diff --git a/app/admin/controller/Payment.php b/app/admin/controller/Payment.php
index 6bb484592..e1d53f87f 100755
--- a/app/admin/controller/Payment.php
+++ b/app/admin/controller/Payment.php
@@ -103,7 +103,7 @@ class Payment extends Base
 */
 public function Save()
 {
- return ApiService::ApiDataReturn(PaymentService::PaymentUpdate($this->data_request));
+ return ApiService::ApiDataReturn(PaymentService::PaymentSave($this->data_request));
 }
 /**
diff --git a/app/admin/controller/Theme.php b/app/admin/controller/Theme.php
index b0ec01d0f..3f6661ee1 100755
--- a/app/admin/controller/Theme.php
+++ b/app/admin/controller/Theme.php
@@ -91,8 +91,7 @@ class Theme extends Base
 */
 public function Save()
 {
- $params['common_default_theme'] = empty($this->data_request['theme']) ? 'default' : $this->data_request['theme'];
- return ApiService::ApiDataReturn(ConfigService::ConfigSave($params));
+ return ApiService::ApiDataReturn(ThemeService::ThemeSwitch($this->data_request));
 }
 /**
diff --git a/app/common.php b/app/common.php
index d1ba08284..1918163b6 100755
--- a/app/common.php
+++ b/app/common.php
@@ -2027,7 +2027,7 @@ function PluginsAdminUrl($plugins_name, $plugins_control, $plugins_action, $para
 * @param [float] $price [金额]
 * @param [mixed] $default [默认值]
 */
-function PriceBeautify($price = 0, $default = null)
+function PriceBeautify($price = 0, $default = '')
 {
 if(empty($price))
 {
diff --git a/app/service/PaymentService.php b/app/service/PaymentService.php
index 86b5eb21a..4a66ad610 100755
--- a/app/service/PaymentService.php
+++ b/app/service/PaymentService.php
@@ -368,7 +368,7 @@ class PaymentService
 }
 /**
- * 数据更新
+ * 数据保存
 * @author Devil
 * @blog http://gong.gg/
 * @version 1.0.0
@@ -376,7 +376,7 @@ class PaymentService
 * @desc description
 * @param [array] $params [输入参数]
 */
- public static function PaymentUpdate($params = [])
+ public static function PaymentSave($params = [])
 {
 // 请求类型
 $p = [
@@ -409,6 +409,20 @@ class PaymentService
 return DataReturn($ret, -1);
 }
+ // 获取数据
+ $info = Db::name('Payment')->where(['id'=>intval($params['id'])])->find();
+ if(empty($info))
+ {
+ return DataReturn(MyLang('no_data'), -1);
+ }
+
+ // 安全判断
+ $ret = self::PaymentLegalCheck($info['payment']);
+ if($ret['code'] != 0)
+ {
+ return $ret;
+ }
+
 // 附件
 $data_fields = ['logo'];
 $attachment = ResourcesService::AttachmentParams($params, $data_fields);
@@ -418,14 +432,14 @@ class PaymentService
 'name' => $params['name'],
 'apply_terminal' => empty($params['apply_terminal']) ? '' : json_encode(explode(',', $params['apply_terminal'])),
 'logo' => $attachment['data']['logo'],
- 'config' => json_encode(self::GetPlugConfig($params)),
+ 'config' => json_encode(self::GetPluginsConfig($params)),
 'sort' => intval($params['sort']),
 'is_enable' => isset($params['is_enable']) ? intval($params['is_enable']) : 0,
 'is_open_user' => isset($params['is_open_user']) ? intval($params['is_open_user']) : 0,
 ];
 $data['upd_time'] = time();
- if(Db::name('Payment')->where(['id'=>intval($params['id'])])->update($data))
+ if(Db::name('Payment')->where(['id'=>$info['id']])->update($data))
 {
 return DataReturn(MyLang('edit_success'), 0);
 }
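Review bot: The new `// 安全判断` block in PaymentSave checks the identifier taken from the stored row (`$info['payment']`) rather than from the request, which is what makes the gate non-bypassable, but the comment does not say so; suggest `// Legal check uses the stored payment identifier, not request input, so a forged name cannot skip it`. The `if($ret['code'] != 0)` test is a loose comparison, under which a missing or null `code` compares equal to 0 and reads as success; `if($ret['code'] !== 0)` fails closed, and the same pattern recurs in the PluginsAdminService, PluginsService, PluginsUpgradeService and ThemeService hunks. PaymentSave begins before this hunk, so the `$p` parameter checks that presumably validate `$params['id']` are not visible here.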
@@ -433,6 +447,47 @@ class PaymentService
 }
 /**
+ * 支付方式安全判断
+ * @author Devil
+ * @blog http://gong.gg/
+ * @version 1.0.0
+ * @date 2023-05-26
+ * @desc description
+ * @param [string] $payment [支付方式标识]
+ */
+ public static function PaymentLegalCheck($payment)
+ {
+ if(RequestModule() == 'admin')
+ {
+ $key = 'payment_legal_check_'.$payment;
+ $ret = MyCache($key);
+ if(empty($ret))
+ {
+ $config = self::GetPaymentConfig($payment);
+ if(empty($config))
+ {
+ return DataReturn(MyLang('common_service.pluginsupgrade.payment_config_error_tips'), -1);
+ }
+ $check_params = [
+ 'type' => 'payment',
+ 'config' => $config['base'],
+ 'plugins' => $payment,
+ 'author' => $config['base']['author'],
+ 'ver' => $config['base']['version'],
+ ];
+ $ret = StoreService::PluginsLegalCheck($check_params);
+ MyCache($key, $ret, 3600);
+ }
+ if(!in_array($ret['code'], [0, -9999]))
+ {
+ return $ret;
+ }
+ }
+ return DataReturn('success', 0);
+ }
+
+ /**
+ * 支付插件配置信息
 * @author Devil
 * @blog http://gong.gg/
 * @version 1.0.0
@@ -440,7 +495,7 @@ class PaymentService
 * @desc description
 * @param [array] $params [输入参数]
 */
- private static function GetPlugConfig($params = [])
+ private static function GetPluginsConfig($params = [])
 {
 $data = [];
 foreach($params as $k=>$v)
diff --git a/app/service/PluginsAdminService.php b/app/service/PluginsAdminService.php
index 225926920..946cf302a 100755
--- a/app/service/PluginsAdminService.php
+++ b/app/service/PluginsAdminService.php
@@ -1317,6 +1317,13 @@ php;
 return DataReturn(MyLang('plugins_config_error_tips'), -10);
 }
+ // 安全判断
+ $ret = PluginsService::PluginsLegalCheck($plugins);
+ if($ret['code'] != 0)
+ {
+ return $ret;
+ }
+
 // 目录不存在则创建
 $new_dir = ROOT.'runtime'.DS.'data'.DS.'plugins_package'.DS.$plugins;
 \base\FileUtil::CreateDir($new_dir);
diff --git a/app/service/PluginsService.php b/app/service/PluginsService.php
index 555e0da4b..23f6baa22 100755
--- a/app/service/PluginsService.php
+++ b/app/service/PluginsService.php
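Review bot: PaymentLegalCheck guards only `empty($config)` before reading `$config['base']['author']` and `$config['base']['version']`, whereas the plugins branch in the PluginsUpgradeService `@@ -244` hunk checks `empty($config) || empty($config['base'])`; a config without a `base` section would raise an undefined-index warning here instead of returning the config-error result, so use `if(empty($config) || empty($config['base']))`. The pass test `!in_array($ret['code'], [0, -9999])` is a loose comparison, so a cached result whose `code` is missing or null compares equal to 0 and is treated as legal; `!in_array($ret['code'] ?? null, [0, -9999], true)` only passes a real 0 or -9999. Because -9999 is accepted, the `@desc description` placeholder should explain the contract, e.g. `@desc Store legality check, admin module only; code -9999 is treated as pass; result cached for 3600s` — I am inferring that -9999 means the store could not answer, so confirm against StoreService::PluginsLegalCheck before wording it. The same three points apply to ThemeLegalCheck in the ThemeService `@@ -402` hunk, which reads `$config['author']` unguarded, and by the visible context to PluginsLegalCheck in PluginsService; the three methods are near-verbatim copies and could share one helper parameterised by type and config loader.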
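Review bot: The added PluginsLegalCheck call in PluginsAdminService only performs a check when `RequestModule() == 'admin'` (see its body in the PluginsService hunk); in any other module it returns success without contacting the store, so if this packaging path is reachable from a non-admin entry point the gate is a no-op. If admin-only is the intended contract, a comment here would stop a later caller from assuming the check is unconditional: `// PluginsLegalCheck is a no-op outside the admin module; keep this packaging path admin-only`. The enclosing function starts before this hunk, so how `$plugins` was validated before being joined into `$new_dir` is not visible.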
@@ -368,7 +368,28 @@ class PluginsService
 }
 // 安全判断
- if(MyConfig('shopxo.is_develop') === false && RequestModule() == 'admin')
+ $ret = self::PluginsLegalCheck($plugins);
+ if($ret['code'] != 0)
+ {
+ return $ret;
+ }
+
+ // 调用对应插件
+ return DataReturn('success', 0, $obj->$action($params));
+ }
+
+ /**
+ * 插件安全判断
+ * @author Devil
+ * @blog http://gong.gg/
+ * @version 1.0.0
+ * @date 2023-05-26
+ * @desc description
+ * @param [string] $plugins [插件标识]
+ */
+ public static function PluginsLegalCheck($plugins)
+ {
+ if(RequestModule() == 'admin')
 {
 $key = 'plugins_legal_check_'.$plugins;
 $ret = MyCache($key);
@@ -379,7 +400,6 @@ class PluginsService
 {
 return DataReturn(MyLang('common_service.plugins.plugins_call_config_error_tips'), -1);
 }
-
 $check_params = [
 'type' => 'plugins',
 'config' => $config,
@@ -395,9 +415,7 @@ class PluginsService
 return $ret;
 }
 }
-
- // 调用对应插件
- return DataReturn('success', 0, $obj->$action($params));
+ return DataReturn('success', 0);
 }
 /**
diff --git a/app/service/PluginsUpgradeService.php b/app/service/PluginsUpgradeService.php
index 95ecc41db..8b126fd52 100644
--- a/app/service/PluginsUpgradeService.php
+++ b/app/service/PluginsUpgradeService.php
@@ -12,6 +12,7 @@ namespace app\service;
 use think\facade\Db;
 use app\service\PluginsAdminService;
+use app\service\PluginsService;
 use app\service\PaymentService;
 use app\service\ThemeService;
 use app\service\AppMiniService;
@@ -244,6 +245,7 @@ class PluginsUpgradeService
 {
 // 功能插件
 case 'plugins' :
+ // 获取配置
 $config = PluginsAdminService::GetPluginsConfig(self::$params['plugins_value']);
 if(empty($config) || empty($config['base']))
 {
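Review bot: Extracting the check into the public PluginsLegalCheck also drops the `MyConfig('shopxo.is_develop') === false` condition that the removed line carried, so the store check now runs (and is cached for 3600s) in develop mode as well; if that is intentional it belongs in the docblock, and if not, restoring the condition inside the new method lets all four callers inherit it. The `@desc description` line is a placeholder; callers now rely on this contract, so state it: `@desc Verifies the plugin against the store; only a real check in the admin module, returns success unconditionally elsewhere; result cached for 3600s`. The caller's `if($ret['code'] != 0)` is a loose comparison under which a null or missing `code` reads as success; `!== 0` fails closed. PluginsCall starts before this hunk, and the cache/`in_array` part of PluginsLegalCheck lies between this hunk and the `@@ -379` and `@@ -395` hunks.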
@@ -252,10 +254,17 @@ class PluginsUpgradeService
 self::$params['plugins_config'] = $config;
 self::$params['plugins_ver'] = $config['base']['version'];
 self::$params['plugins_author'] = $config['base']['author'];
+ // 安全校验
+ $ret = PluginsService::PluginsLegalCheck(self::$params['plugins_value']);
+ if($ret['code'] != 0)
+ {
+ return $ret;
+ }
 break;
 // 支付插件
 case 'payment' :
+ // 获取配置
 $config = PaymentService::GetPaymentConfig(self::$params['plugins_value']);
 if(empty($config))
 {
@@ -264,10 +273,17 @@ class PluginsUpgradeService
 self::$params['plugins_config'] = $config['base'];
 self::$params['plugins_ver'] = $config['base']['version'];
 self::$params['plugins_author'] = $config['base']['author'];
+ // 安全校验
+ $ret = PaymentService::PaymentLegalCheck(self::$params['plugins_value']);
+ if($ret['code'] != 0)
+ {
+ return $ret;
+ }
 break;
 // web主题
 case 'webtheme' :
+ // 获取配置
 $config = ThemeService::ThemeConfig(self::$params['plugins_value']);
 if($config['code'] != 0)
 {
@@ -276,10 +292,17 @@ class PluginsUpgradeService
 self::$params['plugins_config'] = $config['data'];
 self::$params['plugins_ver'] = $config['data']['ver'];
 self::$params['plugins_author'] = $config['data']['author'];
+ // 安全校验
+ $ret = ThemeService::ThemeLegalCheck(self::$params['plugins_value']);
+ if($ret['code'] != 0)
+ {
+ return $ret;
+ }
 break;
 // 小程序主题
 case 'minitheme' :
+ // 获取配置
 if(empty(self::$params['plugins_terminal']))
 {
 return DataReturn(MyLang('common_service.pluginsupgrade.terminal_not_appoint_error_tips'), -1);
diff --git a/app/service/ThemeService.php b/app/service/ThemeService.php
index 6fd2046a4..27e683271 100755
--- a/app/service/ThemeService.php
+++ b/app/service/ThemeService.php
@@ -12,6 +12,8 @@ namespace app\service;
 use think\facade\Db;
 use app\service\ResourcesService;
+use app\service\ConfigService;
+use app\service\StoreService;
 /**
 * 主题服务层
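Review bot: In the `@@ -276` hunk the `minitheme` branch gains only the `// 获取配置` comment, while the plugins, payment and webtheme branches each gain a `// 安全校验` gate; unless a check follows outside the hunk, mini-program themes are upgraded without a legality check. If that is deliberate, say so next to the case so the gap is not read as an oversight: `// minitheme: no store legality check (confirm this is intended)`. Each added check also re-loads the configuration the preceding lines already stored in `self::$params['plugins_config']` (PaymentLegalCheck calls GetPaymentConfig and ThemeLegalCheck calls ThemeConfig internally); that is only a cost, but a comment such as `// the check re-reads config from disk on purpose; do not pass request-supplied config into it` would keep a later optimisation from weakening it. The enclosing switch continues past this hunk.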
@@ -241,6 +243,32 @@ class ThemeService
 return DataReturn(MyLang('install_success'), 0);
 }
+ /**
+ * 主题切换保存
+ * @author Devil
+ * @blog http://gong.gg/
+ * @version 1.0.0
+ * @date 2023-05-26
+ * @desc description
+ * @param [array] $params [输入参数]
+ */
+ public static function ThemeSwitch($params = [])
+ {
+ // 主题标识
+ $theme = empty($params['theme']) ? 'default' : $params['theme'];
+
+ // 安全判断
+ $ret = self::ThemeLegalCheck($theme);
+ if($ret['code'] != 0)
+ {
+ return $ret;
+ }
+
+ // 切换配置
+ $params['common_default_theme'] = $theme;
+ return ConfigService::ConfigSave($params);
+ }
+
 /**
 * 模板删除
 * @author Devil
@@ -330,6 +358,13 @@ class ThemeService
 return DataReturn(MyLang('common_service.theme.theme_name_error_tips'), -1);
 }
+ // 安全判断
+ $ret = self::ThemeLegalCheck($theme);
+ if($ret['code'] != 0)
+ {
+ return $ret;
+ }
+
 // 获取配置信息
 $config_res = self::ThemeConfig($theme);
 if($config_res['code'] != 0)
@@ -402,6 +437,47 @@ class ThemeService
 }
 }
+ /**
+ * 主题安全判断
+ * @author Devil
+ * @blog http://gong.gg/
+ * @version 1.0.0
+ * @date 2023-05-26
+ * @desc description
+ * @param [string] $theme [主题标识]
+ */
+ public static function ThemeLegalCheck($theme)
+ {
+ if(RequestModule() == 'admin')
+ {
+ $key = 'theme_legal_check_'.$theme;
+ $ret = MyCache($key);
+ if(empty($ret))
+ {
+ $config_res = self::ThemeConfig($theme);
+ if($config_res['code'] != 0)
+ {
+ return $config_res;
+ }
+ $config = $config_res['data'];
+ $check_params = [
+ 'type' => 'webtheme',
+ 'config' => $config,
+ 'plugins' => $theme,
+ 'author' => $config['author'],
+ 'ver' => isset($config['version']) ? $config['version'] : $config['ver'],
+ ];
+ $ret = StoreService::PluginsLegalCheck($check_params);
+ MyCache($key, $ret, 3600);
+ }
+ if(!in_array($ret['code'], [0, -9999]))
+ {
+ return $ret;
+ }
+ }
+ return DataReturn('success', 0);
+ }
+
 /**
 * 主题配置信息
 * @author Devil
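Review bot: ThemeSwitch hands the whole request array to `ConfigService::ConfigSave($params)`, whereas the controller code it replaces (the Theme.php hunk) built a fresh `$params` holding only `common_default_theme`; if ConfigSave persists every key it receives, any other key an admin request carries is now written as configuration. Keep the old narrowing: `return ConfigService::ConfigSave(['common_default_theme' => $theme]);`. Separately, `$theme` goes straight from `$params['theme']` into the cache key `'theme_legal_check_'.$theme` and into ThemeConfig, while the delete path just before the `@@ -330` hunk rejects bad names with `theme_name_error_tips` before doing the same; applying that name check in ThemeSwitch before ThemeLegalCheck keeps the two paths consistent. ThemeConfig is outside this diff, so whether it rejects malformed identifiers on its own is not visible here.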