
Security issue with creating a Thread #28


Open
poplite opened this issue Jun 24, 2018 · 2 comments

Comments

@poplite
Contributor

poplite commented Jun 24, 2018

No verification of any kind is performed when creating a Thread, so anyone can call createthread.php directly and create arbitrary Threads.

Also, appending an arbitrary parameter (e.g. ?123) to the URL of a page that has the comment box deployed brings up the create-Thread dialog: (it seems that any setup which uses the page URL as the Identifier has the same problem)

Suggestion: check the identity of the user creating the Thread on the server side, allow only administrators to create Threads, and return an error otherwise.

@fooleap
Owner

fooleap commented Jun 26, 2018

Yes, if no unique url is specified, adding a query string makes the page count as a different page. That is a problem.
The user's identity is not yet verified when creating a thread, mainly because some bloggers themselves are not in an environment where they can get around the firewall; I am still thinking about how to handle authentication in a setup without such access.

@achuanya

If the blog has no use for GET parameters, just strip them..... put this before head

```js
// Drop the query string from the current URL without reloading, so that
// the page URL picked up as the Disqus identifier no longer varies with "?..."
var url = decodeURI(window.location);
url = url.split('?')[0];

// Rewrite the address bar in place; the page itself is not re-requested
window.history.pushState({}, 0, url);
```
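The client-side rewrite above only changes what the browser sends; anyone can still POST to createthread.php directly, which is the first point raised in this issue. The sketch below is an added example (not code from this project or from any of the commenters) of the two server-side checks the thread suggests: refuse thread creation unless the caller is an authenticated administrator, and canonicalize the page URL before using it as the Disqus identifier so that `?123` does not become a new thread. The session flag name (`is_admin`), the request parameter name (`url`), and the JSON response shape are assumptions for illustration.

```php
<?php
// Added example, not part of the project. Sketches server-side hardening
// for an endpoint like createthread.php: (1) only an authenticated admin
// may create a thread, (2) the page URL is canonicalized before it is used
// as a Disqus identifier. Session key, parameter name and response shape
// are assumptions.

declare(strict_types=1);

/**
 * Strip query string and fragment from a page URL and normalize it, so that
 * https://example.com/post/?123 and https://example.com/post/#top both map
 * to https://example.com/post. Returns null for anything that is not an
 * absolute http(s) URL.
 */
function canonicalIdentifier(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $host = strtolower($parts['host']);
    $port = isset($parts['port']) ? ':' . $parts['port'] : '';
    $path = $parts['path'] ?? '/';
    // Collapse a trailing slash (except for the bare root) so that
    // "/post" and "/post/" refer to the same thread.
    if ($path !== '/') {
        $path = rtrim($path, '/');
    }
    return $scheme . '://' . $host . $port . $path;
}

/**
 * Decide whether the caller may create a thread. The 'is_admin' session
 * flag is an assumption; it would be set by whatever admin login the site
 * uses. Anonymous or non-admin callers get false.
 */
function canCreateThread(array $session): bool
{
    return ($session['is_admin'] ?? false) === true;
}

// Request handling: only runs when the script is served over HTTP, so the
// functions above can also be included and unit-tested from the CLI.
if (PHP_SAPI !== 'cli') {
    session_start();
    header('Content-Type: application/json; charset=utf-8');

    if (!canCreateThread($_SESSION)) {
        // Reject before touching any request data or the Disqus API.
        http_response_code(403);
        echo json_encode(['code' => 403, 'message' => 'only an administrator may create a thread']);
        exit;
    }

    $identifier = canonicalIdentifier($_POST['url'] ?? '');
    if ($identifier === null) {
        http_response_code(400);
        echo json_encode(['code' => 400, 'message' => 'invalid page url']);
        exit;
    }

    // Here the real endpoint would call the Disqus threads/create API with
    // $identifier and the thread title; this example only echoes the result.
    echo json_encode(['code' => 0, 'identifier' => $identifier]);
}
```

Because the admin check rests on a session cookie, the same endpoint should also carry a CSRF token (or rely on a SameSite cookie), otherwise a logged-in administrator visiting a hostile page could be made to create threads; and if the blog lives on a single host, `canonicalIdentifier` can additionally reject any host other than that one.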
