" target="_blank">访问首页</a>
    </div>
 </div>
--- a/application/service/AppMiniService.php
+++ b/application/service/AppMiniService.php
@ -187,9 +187,21 @@ class AppMiniService
        // 初始化
        self::Init($params);

+        // 目录处理
+        $suffix = '';
+        if(substr($params['id'], -4) === '.zip')
+        {
+            $name = substr($params['id'], 0, strlen($params['id'])-4);
+            $suffix = '.zip';
+        } else {
+            $name = $params['id'];
+        }
+
+        // 防止路径回溯
+        $path = self::$new_path.DS.htmlentities(str_replace(array('.', '/', '\\'), '', strip_tags($name))).$suffix;
+
        // 删除压缩包
-        $path = self::$new_path.DS.$params['id'];
-        if(substr($path, -4) == '.zip')
+        if($suffix == '.zip')
        {
            $status = \base\FileUtil::UnlinkFile($path);
        } else {
--- a/application/service/ThemeService.php
+++ b/application/service/ThemeService.php
@ -174,8 +174,8 @@ class ThemeService
        {
            return DataReturn('模板id有误', -1);
        }
-        // 主题
-        $id = str_replace(array('.', '/', '\\'), '', strip_tags($params['id']));
+        // 防止路径回溯
+        $id = htmlentities(str_replace(array('.', '/', '\\'), '', strip_tags($params['id'])));
        if(empty($id))
        {
            return DataReturn('主题名称有误', -1);
--- a/public/install/shopxo.sql
+++ b/public/install/shopxo.sql
--- a/public/static/install/css/index.css
+++ b/public/static/install/css/index.css
@ -167,9 +167,21 @@ p {
 }
 .success .box {
    text-align: left;
-    width: 260px;
+    width: 360px;
    margin: 0 auto;
 }
+.success .admin-hint, .success .tips-sweet {
+    margin-top: 5px;
+}
+.success .tips-sweet {
+    color: #f00;
+    background: #ffee5b;
+    padding: 5px 8px;
+    border: 1px solid #FF9800;
+}
+.success a {
+    font-size: 16px;
+}

 /**
 * 错误