修复外链跳转的一些安全问题

zblogcn · Oct 9, 2023 · 29837f5 · 29837f5
1 parent 864242d
commit 29837f5
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 17 deletions.
diff --git a/zb_system/defend/default/external-link.php b/zb_system/defend/default/external-link.php
@@ -53,6 +53,7 @@
             padding: 12px;
             background: #f7f8f9;
             color: #a3a3a3;
+            line-height: 1.6;
         }
 
         .link {
@@ -63,7 +64,7 @@
             vertical-align: middle;
         }
 
-        @media (max-width: 620px) {
+        @media (max-width: 490px) {
             body {
                 font-size: 14px;
             }
@@ -79,7 +80,7 @@
             border-radius: 3px;
         }
 
-        @media (max-width: 620px) {
+        @media (max-width: 490px) {
             .button {
                 font-size: 16px;
             }
@@ -97,7 +98,7 @@
             margin: auto;
             padding-left: 30px;
             padding-right: 30px;
-            max-width: 540px;
+            max-width: 420px;
             padding-top: 25px;
             padding-bottom: 25px;
             background: #fff;
@@ -106,7 +107,7 @@
             border: 1px solid #E1E1E1;
         }
 
-        @media (max-width: 620px) {
+        @media (max-width: 490px) {
             .wrapper {
                 margin: 0 10px;
             }
@@ -121,7 +122,7 @@
             text-align: center;
         }
 
-        @media (max-width: 620px) {
+        @media (max-width: 490px) {
             h1 {
                 font-size: 18px;
             }

diff --git a/zb_system/function/c_system_route.php b/zb_system/function/c_system_route.php
@@ -1798,6 +1798,13 @@ function ViewExternalLink()
 
     $args = func_get_arg(0);
     $ok = true;
+
+    // 检查来源
+    $referer = GetVars('HTTP_REFERER', 'SERVER');
+    if (!is_null($referer) && strpos($referer, $zbp->host) !== 0) {
+        $ok = false;
+    }
+
     if (!isset($args['_route']['args'][0]) || $args['_route']['args'][0]['name'] !== 'external_link') {
         $ok = false;
     }
@@ -1806,6 +1813,7 @@ function ViewExternalLink()
     if (!isset($parsed_url['host'])) {
         $ok = false;
     }
+    $link = FormatString($link, '[nohtml][noscript]');
 
     $template = &$zbp->GetTemplate();
     $template->SetTags('title', $zbp->title);

diff --git a/zb_system/function/lib/zblogphp.php b/zb_system/function/lib/zblogphp.php
@@ -913,15 +913,6 @@ public function Initialize()
         $this->LoadPostType();
         $this->LoadRoutes();
 
-        $this->RegRoute(array(
-            'posttype' => 0,
-            'type' => 'active',
-            'name' => 'post_article_view_external_link',
-            'call' => 'ViewExternalLink',
-            'urlrule' => '',
-            'must_get' => array('external_link'),
-        ));
-
         $this->themeapp = new App();
         $this->themeinfo = $this->themeapp->GetInfoArray();
 

diff --git a/zb_users/language/en.php b/zb_users/language/en.php
@@ -285,7 +285,7 @@
         'enable_login_csrfcheck'            => 'Enable Login CSRF Token Verification',
         'enable_login_verify'               => 'Enable Login Captcha',
         'external_link_about_to_leave'      => 'About to leave',
-        'external_link_info'                => 'About to redirect to an external link, please pay attention to the security of your account and property.',
+        'external_link_info'                => 'About to redirect to an external link, please pay attention to the security of your account and property. We are not responsible for the security and content of this website.',
         'external_link_no_url_error'        => 'The page you are visiting cannot be opened due to unknown reasons.',
         'external_link_continue'            => 'Continue',
         ''                                  => '',

diff --git a/zb_users/language/zh-cn.php b/zb_users/language/zh-cn.php
@@ -284,7 +284,7 @@
         'enable_login_csrfcheck'            => '启用登录CSRF Token校验',
         'enable_login_verify'               => '启用登录验证码功能',
         'external_link_about_to_leave'      => '即将离开',
-        'external_link_info'                => '即将跳转到外部网站，请注意您的账号和财产安全。',
+        'external_link_info'                => '即将跳转到外部网站。我们不对该网站的安全性和内容负责，请注意您的账号和财产安全。',
         'external_link_no_url_error'        => '您所访问的页面由于未知原因无法打开',
         'external_link_continue'            => '继续访问',
         ''                                  => '',

diff --git a/zb_users/language/zh-tw.php b/zb_users/language/zh-tw.php
@@ -288,7 +288,7 @@
         'enable_login_csrfcheck'            => '啟用登入CSRF Token校驗',
         'enable_login_verify'               => '啟用登入驗證碼功能',
         'external_link_about_to_leave'      => '即將離開',
-        'external_link_info'                => '即將跳轉到外部網站，請注意您的帳號和財產安全。',
+        'external_link_info'                => '即將跳轉到外部網站。我們不對該網站的安全性和內容負責，請注意您的帳號和財產安全。',
         'external_link_no_url_error'        => '您所訪問的頁面由於未知原因無法打開',
         'external_link_continue'            => '繼續訪問',
         ''                                  => '',