1818import public
1919from flask import Flask ,current_app ,session ,render_template ,send_file ,request ,redirect ,g ,url_for ,make_response ,render_template_string ,abort
2020from flask_session import Session
21-
2221try :
2322 from werkzeug .contrib .cache import SimpleCache
2423except :
3332Compress (app )
3433sockets = Sockets (app )
3534
36-
3735import common
3836import db
3937import jobs
150148 ]
151149if admin_path in admin_path_checks : admin_path = '/bt'
152150
153- @app .route ('/service_status' ,methods = method_get )
151+ @app .route ('/service_status' ,methods = method_all )
154152def service_status ():
155153 return 'True'
156154
@@ -176,7 +174,7 @@ def webssh(ws):
176174 session ['ssh_obj' ].run (ws ,session ['ssh_info' ])
177175
178176
179- @app .route ('/term_open' ,methods = method_all )
177+ @app .route ('/term_open' ,methods = method_get )
180178def term_open ():
181179 comReturn = comm .local ()
182180 if comReturn : return comReturn
@@ -212,9 +210,18 @@ def reload_mod():
212210
213211@app .before_request
214212def request_check ():
215- #if not public.path_safe_check(request.path): return abort(404)
213+ #路由和URI长度过滤
214+ if len (request .path ) > 64 : return abort (403 )
215+ if len (request .url ) > 256 : return abort (403 )
216216 if request .path in ['/service_status' ]: return
217217
218+ #POST参数过滤
219+ if request .path in ['/login' ,'/safe' ,'/hook' ,'/public' ,'/down' ,'/get_app_bind_status' ,'/check_bind' ]:
220+ pdata = request .form .to_dict ()
221+ for k in pdata .keys ():
222+ if len (k ) > 32 : return abort (403 )
223+ if len (pdata [k ]) > 128 : return abort (403 )
224+
218225 if not request .path in ['/safe' ,'/hook' ,'/public' ,'/mail_sys' ,'/down' ]:
219226 ip_check = public .check_ip_panel ()
220227 if ip_check : return ip_check
@@ -291,6 +298,29 @@ def login():
291298 is_auth_path = False
292299 if admin_path != '/bt' and os .path .exists (admin_path_file ) and not 'admin_auth' in session :
293300 is_auth_path = True
301+
302+ #登录输入验证
303+ if request .method == method_post [0 ]:
304+ v_list = ['username' ,'password' ,'code' ,'vcode' ,'cdn_url' ]
305+ for v in v_list :
306+ pv = request .form .get (v ,'' ).strip ()
307+ if v == 'cdn_url' :
308+ if len (pv ) > 32 : return public .returnMsg (False ,'Wrong parameter length!' )
309+ continue
310+
311+ if not pv : continue
312+ p_len = 32
313+ if v == 'code' : p_len = 4
314+ if v == 'vcode' : p_len = 6
315+ if len (pv ) != p_len :
316+ return public .returnJson (False ,'Wrong parameter length' ),json_header
317+ if not re .match (r"^\w+$" ,pv ):
318+ return public .returnJson (False ,'Wrong parameter format' ),json_header
319+
320+ for n in request .form .keys ():
321+ if not n in v_list :
322+ return public .returnJson (False ,'You cannot have extra parameters in the login parameters' ),json_header
323+
294324 get = get_input ()
295325 import userlogin
296326 if hasattr (get ,'tmp_token' ):
@@ -840,6 +870,10 @@ def panel_public():
840870 if panelWaf_data .is_xss (get .__dict__ ):return 'ERROR'
841871 except :
842872 pass
873+
874+ if len ("{}" .format (get .__dict__ )) > 1024 * 32 :
875+ return 'ERROR'
876+
843877 get .client_ip = public .GetClientIp ()
844878 if not hasattr (get ,'name' ): get .name = ''
845879 if not hasattr (get ,'fun' ): return abort (404 )
@@ -1093,6 +1127,8 @@ def download():
10931127 comReturn = comm .local ()
10941128 if comReturn : return comReturn
10951129 filename = request .args .get ('filename' )
1130+ if filename .find ('|' ) != - 1 :
1131+ filename = filename .split ('|' )[1 ]
10961132 if not filename : return public .ReturnJson (False ,"INIT_ARGS_ERR" ),json_header
10971133 if filename in ['alioss' ,'qiniu' ,'upyun' ,'txcos' ,'ftp' ]: return panel_cloud ()
10981134 if filename in ['gdrive' ,'gcloud_storage' ]: return "Google storage products do not currently support downloads"
@@ -1210,17 +1246,24 @@ def panel_cloud():
12101246 comReturn = comm .local ()
12111247 if comReturn : return comReturn
12121248 get = get_input ()
1213- if not os .path .exists ('plugin/' + get .filename + '/' + get .filename + '_main.py' ):
1249+ _filename = get .filename
1250+ plugin_name = ""
1251+ if _filename .find ('|' ) != - 1 :
1252+ plugin_name = get .filename .split ('|' )[1 ]
1253+ else :
1254+ plugin_name = get .filename
1255+
1256+ if not os .path .exists ('plugin/' + plugin_name + '/' + plugin_name + '_main.py' ):
12141257 return public .returnJson (False ,'INIT_PLUGIN_NOT_EXISTS' ),json_header
1215- sys .path .append ('plugin/' + get . filename )
1216- plugin_main = __import__ (get . filename + '_main' )
1217- reload (plugin_main )
1218- tmp = eval ("plugin_main.%s_main()" % get . filename )
1258+ sys .path .append ('plugin/' + plugin_name )
1259+ plugin_main = __import__ (plugin_name + '_main' )
1260+ public . mod_reload (plugin_main )
1261+ tmp = eval ("plugin_main.%s_main()" % plugin_name )
12191262 if not hasattr (tmp ,'download_file' ): return public .returnJson (False ,'INIT_PLUGIN_NOT_DOWN_FUN' ),json_header
1220- if get .filename == 'ftp' :
1221- download_url = tmp .getFile (get .name )
1263+ download_url = tmp .download_file (get .name )
1264+ if plugin_name == 'ftp' :
1265+ if download_url .find ("ftp" ) != 0 :download_url = "ftp://" + download_url
12221266 else :
1223- download_url = tmp .download_file (get .name )
12241267 if download_url .find ('http' ) != 0 :download_url = 'http://' + download_url
12251268 return redirect (download_url )
12261269
0 commit comments