From 4880972d77b9c0fc3b25349cb03902913d33e9c6 Mon Sep 17 00:00:00 2001
From: HFO4 <912394456@qq.com>
Date: Mon, 11 Mar 2019 18:11:19 +0800
Subject: [PATCH] Feat: Referer check

---
 application/index/controller/Share.php        |  46 +++++-
 application/index/model/Avatar.php            |   2 +-
 application/index/view/home/album.html        |  82 -----------
 application/index/view/home/home.html         |   6 +-
 application/index/view/share/share_dir.html   |   9 +-
 application/index/view/share/share_lock.html  | 131 +++++++++++-------
 .../index/view/share/share_lock_old.html      |  53 +++++++
 mysql.sql                                     |   5 +-
 8 files changed, 186 insertions(+), 148 deletions(-)
 delete mode 100644 application/index/view/home/album.html
 create mode 100644 application/index/view/share/share_lock_old.html

diff --git a/application/index/controller/Share.php b/application/index/controller/Share.php
index f373275f..f35f5534 100644
--- a/application/index/controller/Share.php
+++ b/application/index/controller/Share.php
@@ -16,7 +16,7 @@ class Share extends Controller{
 
 	public function _initialize(){
 		$this->userObj = new User(cookie('user_id'),cookie('login_key'));
-		$this->siteOptions = Option::getValues(["basic"]);
+		$this->siteOptions = Option::getValues(["basic","share"]);
 	}
 
 	public function index(){
@@ -54,12 +54,12 @@ class Share extends Controller{
 			}
 		}else{
 			return view('share_lock', [
-				'options'  => Option::getValues(['basic','share']),
+				'options'  => Option::getValues(['basic','share'],$this->userObj->userSQLData),
 				'userInfo' => $shareObj->shareOwner->userSQLData,
 				'fileData' => $shareObj->fileData,
 				'shareData' => $shareObj->shareData,
 				'loginStatus' => $this->userObj->loginStatus,
-				'userData' => $this->userObj->userSQLData,
+				'userData' => $this->userObj->getInfo(),
 				'pwd' => input("?get.pwd") ? input("get.pwd") : "",
 			]);
 		}
@@ -74,6 +74,12 @@ class Share extends Controller{
 	public function Download(){
 		$shareId = input('param.key');
 		$filePath = input('get.path');
+		if($this->siteOptions["refererCheck"]=="true"){
+			$check = $this->referCheck();
+			if(!$check){
+				$this->error("来源非法",403,$this->siteOptions);
+			}
+		}
 		$shareObj = new ShareHandler($shareId,false);
 		if(empty($filePath)){
 			$DownloadHandler = $shareObj->Download($this->userObj);
@@ -90,6 +96,12 @@ class Share extends Controller{
 	public function Content(){
 		$shareId = input('param.key');
 		$filePath = input('get.path');
+		if($this->siteOptions["refererCheck"]=="true"){
+			$check = $this->referCheck();
+			if(!$check){
+				$this->error("来源非法",403,$this->siteOptions);
+			}
+		}
 		$shareObj = new ShareHandler($shareId,false);
 		if(empty($filePath)){
 			$contentHandller = $shareObj->getContent($this->userObj,$filePath,false);
@@ -111,12 +123,26 @@ class Share extends Controller{
 				"msg" => "分享不存在"
 				);
 		}
-		return $shareObj->checkPwd($inputPwd);
+		return json($shareObj->checkPwd($inputPwd));
+	}
+
+	private function referCheck(){
+		$agent = Request::instance()->header('referer');
+		if(substr($agent, 0, strlen($this->siteOptions["siteURL"])) !== $this->siteOptions["siteURL"]){
+			return false;
+		}
+		return true;
 	}
 
 	public function Preview(){
 		$shareId = input('param.key');
 		$filePath = input('get.path');
+		if($this->siteOptions["refererCheck"]=="true"){
+			$check = $this->referCheck();
+			if(!$check){
+				$this->error("来源非法",403,$this->siteOptions);
+			}
+		}
 		$shareObj = new ShareHandler($shareId,false);
 		if(empty($filePath)){
 			$previewHandler = $shareObj->Preview($this->userObj);
@@ -154,6 +180,12 @@ class Share extends Controller{
 		if(input("get.isImg") != "true"){
 			return "";
 		}
+		if($this->siteOptions["refererCheck"]=="true"){
+			$check = $this->referCheck();
+			if(!$check){
+				$this->error("来源非法",403,$this->siteOptions);
+			}
+		}
 		$shareObj = new ShareHandler($shareId,false);
 		$Redirect = $shareObj->getThumb($this->userObj,$filePath);
 		if($Redirect[0]){
@@ -166,6 +198,12 @@ class Share extends Controller{
 	public function DocPreview(){
 		$shareId = input('param.key');
 		$filePath = urldecode(input('get.path'));
+		if($this->siteOptions["refererCheck"]=="true"){
+			$check = $this->referCheck();
+			if(!$check){
+				$this->error("来源非法",403,$this->siteOptions);
+			}
+		}
 		$shareObj = new ShareHandler($shareId,false);
 		if(empty($filePath)){
 			$Redirect = $shareObj->getDocPreview($this->userObj,$filePath,false);
diff --git a/application/index/model/Avatar.php b/application/index/model/Avatar.php
index 2eee3cbb..c889fb34 100644
--- a/application/index/model/Avatar.php
+++ b/application/index/model/Avatar.php
@@ -20,7 +20,7 @@ class Avatar extends Model{
 		if(!$new){
 			$userData = Db::name("users")->where('id',$obj)->find();
 			$this->userData = $userData;
-			if($userData["avatar"] == "default"){
+			if(empty($userData)||$userData["avatar"] == "default"){
 				$this->avatarType = "default";
 			}else{
 				$avatarPrarm = explode(".",$userData["avatar"]);
diff --git a/application/index/view/home/album.html b/application/index/view/home/album.html
deleted file mode 100644
index d414ee4f..00000000
--- a/application/index/view/home/album.html
+++ /dev/null
@@ -1,82 +0,0 @@
-<!DOCTYPE HTML>
-<!--
-	Multiverse by HTML5 UP
-	html5up.net | @ajlkn
-	Free for personal and commercial use under the CCA 3.0 license (html5up.net/license)
--->
-<html>
-	<head>
-		<title>图片集 - {$options.siteName}</title>
-		<meta charset="utf-8" />
-		<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
-		<!--[if lte IE 8]><script src="https://file.aoaoao.me/content/themes/material/pages/js/ie/html5shiv.js"></script><![endif]-->
-		<link rel="stylesheet" href="/static/css/main.css" />
-		  <link href="/static/css/font-awesome.min.css" rel="stylesheet">
-		<!--[if lte IE 9]><link rel="stylesheet" href="https://file.aoaoao.me/content/themes/material/pages/css/ie9.css" /><![endif]-->
-		<!--[if lte IE 8]><link rel="stylesheet" href="https://file.aoaoao.me/content/themes/material/pages/css/ie8.css" /><![endif]-->
-		<style type="text/css">
-			body{
-				font-family: "微软雅黑","黑体";
-			}
-		</style>
-	</head>
-
-	<body>
-
-		<!-- Wrapper -->
-			<div id="wrapper">
-			<!-- Header -->
-	
-					<div id="main">
-	    {volist name='list' id='pic'}
-								<article class="thumb">
-							<a href="/File/Preview?action=preview&path={$pic.dir|urlencode}/{$pic.orign_name|urlencode}" class="image"><img src="/File/Preview?action=preview&path={$pic.dir|urlencode}/{$pic.orign_name|urlencode}" alt="" /></a>
-							<h2>{$pic.orign_name}</h2>
-							
-						</article>	
-						{/volist}		
-					</div>
-				<header id="header">
-						<h1><a href="/Home"><strong>图片集</strong> {$options.siteName}</a></h1>
-						<nav>
-							<ul>
-								<li><a href="javascript:previous();" class="icon fa-arrow-circle-left">上一页</a></li>
-								{$page}/{$pageCount}								<li><a href="javascript:next();" class="icon fa-arrow-circle-right">下一页</a></li>
-							</ul>
-						</nav>
-					</header>
-
-				<!-- Main -->
-				<!-- Footer -->
-
-
-			</div>
-
-		<!-- Scripts -->
-			<script src = "/static/js/jquery.min.js"></script>
-			<script src="/static/js/jquery.poptrox.min.js"></script>
-			<script src="/static/js/skel.min.js"></script>
-			<script src="/static/js/util.js"></script>
-			<!--[if lte IE 8]><script src="assets/js/ie/respond.min.js"></script><![endif]-->
-			<script src="/static/js/album.js"></script>
-			<script type="text/javascript">
-			pageNow = {$page};
-			pageTotal = {$pageCount};
-				function next(){
-					if(pageNow == pageTotal){
-
-					}else{
-						window.location.href="/Home/Album?page="+(pageNow+1);
-					}
-				}
-				function previous(){
-					if(pageNow == 1){
-
-					}else{
-						window.location.href="/Home/Album?page="+(pageNow-1);
-					}
-				}
-			</script>
-{$options.js_code}
-	</body>
-</html> 
\ No newline at end of file
diff --git a/application/index/view/home/home.html b/application/index/view/home/home.html
index 5b44fc39..9e532817 100644
--- a/application/index/view/home/home.html
+++ b/application/index/view/home/home.html
@@ -79,10 +79,10 @@
 </body>
 <script src="http://192.168.123.19:3000/static/js/runtime~index.bundle.js"></script>
 <script src="http://192.168.123.19:3000/static/js/0.chunk.js"></script>
-<script src="http://192.168.123.19:3000/static/js/3.chunk.js"></script>
-<script src="http://192.168.123.19:3000/static/js/5.chunk.js"></script>
-<script src="http://192.168.123.19:3000/static/js/1.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/2.chunk.js"></script>
 <script src="http://192.168.123.19:3000/static/js/4.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/1.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/3.chunk.js"></script>
 <script src="http://192.168.123.19:3000/static/js/6.chunk.js"></script>
 <script src="http://192.168.123.19:3000/static/js/index.chunk.js"></script>
 
diff --git a/application/index/view/share/share_dir.html b/application/index/view/share/share_dir.html
index 251c4745..05f9714d 100644
--- a/application/index/view/share/share_dir.html
+++ b/application/index/view/share/share_dir.html
@@ -90,11 +90,12 @@
     -->
 </body>
 <script src="http://192.168.123.19:3000/static/js/runtime~folderShare.bundle.js"></script>
-<script src="http://192.168.123.19:3000/static/js/8.chunk.js"></script>
-<script src="http://192.168.123.19:3000/static/js/10.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/14.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/15.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/16.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/17.chunk.js"></script>
 <script src="http://192.168.123.19:3000/static/js/12.chunk.js"></script>
-<script src="http://192.168.123.19:3000/static/js/9.chunk.js"></script>
-<script src="http://192.168.123.19:3000/static/js/11.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/18.chunk.js"></script>
 <script src="http://192.168.123.19:3000/static/js/13.chunk.js"></script>
 <script src="http://192.168.123.19:3000/static/js/folderShare.chunk.js"></script>
 
diff --git a/application/index/view/share/share_lock.html b/application/index/view/share/share_lock.html
index 1beafaa3..00006e09 100644
--- a/application/index/view/share/share_lock.html
+++ b/application/index/view/share/share_lock.html
@@ -1,53 +1,80 @@
-{extend name="header_public" /}
-{block name="title"}私密分享 - {$options.siteName}{/block}
-{block name="content"}
-   <link rel="stylesheet" href="/static/css/share.css" />
-      <link rel="stylesheet" href="/static/css/lock.css" />
-        <script src="/static/js/jquery.color.js"></script>
-    </head>
-    <body data-ma-header="teal">
-        <nav class="navbar navbar-inverse" >
-            <div class="container-fluid">
-                <div class="container" >
-{include file="navbar_public" loginStatus=$loginStatus userData=$userData /}
-                <div class="header-panel shadow-z-2">
-                    <div class="container-fluid">
-                        <div class="row">
-                            
-                        </div>
-                    </div>
-                </div>
-                <div class="container main" >
-                    <div class="col-md-4"></div>
-                    <div class="col-md-4">
-                        <div class="jumbotron" >
-                            <div class="card_top">
-                                <div class="row top-color">
-                                    <div class="card-top-row">
-                                      加密分享
-                                    </div>
-                                </div>
-                            
-                            </div>
-                            
-                            <div class="card_botom">
-                                <div class="row bottom-width" align="right"> 
-                                 <input type="password" class="form-control" id="inputPassword" placeholder="请输入分享密码" value="{$pwd}">
-                                 <button href="javascript:void(0)" id="submit_pwd" class="btn btn-raised active"><i class="fa fa-arrow-right" aria-hidden="true"></i></button>
-                                </div>
-                            </div>
-                        </div>
-                        <div class="col-md-4"></div>
-                    </div>
-                </div>
-            </body>
-            <script src="/static/js/jquery.liMarquee.js"></script>
-            <script type="text/javascript">
-            shareInfo={
-            	shareId : "{$shareData.share_key}",
-            };
+<!DOCTYPE html>
+<html lang="zh-cn">
 
-            </script>
-            <script src="/static/js/lock.js"> </script>
-            {$options.js_code}
-            {/block}
\ No newline at end of file
+<head>
+    <meta charset="utf-8">
+    <link rel="shortcut icon" href="/favicon.ico">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="theme-color" content="{$options.themeColor}" />
+    <!--
+      manifest.json provides metadata used when your web app is added to the
+      homescreen on Android. See https://developers.google.com/web/fundamentals/web-app-manifest/
+    -->
+    <link rel="manifest" href="/manifest.json">
+    <!--
+      Notice the use of %PUBLIC_URL% in the tags above.
+      It will be replaced with the URL of the `public` folder during the build.
+      Only files inside the `public` folder can be referenced from the HTML.
+
+      Unlike "/favicon.ico" or "favicon.ico", "%PUBLIC_URL%/favicon.ico" will
+      work correctly both with client-side routing and a non-root public URL.
+      Learn how to configure a non-root public URL by running `npm run build`.
+    -->
+    <title>私密分享 - {$options.siteName}</title>
+    <script type="text/javascript">
+        colorTheme = {:json_encode($options["themeConfig"])};
+        isHomePage = false;
+        isSharePage = false;
+        pageId="shareLock";
+        userInfo = {
+            uid: {$userData.uid},
+            nick: "{$userData.userNick}",
+            email: "{$userData.userMail}",
+            group: "{$userData.groupData.group_name}",
+            groupId: {$userData.groupData.id},
+            groupColor: "{$userData.groupData.color}",
+        };
+        siteInfo = {
+            mainTitle: "{$options.siteName}",
+        };
+        uploadConfig = {
+            allowSource: false,
+            allowShare: false,
+            allowRemoteDownload: "0",
+            allowTorrentDownload: "0",
+        };
+        shareInfo={
+            shareDate : "{$shareData.share_time}",
+            shareId : "{$shareData.share_key}",
+            ownerUid:"{$userInfo.id}",
+            ownerNick:"{$userInfo.user_nick}",
+        };
+        isMobile = window.innerWidth < 600;
+    </script>
+</head>
+
+<body>
+
+    <noscript>
+      You need to enable JavaScript to run this app.
+    </noscript>
+    <div id="root"></div>
+    <!--
+      This HTML file is a template.
+      If you open it directly in the browser, you will see an empty page.
+
+      You can add webfonts, meta tags, or analytics to this file.
+      The build step will place the bundled scripts into the <body> tag.
+
+      To begin the development, run `npm start` or `yarn start`.
+      To create a production bundle, use `npm run build` or `yarn build`.
+    -->
+</body>
+<script src="http://192.168.123.19:3000/static/js/runtime~lock.bundle.js"></script>
+<script src="http://192.168.123.19:3000/static/js/0.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/2.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/20.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/1.chunk.js"></script>
+<script src="http://192.168.123.19:3000/static/js/lock.chunk.js"></script>
+
+</html>
\ No newline at end of file
diff --git a/application/index/view/share/share_lock_old.html b/application/index/view/share/share_lock_old.html
new file mode 100644
index 00000000..1beafaa3
--- /dev/null
+++ b/application/index/view/share/share_lock_old.html
@@ -0,0 +1,53 @@
+{extend name="header_public" /}
+{block name="title"}私密分享 - {$options.siteName}{/block}
+{block name="content"}
+   <link rel="stylesheet" href="/static/css/share.css" />
+      <link rel="stylesheet" href="/static/css/lock.css" />
+        <script src="/static/js/jquery.color.js"></script>
+    </head>
+    <body data-ma-header="teal">
+        <nav class="navbar navbar-inverse" >
+            <div class="container-fluid">
+                <div class="container" >
+{include file="navbar_public" loginStatus=$loginStatus userData=$userData /}
+                <div class="header-panel shadow-z-2">
+                    <div class="container-fluid">
+                        <div class="row">
+                            
+                        </div>
+                    </div>
+                </div>
+                <div class="container main" >
+                    <div class="col-md-4"></div>
+                    <div class="col-md-4">
+                        <div class="jumbotron" >
+                            <div class="card_top">
+                                <div class="row top-color">
+                                    <div class="card-top-row">
+                                      加密分享
+                                    </div>
+                                </div>
+                            
+                            </div>
+                            
+                            <div class="card_botom">
+                                <div class="row bottom-width" align="right"> 
+                                 <input type="password" class="form-control" id="inputPassword" placeholder="请输入分享密码" value="{$pwd}">
+                                 <button href="javascript:void(0)" id="submit_pwd" class="btn btn-raised active"><i class="fa fa-arrow-right" aria-hidden="true"></i></button>
+                                </div>
+                            </div>
+                        </div>
+                        <div class="col-md-4"></div>
+                    </div>
+                </div>
+            </body>
+            <script src="/static/js/jquery.liMarquee.js"></script>
+            <script type="text/javascript">
+            shareInfo={
+            	shareId : "{$shareData.share_key}",
+            };
+
+            </script>
+            <script src="/static/js/lock.js"> </script>
+            {$options.js_code}
+            {/block}
\ No newline at end of file
diff --git a/mysql.sql b/mysql.sql
index edc615c8..d3fb9e3d 100644
--- a/mysql.sql
+++ b/mysql.sql
@@ -203,8 +203,9 @@ INSERT INTO `sd_options` (`id`, `option_name`, `option_value`, `option_type`) VA
 (55, 'aria2_options', '{\"max-tries\":5}', 'aria2'),
 (56, 'task_queue_token', '', 'task'),
 (57, 'defaultTheme', '#3f51b5', 'basic'),
-(58, 'themes', '[{\"#3f51b5\":{\"palette\":{\"common\":{\"black\":\"#000\",\"white\":\"#fff\"},\"background\":{\"paper\":\"#fff\",\"default\":\"#fafafa\"},\"primary\":{\"light\":\"#7986cb\",\"main\":\"#3f51b5\",\"dark\":\"#303f9f\",\"contrastText\":\"#fff\"},\"secondary\":{\"light\":\"#ff4081\",\"main\":\"#f50057\",\"dark\":\"#c51162\",\"contrastText\":\"#fff\"},\"error\":{\"light\":\"#e57373\",\"main\":\"#f44336\",\"dark\":\"#d32f2f\",\"contrastText\":\"#fff\"},\"text\":{\"primary\":\"rgba(0, 0, 0, 0.87)\",\"secondary\":\"rgba(0, 0, 0, 0.54)\",\"disabled\":\"rgba(0, 0, 0, 0.38)\",\"hint\":\"rgba(0, 0, 0, 0.38)\"},\"explorer\":{\"filename\":\"#474849\",\"icon\":\"#8f8f8f\",\"bgSelected\":\"#D5DAF0\",\"emptyIcon\":\"#e8e8e8\"}}}}]\r\n', 'basic');
--- --------------------------------------------------------
+(58, 'themes', '[{\"#3f51b5\":{\"palette\":{\"common\":{\"black\":\"#000\",\"white\":\"#fff\"},\"background\":{\"paper\":\"#fff\",\"default\":\"#fafafa\"},\"primary\":{\"light\":\"#7986cb\",\"main\":\"#3f51b5\",\"dark\":\"#303f9f\",\"contrastText\":\"#fff\"},\"secondary\":{\"light\":\"#ff4081\",\"main\":\"#f50057\",\"dark\":\"#c51162\",\"contrastText\":\"#fff\"},\"error\":{\"light\":\"#e57373\",\"main\":\"#f44336\",\"dark\":\"#d32f2f\",\"contrastText\":\"#fff\"},\"text\":{\"primary\":\"rgba(0, 0, 0, 0.87)\",\"secondary\":\"rgba(0, 0, 0, 0.54)\",\"disabled\":\"rgba(0, 0, 0, 0.38)\",\"hint\":\"rgba(0, 0, 0, 0.38)\"},\"explorer\":{\"filename\":\"#474849\",\"icon\":\"#8f8f8f\",\"bgSelected\":\"#D5DAF0\",\"emptyIcon\":\"#e8e8e8\"}}}}]\r\n', 'basic'),
+(59, 'refererCheck', 'true', 'share');
+-- -------------------------------------------------------
 
 --
 -- 表的结构 `sd_policy`