From d48cee25e75710ccc6ffcaada2346962ab6026c0 Mon Sep 17 00:00:00 2001 From: devil_gong Date: Fri, 4 Jan 2019 17:47:57 +0800 Subject: [PATCH 1/3] =?UTF-8?q?=E9=98=B2=E6=AD=A2=E7=B3=BB=E7=BB=9F?= =?UTF-8?q?=E8=A2=AB=E9=9D=9E=E6=B3=95=E9=87=8D=E5=A4=8D=E5=AE=89=E8=A3=85?= =?UTF-8?q?=EF=BC=8C=E5=B0=86sql=E6=96=87=E4=BB=B6=E7=A7=BB=E5=88=B0config?= =?UTF-8?q?=E4=B8=AD?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/install/controller/Index.php | 27 ++++++++++++------------ {public/install => config}/shopxo.sql | 0 2 files changed, 14 insertions(+), 13 deletions(-) rename {public/install => config}/shopxo.sql (100%) diff --git a/application/install/controller/Index.php b/application/install/controller/Index.php index 1aefb79a6..ea74683fd 100644 --- a/application/install/controller/Index.php +++ b/application/install/controller/Index.php @@ -46,9 +46,9 @@ class Index extends Common private function IsInstall() { // 是否已安装 - if(file_exists(ROOT.'public/install/install.lock')) + if(file_exists(ROOT.'config/database.php')) { - exit('你已经安装过该系统,重新安装需要先删除 ./public/install/install.lock 文件'); + exit('你已经安装过该系统,重新安装需要先删除 ./config/database.php 文件'); } } @@ -108,7 +108,7 @@ class Index extends Common public function Successful() { // 检测是否是新安装 - if(is_dir(ROOT.'public/install') && !file_exists(ROOT.'public/install/install.lock')) + if(is_dir(ROOT.'config') && !file_exists(ROOT.'config/database.php')) { if(empty($_GET['s']) || stripos($_GET['s'], 'install') === false) { @@ -129,6 +129,12 @@ class Index extends Common */ public function Add() { + // 是否ajax + if(!IS_AJAX) + { + die('非法访问'); + } + // 参数 $params = input('post.'); $ret = $this->ParamsCheck($params); 
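Review bot: The reinstall gate in IsInstall() now keys on `config/database.php`, which is presumably also the file the running application reads its DB settings from, and the message tells the operator to delete it to reinstall; so "reinstall" and "break the live site" become the same action, and any restore or deploy that omits that one file silently reopens the unauthenticated installer against an existing database. A dedicated marker that the application does not otherwise need would decouple the two, e.g. `if(file_exists(ROOT.'config/database.php') || file_exists(ROOT.'config/install.lock'))`, keeping the marker under `config/` rather than the web-served `public/` tree as this commit intends. The notice could also tell the operator to remove `application/install` once setup is done instead of only describing how to reinstall.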
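Review bot: `is_dir(ROOT.'config')` in Successful() is effectively always true once this commit lands (the same patch places `shopxo.sql` in that directory and `database.php` is written there), so the new-install test collapses to `!file_exists(ROOT.'config/database.php')` and no longer expresses what the old `is_dir(ROOT.'public/install')` did, namely that the installer is still present on disk. Either drop the directory half, `if(!file_exists(ROOT.'config/database.php'))`, or keep the original `public/install` condition and replace only the lock-file half. The rest of Successful() lies outside this hunk.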
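Review bot: The new `if(!IS_AJAX) die('非法访问');` guard at the top of Add() is not an access control: if IS_AJAX is derived, as in ThinkPHP, from the client-supplied `X-Requested-With` header, any script or curl invocation satisfies it, so it only stops someone typing the URL into a browser. The real protection is the `config/database.php` existence check later in the method; the guard is fine as a usability measure but the commit message should not present it as preventing illegal access. A comment would keep the next maintainer from leaning on it: `// Convenience check only (IS_AJAX is client-controlled); the installed-state check below is the real gate`. Add() continues beyond this hunk.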
@@ -141,11 +147,8 @@ class Index extends Common // 配置文件校验 if(file_exists(ROOT.'config/database.php')) { - if(!is_writable(ROOT.'config/database.php')) - { - new \base\Behavior(['msg'=>'配置文件没有权限[./config/database.php'.']']); - return DataReturn('配置文件没有权限[./config/database.php'.']', -1); - } + new \base\Behavior(['msg'=>'你已经安装过该系统,重新安装需要先删除[./config/database.php 文件]']); + return DataReturn('你已经安装过该系统,重新安装需要先删除[./config/database.php 文件]', -1); } // 开始安装 @@ -281,7 +284,7 @@ php; } new \base\Behavior(['msg'=>'安装成功']); - return DataReturn('安装成功', 0); + return DataReturn('安装成功', -20); } /** @@ -295,14 +298,14 @@ php; */ private function CreateTable($db, $params) { - if(!file_exists(ROOT.'public/install/shopxo.sql')) + if(!file_exists(ROOT.'config/shopxo.sql')) { new \base\Behavior(['msg'=>'数据库sql文件不存在']); return DataReturn('数据库sql文件不存在', -1); } // sql文件 - $sql = file_get_contents(ROOT.'public/install/shopxo.sql'); + $sql = file_get_contents(ROOT.'config/shopxo.sql'); //替换表前缀 $sql = str_replace("`s_", " `{$params['DB_PREFIX']}", $sql); @@ -335,8 +338,6 @@ php; return DataReturn('sql运行失败['.$failure.']条', -1); } - // 创建成功标记文件 - @touch(ROOT.'public/install/install.lock'); return DataReturn('success', 0, $result); } diff --git a/public/install/shopxo.sql b/config/shopxo.sql similarity index 100% rename from public/install/shopxo.sql rename to config/shopxo.sql From 6707ddcec8b0209c89c3e529c9a61d67c5919629 Mon Sep 17 00:00:00 2001 From: devil_gong Date: Fri, 4 Jan 2019 17:57:40 +0800 Subject: [PATCH 2/3] =?UTF-8?q?=E5=AE=89=E8=A3=85=E5=AE=8C=E6=88=90?= =?UTF-8?q?=E6=8F=90=E7=A4=BA=E4=BF=A1=E6=81=AF=E4=BC=98=E5=8C=96?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/install/view/index/successful.html | 5 +++-- public/static/install/css/index.css | 14 +++++++++++++- 2 files changed, 16 insertions(+), 3 deletions(-) 
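Review bot: Dropping the `is_writable` branch leaves no pre-flight check that `config/` can be written when `database.php` does not yet exist; judging by the `php;` heredoc that closes just before the success return, the config file is written after CreateTable() has populated the database, so an unwritable directory is now discovered only after the tables and the default admin account exist, while the existence gate in this hunk still admits further unauthenticated install requests. Keep a directory check beside the existence check: `if(!is_writable(ROOT.'config')) { new \base\Behavior(['msg'=>'配置目录没有权限[./config]']); return DataReturn('配置目录没有权限[./config]', -1); }`. Note also that two concurrent requests can both pass `file_exists` before either writes the file; that single-request assumption should at least be stated in a comment. Add() starts and ends outside this hunk.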
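Review bot: The success return now carries `-20` where every other return visible in this file uses negative codes for failures (`-1` in the neighbouring hunks) and `0` for success, and nothing in the hunk says why. Presumably the installer front end keys a redirect to Successful on this value; say so where the next reader will look: `// -20 is a sentinel the install page treats as "done, redirect", not an error code`. The enclosing method starts and ends outside this hunk.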
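Review bot: `file_get_contents(ROOT.'config/shopxo.sql')` is still unchecked after the path change: if the relocated file is unreadable (its permissions no longer have to match the web-served `public/` tree it came from), `$sql` is `false`, the prefix `str_replace` turns it into `''`, and the statement loop below (outside this hunk) presumably runs zero statements and reaches `DataReturn('success', 0, ...)`, locking in an installation with an empty schema. Add `if($sql === false || trim($sql) === '') { return DataReturn('数据库sql文件读取失败', -1); }` right after the read. The prefix substitution also interpolates `$params['DB_PREFIX']` from the POST body straight into the SQL text; ParamsCheck() presumably restricts it to identifier characters, but that is worth confirming since the installer is reachable unauthenticated. CreateTable() continues beyond the hunk.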
diff --git a/application/install/view/index/successful.html b/application/install/view/index/successful.html index 24a819578..4bf831e9d 100644 --- a/application/install/view/index/successful.html +++ b/application/install/view/index/successful.html @@ -9,8 +9,9 @@

恭喜您安装成功

后台管理
- 默认账号:admin   默认密码为:shopxo -

+

默认账号:admin   默认密码为:shopxo

+

请尽快修改管理员密码,以防被黑客非法入侵。

+
访问首页
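Review bot: The added red hint still leaves the default `admin`/`shopxo` credentials in place on every fresh install, and a warning on a page the operator sees once does not change the deployments that ignore it; default admin credentials on an internet-facing backend are exactly what gets scanned for. Collecting an administrator password in the install form (handled by Add() in Index.php earlier in this series) and hashing it into the seeded admin row would remove the default entirely, after which this panel only needs to name the account that was created. Failing that, the admin backend should force a password change on first login rather than rely on this text.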
diff --git a/public/static/install/css/index.css b/public/static/install/css/index.css index 9df4040a7..0049aeac8 100755 --- a/public/static/install/css/index.css +++ b/public/static/install/css/index.css @@ -167,9 +167,21 @@ p { } .success .box { text-align: left; - width: 260px; + width: 360px; margin: 0 auto; } +.success .admin-hint, .success .tips-sweet { + margin-top: 5px; +} +.success .tips-sweet { + color: #f00; + background: #ffee5b; + padding: 5px 8px; + border: 1px solid #FF9800; +} +.success a { + font-size: 16px; +} /** * 错误 From bb8713b6f88b0c7764fcb84d53fce6a9532b01e6 Mon Sep 17 00:00:00 2001 From: devil_gong Date: Fri, 4 Jan 2019 18:16:20 +0800 Subject: [PATCH 3/3] =?UTF-8?q?=E5=B0=8F=E7=A8=8B=E5=BA=8F=E5=8C=85?= =?UTF-8?q?=E5=88=A0=E9=99=A4=EF=BC=8C=E9=98=B2=E6=AD=A2=E8=B7=AF=E5=BE=84?= =?UTF-8?q?=E5=9B=9E=E6=BA=AF?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- application/service/AppMiniService.php | 16 ++++++++++++++-- application/service/ThemeService.php | 4 ++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/application/service/AppMiniService.php b/application/service/AppMiniService.php index fd3e110fe..69b670d50 100755 --- a/application/service/AppMiniService.php +++ b/application/service/AppMiniService.php @@ -187,9 +187,21 @@ class AppMiniService // 初始化 self::Init($params); + // 目录处理 + $suffix = ''; + if(substr($params['id'], -4) === '.zip') + { + $name = substr($params['id'], 0, strlen($params['id'])-4); + $suffix = '.zip'; + } else { + $name = $params['id']; + } + + // 防止路径回溯 + $path = self::$new_path.DS.htmlentities(str_replace(array('.', '/', '\\'), '', strip_tags($name))).$suffix; + // 删除压缩包 - $path = self::$new_path.DS.$params['id']; - if(substr($path, -4) == '.zip') + if($suffix == '.zip') { $status = \base\FileUtil::UnlinkFile($path); } else { diff --git a/application/service/ThemeService.php b/application/service/ThemeService.php index c66d1f87f..6f6bf8cff 100755 
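Review bot: `htmlentities()` on the new `$path` line is an HTML output encoder, not a path sanitizer: it adds nothing against traversal beyond the `str_replace` blacklist, rewrites `&`, quotes and `<`/`>` into entities so the computed path no longer matches any package that was actually uploaded, and does nothing about an id that strips down to nothing. That last case is the real defect: an id such as `.` or `../` yields `$name === ''`, so `$path` becomes `self::$new_path.DS` — the package directory itself — and falls into the non-zip else branch (outside this hunk), which presumably removes a directory. ThemeService in this same commit at least guards with `empty($id)`; this method needs an equivalent, and an allow-list on the raw id is simpler and complete than blacklist-plus-encode (assuming this method returns DataReturn like its ThemeService sibling; the character class may need widening to whatever names the upload side produces).

```php
// Allow-list the package name instead of stripping characters: an id that
// reduces to '' would otherwise point at the package directory itself.
if(!is_string($params['id']) || !preg_match('/^[A-Za-z0-9_-]+(\.zip)?$/', $params['id']))
{
    return DataReturn('小程序包名称有误', -1);
}
$suffix = (substr($params['id'], -4) === '.zip') ? '.zip' : '';
$name = ($suffix === '') ? $params['id'] : substr($params['id'], 0, -4);
$path = self::$new_path.DS.$name.$suffix;
// … unchanged: delete zip file or package directory …
```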
--- a/application/service/ThemeService.php +++ b/application/service/ThemeService.php @@ -174,8 +174,8 @@ class ThemeService { return DataReturn('模板id有误', -1); } - // 主题 - $id = str_replace(array('.', '/', '\\'), '', strip_tags($params['id'])); + // 防止路径回溯 + $id = htmlentities(str_replace(array('.', '/', '\\'), '', strip_tags($params['id']))); if(empty($id)) { return DataReturn('主题名称有误', -1);
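Review bot: `htmlentities()` on the new `$id` line is an HTML encoder, not a path sanitizer: it adds nothing against traversal beyond what the surrounding `str_replace` blacklist already does, and it rewrites `&`, quotes and angle brackets into entities, so a theme whose directory name contains one of them now maps to a path that does not exist. The blacklist also has no answer for NUL bytes or other characters that have no place in a theme name; an allow-list on the raw id is both tighter and simpler: `if(!preg_match('/^[A-Za-z0-9_-]+$/', (string) $params['id'])) { return DataReturn('主题名称有误', -1); }` followed by `$id = $params['id'];`, dropping the strip/replace/entities chain (`empty($id)` would also have rejected a theme literally named `0`). The enclosing method continues beyond the hunk.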