
漏洞修复

娄底高职分支
dao 2 weeks ago
parent
commit
b0615994b0
14 changed files with 151 additions and 23 deletions
  1. +14
    -0
      Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/EmpInfoController.cs
  2. +2
    -1
      Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/EmpInfoEnternalController.cs
  3. +14
    -0
      Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/StuInfoBasicController.cs
  4. +3
    -0
      Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_OAModule/Controllers/ResourceFileController.cs
  5. +11
    -0
      Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_OrganizationModule/Controllers/UserController.cs
  6. +31
    -0
      Learun.Framework.Ultimate V7/Learun.Application.Web/Controllers/UserCenterController.cs
  7. +1
    -16
      Learun.Framework.Ultimate V7/Learun.Application.Web/Extensions/StrHelper.cs
  8. +10
    -0
      Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/DataSourceApi.cs
  9. +15
    -0
      Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/SunshineEducationApi.cs
  10. +3
    -0
      Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/UserApi.cs
  11. +16
    -6
      Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/UsernologinApi.cs
  12. +7
    -0
      Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/File/DirFileHelper.cs
  13. +1
    -0
      Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/Learun.Util.csproj
  14. +23
    -0
      Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/String/StringHelper.cs

+ 14
- 0
Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/EmpInfoController.cs View File

@@ -182,6 +182,20 @@ namespace Learun.Application.Web.Areas.EducationalAdministration.Controllers
{
Pagination paginationobj = pagination.ToObject<Pagination>();
var data = empInfoIBLL.GetPageList(paginationobj, queryJson);
if (data.Any())
{
foreach (var item in data)
{
if (!item.IdentityCardNo.IsEmpty())
{
item.IdentityCardNo = $"{item.IdentityCardNo.Substring(0, 2)}************{item.IdentityCardNo.Substring(14, 4)}";
}
if (!item.mobile.IsEmpty())
{
item.mobile = $"{item.mobile.Substring(0, 3)}****{item.mobile.Substring(7, 4)}";
}
}
}
var jsonData = new
{
rows = data,
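Review bot: The masks at `item.IdentityCardNo.Substring(14, 4)` and `item.mobile.Substring(7, 4)` assume an 18-character ID number and an 11-digit mobile, but `IsEmpty()` only rules out blank values, so any shorter stored value throws ArgumentOutOfRangeException and the whole page request fails instead of returning a masked row. Shorter values should be masked entirely rather than crashed on (or passed through), and the same pattern recurs in StuInfoBasicController.cs, UserController.cs (`F_Mobile`), UserCenterController.cs (both hunks) and SunshineEducationApi.cs (`Phone`). Six copies of the same format strings are also a maintenance risk; one helper in the newly added Learun.Util StringHelper would keep the masking rule in a single place. GetPageList begins and ends outside the hunk.
```csharp
foreach (var item in data)
{
    if (!item.IdentityCardNo.IsEmpty())
    {
        // Keep 2 leading + 4 trailing characters only when the value is long enough; otherwise hide it all.
        item.IdentityCardNo = item.IdentityCardNo.Length >= 18
            ? $"{item.IdentityCardNo.Substring(0, 2)}************{item.IdentityCardNo.Substring(14, 4)}"
            : new string('*', item.IdentityCardNo.Length);
    }
    if (!item.mobile.IsEmpty())
    {
        item.mobile = item.mobile.Length >= 11
            ? $"{item.mobile.Substring(0, 3)}****{item.mobile.Substring(7, 4)}"
            : new string('*', item.mobile.Length);
    }
}
// … unchanged: jsonData construction …
```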


+ 2
- 1
Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/EmpInfoEnternalController.cs View File

@@ -37,7 +37,8 @@ namespace Learun.Application.Web.Areas.EducationalAdministration.Controllers
[AjaxOnly]
public ActionResult GetMap(string code, string ver, string where)
{
where=StrHelper.DelErrChar(where);
code=StringHelper.DelErrChar(code);
where= StringHelper.DelErrChar(where);
var data = dataSourceIBLL.GetDataTable(code, where);

string md5 = Md5Helper.Encrypt(data.ToJson(), 32);
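Review bot: Passing `where` through `StringHelper.DelErrChar` before `dataSourceIBLL.GetDataTable(code, where)` is a keyword blacklist, not a fix for the injection the commit title refers to: the filter lower-cases the whole fragment and deletes substrings, so it corrupts legitimate filters (any identifier containing `or` or `and`, such as `order`, loses characters, and removing `=` leaves most comparisons unparseable), while a single-pass `Replace` is a well-known weak barrier. The durable fix is to stop accepting a raw SQL fragment from the client: let the data source definition own the query, bind any client-supplied filter values as parameters, and validate `code` against the configured data source list; the same applies to the `queryJson` call in SunshineEducationApi.cs. `DelErrChar` also dereferences its argument before its null check, so a request that omits `where` now fails with NullReferenceException rather than an empty filter. GetMap's body continues past the hunk.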


+ 14
- 0
Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/StuInfoBasicController.cs View File

@@ -258,6 +258,20 @@ namespace Learun.Application.Web.Areas.EducationalAdministration.Controllers
{
Pagination paginationobj = pagination.ToObject<Pagination>();
var data = stuInfoBasicIBLL.GetPageList(paginationobj, queryJson);
if (data.Any())
{
foreach (var item in data)
{
if (!item.IdentityCardNo.IsEmpty())
{
item.IdentityCardNo = $"{item.IdentityCardNo.Substring(0, 2)}************{item.IdentityCardNo.Substring(14, 4)}";
}
if (!item.mobile.IsEmpty())
{
item.mobile = $"{item.mobile.Substring(0, 3)}****{item.mobile.Substring(7, 4)}";
}
}
}
var jsonData = new
{
rows = data,


+ 3
- 0
Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_OAModule/Controllers/ResourceFileController.cs View File

@@ -3,6 +3,7 @@ using Learun.Application.OA.File.FileFolder;
using Learun.Application.OA.File.FileInfo;
using Learun.Application.OA.File.FilePreview;
using Learun.Util;
using NPOI.SS.Formula.Functions;
using System;
using System.Collections.Generic;
using System.IO;
@@ -383,6 +384,8 @@ namespace Learun.Application.Web.Areas.LR_OAModule.Controllers
string fileGuid = Guid.NewGuid().ToString();
long filesize = Filedata.ContentLength;
string FileEextension = Path.GetExtension(Filedata.FileName);
var fts = new List<string> { "jpg", "gif", "png", "bmp", "jpeg", "doc", "docx", "ppt", "pptx", "xls", "xlsx", "pdf", "txt", "rar", "zip", "csv" };
if (!DirFileHelper.IsFileTyep(fts, FileEextension.ToLower().Replace(".",""))) throw new Exception("不支持的类型");
string uploadDate = DateTime.Now.ToString("yyyyMMdd");
string virtualPath = string.Format("~/Resource/DocumentFile/{0}/{1}/{2}{3}", userId, uploadDate, fileGuid, FileEextension);
string fullFileName = this.Server.MapPath(virtualPath);
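Review bot: The extension check at `DirFileHelper.IsFileTyep(fts, FileEextension.ToLower().Replace(".",""))` normalises with the culture-sensitive `ToLower()`; under a Turkish-culture thread `"JPG"` does not lower-case to `"jpg"`, so use `ToLowerInvariant()`. The check is extension-only and the file is still written under the web root (`~/Resource/DocumentFile/...`), so it should be complemented by serving that folder without script execution and, for images, by validating the content rather than the name; that part is outside the hunk, so I cannot see whether it is already in place. `throw new Exception("不支持的类型")` should be a more specific type (e.g. `ArgumentException`) so callers can tell a rejected upload from an unexpected failure. The first hunk's `using NPOI.SS.Formula.Functions;` looks like an accidental IDE import — nothing shown uses it. The enclosing upload method begins and ends outside the hunk.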


+ 11
- 0
Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_OrganizationModule/Controllers/UserController.cs View File

@@ -8,6 +8,7 @@ using System;
using Learun.Application.Base.SystemModule;
using Learun.Application.TwoDevelopment.EducationalAdministration;
using System.Configuration;
using static Learun.Util.QRCodeHelper;

namespace Learun.Application.Web.Areas.LR_OrganizationModule.Controllers
{
@@ -97,6 +98,16 @@ namespace Learun.Application.Web.Areas.LR_OrganizationModule.Controllers
{
Pagination paginationobj = pagination.ToObject<Pagination>();
var data = userIBLL.GetPageList(companyId, departmentId, paginationobj, keyword, tp);
if(data.Any())
{
foreach (var item in data)
{
if(!item.F_Mobile.IsEmpty())
{
item.F_Mobile = $"{item.F_Mobile.Substring(0, 3)}****{item.F_Mobile.Substring(7, 4)}";
}
}
}
var jsonData = new
{
rows = data,


+ 31
- 0
Learun.Framework.Ultimate V7/Learun.Application.Web/Controllers/UserCenterController.cs View File

@@ -228,6 +228,22 @@ namespace Learun.Application.Web.Controllers
photo = "/" + photo.Substring(photo.IndexOf("Content"));
}
result.Photo = photo;
if(!result.mobile.IsEmpty())
{
result.mobile = $"{result.mobile.Substring(0, 3)}****{result.mobile.Substring(7, 4)}";
}
if(!result.IdentityCardNo.IsEmpty())
{
result.IdentityCardNo = $"{result.IdentityCardNo.Substring(0, 2)}************{result.IdentityCardNo.Substring(14, 4)}";
}
if (!result.FatherPhone.IsEmpty())
{
result.FatherPhone = $"{result.FatherPhone.Substring(0, 3)}****{result.FatherPhone.Substring(7, 4)}";
}
if (!result.MatherPhone.IsEmpty())
{
result.MatherPhone = $"{result.MatherPhone.Substring(0, 3)}****{result.MatherPhone.Substring(7, 4)}";
}
}
return Success(new { basicInfo = data, userInfo = result });

@@ -237,6 +253,21 @@ namespace Learun.Application.Web.Controllers
{
var data = LoginUserInfo.Get();
var result = empInfoIBLL.GetEmpInfoEntityByEmpNo(data.account);
if(result!=null)
{
if (!result.mobile.IsEmpty())
{
result.mobile = $"{result.mobile.Substring(0, 3)}****{result.mobile.Substring(7, 4)}";
}
if (!result.IdentityCardNo.IsEmpty())
{
result.IdentityCardNo = $"{result.IdentityCardNo.Substring(0, 2)}************{result.IdentityCardNo.Substring(14, 4)}";
}
if (!result.PhoneOfLinkman.IsEmpty())
{
result.PhoneOfLinkman = $"{result.PhoneOfLinkman.Substring(0, 3)}****{result.PhoneOfLinkman.Substring(7, 4)}";
}
}
return Success(new { basecInfo = data, userInfo = result });
}



+ 1
- 16
Learun.Framework.Ultimate V7/Learun.Application.Web/Extensions/StrHelper.cs View File

@@ -3,21 +3,6 @@
public class StrHelper
{

public static string DelErrChar(string str)
{
str = str.Trim().ToLower();
if (string.IsNullOrEmpty(str))
return string.Empty;

string[] ErrStr = new string[] { "select", "update", "insert", "delete", "'", ";", ":", "@", "or", "and", "drop", "alter", "create", "exec" };
for (int i = 0; i < ErrStr.Length; i++)
{
if (str.Contains(ErrStr[i]))
{
str = str.Replace(ErrStr[i], string.Empty);
}
}
return str;
}
}
}

+ 10
- 0
Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/DataSourceApi.cs View File

@@ -1,6 +1,7 @@
using Learun.Application.Base.SystemModule;
using Learun.Util;
using Nancy;
using System.Data;

namespace Learun.Application.WebApi.Modules
{
@@ -39,6 +40,15 @@ namespace Learun.Application.WebApi.Modules
}
else
{
if (data.Rows.Count > 0)
{
foreach (DataRow item in data.Rows)
{
item["f_password"] = "";
item["f_mobile"] = "";
item["f_identitycardno"] = "";
}
}
var jsondata = new
{
data = data,
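Review bot: `item["f_password"]` (and the two indexers below it) throws ArgumentException when the table returned by the data source has no column of that name, so every data source that does not happen to select those three columns now fails instead of being returned; guard each name with `data.Columns.Contains(...)` before touching rows. Blanking a fixed list of column names after the query is also a weak control — any alias or newly added sensitive column passes through — so the data source query itself should avoid selecting password and ID-number columns, with this loop kept as a last line of defence. The enclosing method begins and ends outside the hunk.
```csharp
// Column names that must never leave this API, whatever the data source selects.
string[] sensitiveColumns = { "f_password", "f_mobile", "f_identitycardno" };
foreach (string column in sensitiveColumns)
{
    // DataRow[string] throws ArgumentException for a column the query did not select.
    if (!data.Columns.Contains(column))
    {
        continue;
    }
    foreach (DataRow item in data.Rows)
    {
        item[column] = "";
    }
}
// … unchanged: jsondata construction …
```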


+ 15
- 0
Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/SunshineEducationApi.cs View File

@@ -162,7 +162,22 @@ namespace Learun.Application.WebApi
public Response GetPageList(dynamic _)
{
ReqPageParam parameter = this.GetReqData<ReqPageParam>();
parameter.queryJson = StringHelper.DelErrChar(parameter.queryJson);
var data = sunshineEducationIBLL.GetPageList(parameter.pagination, parameter.queryJson);
if(data.Any())
{
foreach (var item in data)
{
if(!item.Phone.IsEmpty())
{
item.Phone = item.Phone.Substring(0, 3) + "****" + item.Phone.Substring(7, 4);
}
if (!item.EMail.IsEmpty())
{
item.EMail = item.EMail.Substring(0, 3) + "****@" + item.EMail.Split('@')[1];
}
}
}
var jsonData = new
{
rows = data,
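Review bot: `parameter.queryJson = StringHelper.DelErrChar(parameter.queryJson)` is applied to a value that, by its name and its use in `GetPageList(parameter.pagination, parameter.queryJson)`, appears to be a JSON document; DelErrChar deletes every `:`, `'` and `=` and lower-cases the text, which would leave such JSON unparseable or silently alter filter values, and it throws NullReferenceException when the client sends no queryJson at all. If the intent is to keep filter values out of SQL, parse the JSON and bind the extracted values as parameters instead of filtering the raw string. `item.EMail.Split('@')[1]` also throws IndexOutOfRangeException for a stored address without `@`, and `Substring(0, 3)` for a local part shorter than three characters; mask the whole value when the shape is not as expected. GetPageList's body continues past the hunk.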


+ 3
- 0
Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/UserApi.cs View File

@@ -790,6 +790,9 @@ namespace Learun.Application.WebApi
/// 旧密码
/// </summary>
public string oldpassword { get; set; }

public string mobile { get; set; }
public string verifycode { get; set; }
}

public class MobileVerify
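Review bot: The new `mobile` and `verifycode` properties carry no `/// <summary>` while the neighbouring `oldpassword` does; add `/// <summary>Mobile number</summary>` and `/// <summary>Verification code</summary>` so the request contract stays self-describing. Whether `verifycode` is the value compared in the forget-password flow is not visible here and is worth stating in the summary if so. The enclosing class begins before the hunk.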


+ 16
- 6
Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/UsernologinApi.cs View File

@@ -12,6 +12,7 @@ using Learun.Application.TwoDevelopment.LR_Desktop;
using Learun.Cache.Base;
using Learun.Cache.Factory;
using Quanjiang.DigitalScholl.SendSms;
using static Learun.Application.WebApi.SunshineEducationApi;

namespace Learun.Application.WebApi
{
@@ -132,15 +133,24 @@ namespace Learun.Application.WebApi
private Response forgetpass(dynamic _)
{
ModifyModel modifyModel = this.GetReqData<ModifyModel>();
var code = redisCache.Read<string>("studentuserlogin_" + modifyModel.phone);
if (!string.IsNullOrEmpty(code) && code == modifyModel.verifycode)
{
//return Success("验证成功。");
UserEntity userEntity = userIBLL.GetEntityByMobile(modifyModel.phone);
if (userEntity == null)
{
return Fail("用户不存在");
}
userIBLL.setPassword(userEntity.F_UserId, modifyModel.newpassword);

UserEntity userEntity = userIBLL.GetEntityByMobile(modifyModel.phone);
if (userEntity == null)
return Success("密码修改成功");
}
else
{
return Fail("用户不存在");
return Fail("验证失败,验证码错误或已失效。");
}
userIBLL.setPassword(userEntity.F_UserId, modifyModel.newpassword);

return Success("密码修改成功");
}

}
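Review bot: After `userIBLL.setPassword(...)` succeeds, the code read from `"studentuserlogin_" + modifyModel.phone` is never invalidated, so the same verification code can reset the password again for as long as the cache entry lives; drop the key right after the successful comparison (`redisCache.Remove("studentuserlogin_" + modifyModel.phone);`, assuming the cache abstraction exposes a Remove). The key prefix suggests the same entry is written by the SMS login flow, in which case a code issued for login also unlocks a password reset — if so, use a distinct key for forgot-password codes. Nothing in the hunk limits attempts against the code, so the comparison should be rate-limited or the entry discarded after a few failures, since a short numeric code is otherwise guessable. `modifyModel.newpassword` is also accepted without any length or strength check visible here. forgetpass is entirely within the hunk.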

+ 7
- 0
Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/File/DirFileHelper.cs View File

@@ -4,6 +4,7 @@ using System.IO;
using System.Data;
using System.Web;
using System.Reflection;
using System.Collections.Generic;

namespace Learun.Util
{
@@ -826,5 +827,11 @@ namespace Learun.Util
return "";
}
#endregion

public static bool IsFileTyep(List<string> tps,string tp)
{
if(tps.Contains(tp)) return true;
return false;
}
}
}
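Review bot: `IsFileTyep` can be the one-liner `return tps.Contains(tp);`, and its name has a typo (`IsFileType`); if the misspelt name must stay for the existing caller, add the correctly spelt method and mark this one `[Obsolete]`. `List<string>.Contains` is an ordinal, case-sensitive match and the method throws on a null list, so that contract (callers must normalise case; `tps` must not be null) belongs in a `/// <summary>` — or take `IEnumerable<string>` and compare with `StringComparer.OrdinalIgnoreCase` so every caller gets the same behaviour. The enclosing class begins before the hunk.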

+ 1
- 0
Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/Learun.Util.csproj View File

@@ -107,6 +107,7 @@
<Compile Include="Mail\Model\MailModel.cs" />
<Compile Include="Model\jfGridModel.cs" />
<Compile Include="SignalR\SendHubs.cs" />
<Compile Include="String\StringHelper.cs" />
<Compile Include="Tree\TreeDataMake.cs" />
<Compile Include="Tree\TreeModelEx.cs" />
<Compile Include="Ueditor\UeditorConfig.cs" />


+ 23
- 0
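--- /dev/null
+++ b/Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/String/StringHelper.cs
@@ -0,0 +1,23 @@
+namespace Learun.Util
+{
+public static class StringHelper
+{
+public static string DelErrChar(string str)
+{
+str = str.Trim().ToLower();
+if (string.IsNullOrEmpty(str))
+return string.Empty;
+
+
+string[] ErrStr = new string[] { "select", "update", "insert", "delete", "'", ";", ":", "@", "or", "and", "drop", "alter", "create", "exec", "=" };
+for (int i = 0; i < ErrStr.Length; i++)
+{
+if (str.Contains(ErrStr[i]))
+{
+str = str.Replace(ErrStr[i], string.Empty);
+}
+}
+return str;
+}
+}
+}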
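Review bot: `str = str.Trim().ToLower();` runs before `string.IsNullOrEmpty(str)`, so a null argument throws NullReferenceException instead of returning `string.Empty`; swap the two: `if (string.IsNullOrEmpty(str)) return string.Empty;` then `str = str.Trim().ToLowerInvariant();` (invariant, because `ToLower()` is culture-sensitive and this is a machine comparison, not display text). The `str.Contains` test inside the loop is redundant — `Replace` is a no-op when the token is absent — and the method has no XML doc stating that it lower-cases the input and strips substrings, which callers passing a filter expression or JSON will not expect. `"or"` and `"and"` are matched as substrings, so ordinary words such as `order`, `brand` or `for` are mutilated; a token list like this cannot stand in for parameterised queries and the summary should say so. The whole file is in the hunk.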
