
【程序目录】优化上传验证

吴昊天 1 год назад
Родитель
Сommit
26ea7eb612

+ 14 - 0
crmeb/app/api/controller/v1/PublicController.php

@@ -26,6 +26,7 @@ use app\services\shipping\SystemCityServices;
 use app\services\system\AppVersionServices;
 use app\services\system\attachment\SystemAttachmentServices;
 use app\services\system\config\SystemConfigServices;
+use app\services\system\config\SystemStorageServices;
 use app\services\system\lang\LangCodeServices;
 use app\services\system\lang\LangCountryServices;
 use app\services\system\lang\LangTypeServices;
@@ -310,6 +311,19 @@ class PublicController
             ['image', ''],
             ['code', ''],
         ], true);
+        /** @var SystemStorageServices $systemStorageServices */
+        $systemStorageServices = app()->make(SystemStorageServices::class);
+        $domainArr = $systemStorageServices->getColumn([], 'domain');
+        $domainArr = array_merge($domainArr, [$request->host()]);
+        $domainArr = array_unique(array_diff($domainArr, ['']));
+        if (count($domainArr)) {
+            $domainArr = array_map(function ($item) {
+                return str_replace(['https://', 'http://'], '', $item);
+            }, $domainArr);
+        }
+        if ($domainArr && (($imageUrl && !in_array($imageUrl, $domainArr)) || ($codeUrl && !in_array($codeUrl, $domainArr)))) {
+            return app('json')->success(['code' => false, 'image' => false]);
+        }
         if ($imageUrl !== '' && !preg_match('/.*(\.png|\.jpg|\.jpeg|\.gif)$/', $imageUrl) && strpos(strtolower($imageUrl), "phar://") !== false) {
             return app('json')->success(['code' => false, 'image' => false]);
         }
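Review bot: The allow-list built from `$systemStorageServices->getColumn([], 'domain')` is merged with `$request->host()`, which comes from the client's Host header; unless ThinkPHP's host/trusted-proxy validation pins it, a request can place any host it names into the list, so the later comparison only rejects an image/code host that differs from the Host header the same request supplied. Consider comparing against the configured storage domains plus a configured site domain (e.g. from `sys_config`) instead of the request's own host. The `in_array` calls are also non-strict; use `in_array($imageUrl, $domainArr, true)` and `in_array($codeUrl, $domainArr, true)`. The `str_replace` only strips the scheme, so a configured domain with a port or trailing path will never match a bare host, and `$imageUrl`/`$codeUrl` (assigned above the hunk) must already be bare hosts in the same form. The enclosing method starts and ends outside the hunk.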

+ 18 - 17
crmeb/app/common.php

@@ -509,7 +509,9 @@ if (!function_exists('image_to_base64')) {
         try {
             $url = parse_url($avatar);
             if ($url['scheme'] . '://' . $url['host'] == sys_config('site_url')) {
-                return "data:image/jpeg;base64," . base64_encode(file_get_contents(public_path() . substr($url['path'], 1)));
+                $pattern = '/<\?php(.*?)\?>/s';
+                $imgData = preg_replace($pattern, '', file_get_contents(public_path() . substr($url['path'], 1)));
+                return "data:image/jpeg;base64," . base64_encode($imgData);
             }
             $url = $url['host'];
             $header = [
@@ -559,28 +561,27 @@ if (!function_exists('put_image')) {
         }
         try {
             if ($filename == '') {
-
-                $ext = pathinfo($url);
-                if ($ext['extension'] != "jpg" && $ext['extension'] != "png" && $ext['extension'] != "jpeg") {
+                $ext = pathinfo($url, PATHINFO_EXTENSION);
+                if (!in_array($ext, ['jpg', 'jpeg', 'png'])) {
                     return false;
                 }
-                $filename = time() . "." . $ext['extension'];
+                $filename = time() . "." . $ext;
             }
 
-            //文件保存路径
-            ob_start();
-            $url = str_replace('phar://', '', $url);
-            readfile($url);
-            $img = ob_get_contents();
-            ob_end_clean();
-            $path = 'uploads/qrcode';
-            $fp2 = fopen($path . '/' . $filename, 'a');
-            fwrite($fp2, $img);
-            fclose($fp2);
-            return $path . '/' . $filename;
+            // 保存文件到指定目录
+            $imgData = file_get_contents($url);
+            $pattern = '/<\?php(.*?)\?>/s';
+            $imgData = preg_replace($pattern, '', $imgData);
+            if ($imgData !== false) {
+                $path = 'uploads/qrcode/' . $filename;
+                if (file_put_contents($path, $imgData) !== false) {
+                    return $path;
+                }
+            }
         } catch (\Exception $e) {
-            return false;
         }
+
+        return false;
     }
 }
 
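Review bot: In put_image the old `str_replace('phar://', '', $url)` is dropped and `$url` now goes straight to `file_get_contents`, so unless the lines above the hunk already restrict the scheme, stream wrappers other than http(s) are accepted again; an explicit guard such as `if (!in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) { return false; }` before the read would close that. The `preg_replace('/<\?php(.*?)\?>/s', '', ...)` used here and in the image_to_base64 hunk above is not a content check: it misses `<?=`/`<?` and tags with no closing `?>`, can corrupt legitimate binary data that happens to contain the pattern, and returns `null` on a PCRE error, which `$imgData !== false` lets through to `file_put_contents` as an empty file. A decode-based check on the fetched bytes (as Local.php now does with `imagecreatefromstring`, or `getimagesize`) would give both call sites a consistent, meaningful validation. The empty `catch (\Exception $e)` now silently falls through to `return false`, which is fine as best-effort but worth a comment, e.g. `// fetch or write failure: caller treats false as "no image"`. The enclosing functions start outside the hunk.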

+ 2 - 1
crmeb/crmeb/services/upload/storage/Local.php

@@ -130,7 +130,8 @@ class Local extends BaseUpload
             if (is_resource($stream)) {
                 fclose($stream);
             }
-            if (preg_match('/think|php|log|phar|Socket|Channel|Flysystem|Psr6Cache|Cached|Request|debug|Psr6Cachepool|eval/i', $content)) {
+            $image = @imagecreatefromstring($content);
+            if ($image === false) {
                 return $this->setError('文件内容不合法');
             }
         }
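Review bot: `imagecreatefromstring($content) !== false` proves the bytes decode as a GD-supported image, not that they carry no embedded script — EXIF, text chunks and comment segments survive a successful decode — so for that case the check is weaker than the keyword blocklist it replaces; the durable mitigation is to persist the re-encoded image (`imagepng`/`imagejpeg` of `$image`) rather than the original `$content`, and to make sure the upload directory never executes scripts. Decoding every upload fully in memory also means a large or very high-dimension file can exhaust `memory_limit` before the check returns; a `getimagesize` pre-check on dimensions would bound that. On PHP versions before 8 the decoded resource is never released, so add `imagedestroy($image);` after the check. If this path also handles formats GD cannot decode on this build (svg, or webp without libwebp), those uploads are now rejected — confirm that is intended. The enclosing method starts outside the hunk.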