漏洞修复

Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/EmpInfoController.cs

@@ -182,6 +182,20 @@ namespace Learun.Application.Web.Areas.EducationalAdministration.Controllers
         {
             Pagination paginationobj = pagination.ToObject<Pagination>();
             var data = empInfoIBLL.GetPageList(paginationobj, queryJson);
+            if (data.Any())
+            {
+                foreach (var item in data)
+                {
+                    if (!item.IdentityCardNo.IsEmpty())
+                    {
+                        item.IdentityCardNo = $"{item.IdentityCardNo.Substring(0, 2)}************{item.IdentityCardNo.Substring(14, 4)}";
+                    }
+                    if (!item.mobile.IsEmpty())
+                    {
+                        item.mobile = $"{item.mobile.Substring(0, 3)}****{item.mobile.Substring(7, 4)}";
+                    }
+                }
+            }
             var jsonData = new
             {
                 rows = data,

Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/EmpInfoEnternalController.cs

@@ -37,7 +37,8 @@ namespace Learun.Application.Web.Areas.EducationalAdministration.Controllers
         [AjaxOnly]
         public ActionResult GetMap(string code, string ver, string where)
         {
-            where=StrHelper.DelErrChar(where);
+            code=StringHelper.DelErrChar(code);
+            where= StringHelper.DelErrChar(where);
             var data = dataSourceIBLL.GetDataTable(code, where);
 
             string md5 = Md5Helper.Encrypt(data.ToJson(), 32);

Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/EducationalAdministration/Controllers/StuInfoBasicController.cs

@@ -258,6 +258,20 @@ namespace Learun.Application.Web.Areas.EducationalAdministration.Controllers
         {
             Pagination paginationobj = pagination.ToObject<Pagination>();
             var data = stuInfoBasicIBLL.GetPageList(paginationobj, queryJson);
+            if (data.Any())
+            {
+                foreach (var item in data)
+                {
+                    if (!item.IdentityCardNo.IsEmpty())
+                    {
+                        item.IdentityCardNo = $"{item.IdentityCardNo.Substring(0, 2)}************{item.IdentityCardNo.Substring(14, 4)}";
+                    }
+                    if (!item.mobile.IsEmpty())
+                    {
+                        item.mobile = $"{item.mobile.Substring(0, 3)}****{item.mobile.Substring(7, 4)}";
+                    }
+                }
+            }
             var jsonData = new
             {
                 rows = data,

Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_OAModule/Controllers/ResourceFileController.cs

@@ -3,6 +3,7 @@ using Learun.Application.OA.File.FileFolder;
 using Learun.Application.OA.File.FileInfo;
 using Learun.Application.OA.File.FilePreview;
 using Learun.Util;
+using NPOI.SS.Formula.Functions;
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -383,6 +384,8 @@ namespace Learun.Application.Web.Areas.LR_OAModule.Controllers
                 string fileGuid = Guid.NewGuid().ToString();
                 long filesize = Filedata.ContentLength;
                 string FileEextension = Path.GetExtension(Filedata.FileName);
+                var fts = new List<string> { "jpg", "gif", "png", "bmp", "jpeg", "doc", "docx", "ppt", "pptx", "xls", "xlsx", "pdf", "txt", "rar", "zip", "csv" };
+                if (!DirFileHelper.IsFileTyep(fts, FileEextension.ToLower().Replace(".",""))) throw new Exception("不支持的类型");
                 string uploadDate = DateTime.Now.ToString("yyyyMMdd");
                 string virtualPath = string.Format("~/Resource/DocumentFile/{0}/{1}/{2}{3}", userId, uploadDate, fileGuid, FileEextension);
                 string fullFileName = this.Server.MapPath(virtualPath);

Learun.Framework.Ultimate V7/Learun.Application.Web/Areas/LR_OrganizationModule/Controllers/UserController.cs

@@ -8,6 +8,7 @@ using System;
 using Learun.Application.Base.SystemModule;
 using Learun.Application.TwoDevelopment.EducationalAdministration;
 using System.Configuration;
+using static Learun.Util.QRCodeHelper;
 
 namespace Learun.Application.Web.Areas.LR_OrganizationModule.Controllers
 {
@@ -97,6 +98,16 @@ namespace Learun.Application.Web.Areas.LR_OrganizationModule.Controllers
         {
             Pagination paginationobj = pagination.ToObject<Pagination>();
             var data = userIBLL.GetPageList(companyId, departmentId, paginationobj, keyword, tp);
+            if(data.Any())
+            {
+                foreach (var item in data)
+                {
+                    if(!item.F_Mobile.IsEmpty())
+                    {
+                        item.F_Mobile = $"{item.F_Mobile.Substring(0, 3)}****{item.F_Mobile.Substring(7, 4)}";
+                    }
+                }
+            }
             var jsonData = new
             {
                 rows = data,

Learun.Framework.Ultimate V7/Learun.Application.Web/Controllers/UserCenterController.cs

@@ -228,6 +228,22 @@ namespace Learun.Application.Web.Controllers
                     photo = "/" + photo.Substring(photo.IndexOf("Content"));
                 }
                 result.Photo = photo;
+                if(!result.mobile.IsEmpty())
+                {
+                    result.mobile = $"{result.mobile.Substring(0, 3)}****{result.mobile.Substring(7, 4)}";
+                }
+                if(!result.IdentityCardNo.IsEmpty())
+                {
+                    result.IdentityCardNo = $"{result.IdentityCardNo.Substring(0, 2)}************{result.IdentityCardNo.Substring(14, 4)}";
+                }
+                if (!result.FatherPhone.IsEmpty())
+                {
+                    result.FatherPhone = $"{result.FatherPhone.Substring(0, 3)}****{result.FatherPhone.Substring(7, 4)}";
+                }
+                if (!result.MatherPhone.IsEmpty())
+                {
+                    result.MatherPhone = $"{result.MatherPhone.Substring(0, 3)}****{result.MatherPhone.Substring(7, 4)}";
+                }
             }
             return Success(new { basicInfo = data, userInfo = result });
 
@@ -237,6 +253,21 @@ namespace Learun.Application.Web.Controllers
         {
             var data = LoginUserInfo.Get();
             var result = empInfoIBLL.GetEmpInfoEntityByEmpNo(data.account);
+            if(result!=null)
+            {
+                if (!result.mobile.IsEmpty())
+                {
+                    result.mobile = $"{result.mobile.Substring(0, 3)}****{result.mobile.Substring(7, 4)}";
+                }
+                if (!result.IdentityCardNo.IsEmpty())
+                {
+                    result.IdentityCardNo = $"{result.IdentityCardNo.Substring(0, 2)}************{result.IdentityCardNo.Substring(14, 4)}";
+                }
+                if (!result.PhoneOfLinkman.IsEmpty())
+                {
+                    result.PhoneOfLinkman = $"{result.PhoneOfLinkman.Substring(0, 3)}****{result.PhoneOfLinkman.Substring(7, 4)}";
+                }
+            }
             return Success(new { basecInfo = data, userInfo = result });
         }
 

Learun.Framework.Ultimate V7/Learun.Application.Web/Extensions/StrHelper.cs

@@ -3,21 +3,6 @@
     public class StrHelper
     {
 
-        public static string DelErrChar(string str)
-        {
-            str = str.Trim().ToLower();
-            if (string.IsNullOrEmpty(str))
-                return string.Empty;
-
-            string[] ErrStr = new string[] { "select", "update", "insert", "delete", "'", ";", ":", "@", "or", "and", "drop", "alter", "create", "exec" };
-            for (int i = 0; i < ErrStr.Length; i++)
-            {
-                if (str.Contains(ErrStr[i]))
-                {
-                    str = str.Replace(ErrStr[i], string.Empty);
-                }
-            }
-            return str;
-        }
+        
     }
 }

Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/DataSourceApi.cs

@@ -1,6 +1,7 @@
 using Learun.Application.Base.SystemModule;
 using Learun.Util;
 using Nancy;
+using System.Data;
 
 namespace Learun.Application.WebApi.Modules
 {
@@ -39,6 +40,15 @@ namespace Learun.Application.WebApi.Modules
             }
             else
             {
+                if (data.Rows.Count > 0)
+                {
+                    foreach (DataRow item in data.Rows)
+                    {
+                        item["f_password"] = "";
+                        item["f_mobile"] = "";
+                        item["f_identitycardno"] = "";
+                    }
+                }
                 var jsondata = new
                 {
                     data = data,

Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/SunshineEducationApi.cs

@@ -162,7 +162,22 @@ namespace Learun.Application.WebApi
         public Response GetPageList(dynamic _)
         {
             ReqPageParam parameter = this.GetReqData<ReqPageParam>();
+            parameter.queryJson = StringHelper.DelErrChar(parameter.queryJson);
             var data = sunshineEducationIBLL.GetPageList(parameter.pagination, parameter.queryJson);
+            if(data.Any())
+            {
+                foreach (var item in data)
+                {
+                    if(!item.Phone.IsEmpty())
+                    {
+                        item.Phone = item.Phone.Substring(0, 3) + "****" + item.Phone.Substring(7, 4);
+                    }
+                    if (!item.EMail.IsEmpty())
+                    {
+                        item.EMail = item.EMail.Substring(0, 3) + "****@" + item.EMail.Split('@')[1];
+                    }
+                }
+            }
             var jsonData = new
             {
                 rows = data,

Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/UserApi.cs

@@ -790,6 +790,9 @@ namespace Learun.Application.WebApi
         /// 旧密码
         /// </summary>
         public string oldpassword { get; set; }
+
+        public string mobile { get; set; }
+        public string verifycode { get; set; }
     }
 
     public class MobileVerify

Learun.Framework.Ultimate V7/Learun.Application.WebApi/Modules/UsernologinApi.cs

@@ -12,6 +12,7 @@ using Learun.Application.TwoDevelopment.LR_Desktop;
 using Learun.Cache.Base;
 using Learun.Cache.Factory;
 using Quanjiang.DigitalScholl.SendSms;
+using static Learun.Application.WebApi.SunshineEducationApi;
 
 namespace Learun.Application.WebApi
 {
@@ -132,15 +133,24 @@ namespace Learun.Application.WebApi
         private Response forgetpass(dynamic _)
         {
             ModifyModel modifyModel = this.GetReqData<ModifyModel>();
+            var code = redisCache.Read<string>("studentuserlogin_" + modifyModel.phone);
+            if (!string.IsNullOrEmpty(code) && code == modifyModel.verifycode)
+            {
+                //return Success("验证成功。");
+                UserEntity userEntity = userIBLL.GetEntityByMobile(modifyModel.phone);
+                if (userEntity == null)
+                {
+                    return Fail("用户不存在");
+                }
+                userIBLL.setPassword(userEntity.F_UserId, modifyModel.newpassword);
 
-            UserEntity userEntity = userIBLL.GetEntityByMobile(modifyModel.phone);
-            if (userEntity == null)
+                return Success("密码修改成功");
+            }
+            else
             {
-                return Fail("用户不存在");
+                return Fail("验证失败，验证码错误或已失效。");
             }
-            userIBLL.setPassword(userEntity.F_UserId, modifyModel.newpassword);
-
-            return Success("密码修改成功");
+            
         }
 
     }

Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/File/DirFileHelper.cs

@@ -4,6 +4,7 @@ using System.IO;
 using System.Data;
 using System.Web;
 using System.Reflection;
+using System.Collections.Generic;
 
 namespace Learun.Util
 {
@@ -826,5 +827,11 @@ namespace Learun.Util
             return "";
         }
         #endregion
+
+        public static bool IsFileTyep(List<string> tps,string tp)
+        {
+            if(tps.Contains(tp)) return true;
+            return false;
+        }
     }
 }

Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/Learun.Util.csproj

@@ -107,6 +107,7 @@
     <Compile Include="Mail\Model\MailModel.cs" />
     <Compile Include="Model\jfGridModel.cs" />
     <Compile Include="SignalR\SendHubs.cs" />
+    <Compile Include="String\StringHelper.cs" />
     <Compile Include="Tree\TreeDataMake.cs" />
     <Compile Include="Tree\TreeModelEx.cs" />
     <Compile Include="Ueditor\UeditorConfig.cs" />

Learun.Framework.Ultimate V7/Learun.Framework.Module/Learun.Util/Learun.Util/String/StringHelper.cs

@@ -0,0 +1,23 @@
+namespace Learun.Util
+{
+    public static class StringHelper
+    {
+        public static string DelErrChar(string str)
+        {
+            str = str.Trim().ToLower();
+            if (string.IsNullOrEmpty(str))
+                return string.Empty;
+
+
+            string[] ErrStr = new string[] { "select", "update", "insert", "delete", "'", ";", ":", "@", "or", "and", "drop", "alter", "create", "exec", "=" };
+            for (int i = 0; i < ErrStr.Length; i++)
+            {
+                if (str.Contains(ErrStr[i]))
+                {
+                    str = str.Replace(ErrStr[i], string.Empty);
+                }
+            }
+            return str;
+        }
+    }
+}