Discuz! X3.4 / X3.2 concurrent credit-farming vulnerability fix: enable user credit information security, which prevents concurrent credit farming; credit operations that reach times (count) within second (seconds) cannot be submitted:
Update 2017.08.01: details synchronized.
Edit: /config/config_global.php
Find:

    $_config['security']['querysafe']['afullnote'] = '0';

Add on the line below it:

    $_config['security']['creditsafe']['second'] = 1; // enable user credit information security to prevent concurrent credit farming; operations reaching times (count) within second (seconds) cannot be submitted; default 0 = off
    $_config['security']['creditsafe']['times'] = 10;
Edit: /source/class/class_credit.php
Find:

    function updatemembercount($creditarr, $uids = 0, $checkgroup = true, $ruletxt = '') {

Add on the line above it:

    function frequencycheck($uids) {
        global $_G;
        // The check is disabled unless both creditsafe 'second' and 'times' are configured
        if(empty($_G['config']['security']['creditsafe']['second']) || empty($_G['config']['security']['creditsafe']['times'])) {
            return true;
        }
        foreach($uids as $uid) {
            // Per-user counter in the memory cache; each write restarts its expiry of 'second' seconds
            $key = 'credit_fc'.$uid;
            $v = intval(memory('get', $key));
            memory('set', $key, ++$v, $_G['config']['security']['creditsafe']['second']);
            if($v > $_G['config']['security']['creditsafe']['times']) {
                system_error('credit frequency limit', true);
                return false;
            }
        }
        return true;
    }
Find:

    if($uids && ($creditarr || $this->extrasql)) {

Add on the line above it:

    $this->frequencycheck($uids);
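The window logic of frequencycheck() modelled stand-alone, as an added example in Python that is not Discuz's own code; the TtlStore fake-clock cache and the simulate() helper are assumptions made for illustration. It also shows a property of the patch itself: because every memory('set') restarts the key's TTL, a user who keeps submitting never lets the counter expire, so the limit behaves as a cooldown rather than a fixed per-second window.

```python
import time

# Added example (not Discuz code): models frequencycheck() with a TTL store
# that mimics memory('get') / memory('set', key, value, ttl).
class TtlStore:
    """Minimal stand-in for Discuz's memory() cache: values expire after ttl seconds."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.data = {}  # key -> (value, expires_at)

    def get(self, key):
        item = self.data.get(key)
        if item is None or item[1] <= self.clock():
            self.data.pop(key, None)
            return None
        return item[0]

    def set(self, key, value, ttl):
        # Like memory('set', $key, $v, $ttl): every write restarts the TTL.
        self.data[key] = (value, self.clock() + ttl)


def frequency_check(store, uids, second, times):
    """True while every uid stays within `times` credit updates per `second` seconds.
    As in the PHP, an empty second or times disables the check. The get-then-set
    is not atomic; an atomic increment in the backing store would close the
    remaining window between two truly concurrent requests."""
    if not second or not times:
        return True
    for uid in uids:
        key = 'credit_fc%d' % uid
        v = int(store.get(key) or 0) + 1
        store.set(key, v, second)
        if v > times:
            return False  # the PHP calls system_error('credit frequency limit') here
    return True


def simulate(ops, second=1, times=10, gap=0.0):
    """Fire `ops` credit updates for uid 42 (constructed), `gap` fake seconds apart;
    returns how many the check accepted."""
    now = [1000.0]
    store = TtlStore(clock=lambda: now[0])
    accepted = 0
    for _ in range(ops):
        if frequency_check(store, [42], second, times):
            accepted += 1
        now[0] += gap
    return accepted
```

With the page's defaults, simulate(15) accepts 10 of 15 back-to-back updates, simulate(15, second=0) accepts all 15 because the check is off, and simulate(15, gap=0.5) still accepts only 10 even at two updates per second, because each write refreshes the TTL.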