
Kenvix / Tieba-Cloud-Sign

CSRF error when logging out of the system normally

Backlog
Opened this issue  
2017-01-28 23:56

Cloud Sign version: 4.8 (upgraded in place from 4.4a)
When logging out, the message "CSRF防御:错误的请求来源" (CSRF defence: wrong request origin) is shown and logging out is impossible.

Comments (2)

476210180 created task

OK, I think the CSRF determination is the problem. At least in my deployment environment,
$_SERVER['SERVER_NAME'] comes out as '_', so the comparison that follows can never pass.
But in this deployment environment $_SERVER['HTTP_HOST'] does have a value, in host:port format.
So locally I changed it to compare $p['host'] with $_SERVER['SERVER_NAME'], and at the same time $p['host'].":".$p['port'] with $_SERVER['HTTP_HOST'].

The file is lib/sfc.functions.php; the final check is changed roughly like this (I haven't written PHP in over ten years, bear with me...)

<?php
// Assumption: $p is the Referer parsed with parse_url(), as earlier in lib/sfc.functions.php
$p = parse_url($_SERVER['HTTP_REFERER']);
$host = $p['host'];
$server = $_SERVER['SERVER_NAME'];
$httphost = $_SERVER['HTTP_HOST'];
$hostport = $p['host'];
// HTTP_HOST carries an explicit port, so compare against the Referer's host:port as well
if(strpos($httphost, ":") !== false) {
	$hostport = $hostport.":".(isset($p['port']) ? $p['port'] : '');
}
// Reject only when both the SERVER_NAME and the HTTP_HOST comparisons fail
if($host != $server && $hostport != $httphost) msg('CSRF防御:错误的请求来源<a href="https://git.oschina.net/kenvix/Tieba-Cloud-Sign/wikis/%E5%85%B3%E4%BA%8E%E4%BA%91%E7%AD%BE%E5%88%B0CSRF%E9%98%B2%E5%BE%A1" target="_blank">了解更多关于CSRF防御...</a>');
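The comparison above still depends on $_SERVER['SERVER_NAME'], which the reporter saw set to '_'. As an added example (not the project's code, and not the commenter's patch), the check below relies only on HTTP_HOST and normalises the port on both sides, so "host" and "host:80" compare equal; the function name and the sample request array are constructed for illustration and it assumes PHP 7 or later.

```php
<?php
// Added example: Referer-vs-Host origin check that does not use SERVER_NAME
// (which some deployments report as '_') and compares host:port on both sides.
// Hypothetical function name; not part of Tieba-Cloud-Sign.
function referer_matches_host(array $server): bool
{
    // Missing Referer or Host: fail closed; the caller may fall back to a token check.
    if (empty($server['HTTP_REFERER']) || empty($server['HTTP_HOST'])) {
        return false;
    }
    $ref = parse_url($server['HTTP_REFERER']);
    if ($ref === false || empty($ref['host'])) {
        return false;
    }
    $scheme  = strtolower($ref['scheme'] ?? 'http');
    $refPort = $ref['port'] ?? ($scheme === 'https' ? 443 : 80);

    // HTTP_HOST may be "host" or "host:port"; supply the default port from the
    // request scheme so both sides are compared as host:port.
    // (Bracketed IPv6 literals in HTTP_HOST are not handled by this split.)
    $hostPort = explode(':', $server['HTTP_HOST'], 2);
    $reqHost  = $hostPort[0];
    $reqHttps = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $reqPort  = isset($hostPort[1]) ? (int)$hostPort[1] : ($reqHttps ? 443 : 80);

    return strcasecmp($ref['host'], $reqHost) === 0 && $refPort === $reqPort;
}

// Constructed request: SERVER_NAME is '_' (would fail the original comparison),
// HTTP_HOST carries an explicit port, Referer omits the default port.
$sample = [
    'SERVER_NAME'  => '_',
    'HTTP_HOST'    => 'sign.example.test:80',
    'HTTP_REFERER' => 'http://sign.example.test/index.php',
];
var_dump(referer_matches_host($sample));

// Same request with a Referer from another host: must be rejected.
$cross = $sample;
$cross['HTTP_REFERER'] = 'http://other.example.test/';
var_dump(referer_matches_host($cross));
```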
