Merge remote-tracking branch 'remotes/origin/hotfix/loophole'

+<?php
+/**
+ * AES, 128 ECB模式加密数据
+ */
+
+namespace WebPlugin;
+
+class Encryption {
+
+    //密钥
+    private static $_secretKey = 'yoho9646abcdefgh';
+
+    //前面补8位0
+    private static $_preString = '00000000';
+
+    /**
+     * 加密方法
+     * @param string $str
+     * @return string
+     */
+    public static function encrypt($str){
+        $str = self::$_preString.$str;
+        //AES, 128 ECB模式加密数据
+        $secretKey = self::$_secretKey;
+        $str = trim($str);
+        $str = self::addPKCS7Padding($str);
+        $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128,MCRYPT_MODE_ECB),MCRYPT_RAND);
+        $encrypt_str =  mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $secretKey, $str, MCRYPT_MODE_ECB, $iv);
+        return base64_encode($encrypt_str);
+    }
+
+    /**
+     * 解密方法
+     * @param string $str
+     * @return string
+     */
+    public static function decrypt($str){
+        //AES, 128 ECB模式加密数据
+        $secretKey = self::$_secretKey;
+        $str = base64_decode($str);
+        $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128,MCRYPT_MODE_ECB),MCRYPT_RAND);
+        $encrypt_str =  mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $secretKey, $str, MCRYPT_MODE_ECB, $iv);
+        $encrypt_str = trim($encrypt_str);
+        $encrypt_str = self::stripPKSC7Padding($encrypt_str);
+        $encrypt_str = ltrim($encrypt_str, self::$_preString);
+        return $encrypt_str;
+
+    }
+
+    /**
+     * 填充算法
+     * @param string $source
+     * @return string
+     */
+    private static function addPKCS7Padding($source){
+        $source = trim($source);
+        $block = mcrypt_get_block_size('rijndael-128', 'ecb');
+        $pad = $block - (strlen($source) % $block);
+        if ($pad <= $block) {
+            $char = chr($pad);
+            $source .= str_repeat($char, $pad);
+        }
+        return $source;
+    }
+    /**
+     * 移去填充算法
+     * @param string $source
+     * @return string
+     */
+    private static function stripPKSC7Padding($source){
+        $source = trim($source);
+        $char = substr($source, -1);
+        $num = ord($char);
+        if($num==62)return $source;
+        $source = substr($source,0,-$num);
+        return $source;
+    }
+}

@@ -2,6 +2,7 @@
 
 
 use Action\WebAction;
 use Action\WebAction;
 use WebPlugin\Helpers;
 use WebPlugin\Helpers;
+use WebPlugin\Encryption;
 use Index\HomeModel;
 use Index\HomeModel;
 use Index\CouponModel;
 use Index\CouponModel;
 use LibModels\Web\Home\CouponData;
 use LibModels\Web\Home\CouponData;
@@ -29,7 +30,7 @@ class CouponController extends WebAction
      * 领券页面控制器
      * 领券页面控制器
      */
      */
     public function indexAction()
     public function indexAction()
-    { 
+    {
         $channel = Helpers::getChannelNameByCookie();
         $channel = Helpers::getChannelNameByCookie();
         //领券频道头部
         //领券频道头部
         $this->setWebNavHeader($channel);
         $this->setWebNavHeader($channel);
@@ -52,6 +53,11 @@ class CouponController extends WebAction
                 break;
                 break;
             }
             }
             $couponId = $this->get('id', '');
             $couponId = $this->get('id', '');
+            if (empty($couponId)) {
+                break;
+            }
+            //解密
+            $couponId = Encryption::decrypt($couponId);
             $uid = $this->getUid();
             $uid = $this->getUid();
             if (!$uid) {
             if (!$uid) {
                 $playUrl = Helpers::url('/coupon/index');
                 $playUrl = Helpers::url('/coupon/index');

@@ -4,6 +4,7 @@ namespace Index;
 
 
 use WebPlugin\Helpers;
 use WebPlugin\Helpers;
 use WebPlugin\Images;
 use WebPlugin\Images;
+use WebPlugin\Encryption;
 use Index\HomeModel;
 use Index\HomeModel;
 use LibModels\Web\Home\CouponData;
 use LibModels\Web\Home\CouponData;
 
 
@@ -60,7 +61,7 @@ class CouponModel
                     );
                     );
                     foreach ($couponlistval['data'] as $couponskey => $couponsval) {
                     foreach ($couponlistval['data'] as $couponskey => $couponsval) {
                         $result['categories'][$i]['coupons'][$couponskey] = array(
                         $result['categories'][$i]['coupons'][$couponskey] = array(
-                            'id' => $couponsval['couponID'], //优惠券号
+                            'id' => Encryption::encrypt($couponsval['couponID']), //加密优惠券号
                             'img' => Images::getForceSourceUrl($couponsval['image']['src']), //优惠券图片
                             'img' => Images::getForceSourceUrl($couponsval['image']['src']), //优惠券图片
                             'url' =>  Helpers::getUrlSafe($couponsval['image']['url'])    //去逛逛链接
                             'url' =>  Helpers::getUrlSafe($couponsval['image']['url'])    //去逛逛链接
                         );
                         );

@@ -12,6 +12,7 @@ use WebPlugin\Images;
 use Configs\WebCacheConfig;
 use Configs\WebCacheConfig;
 use Hood\Core\Security\AuthCode;
 use Hood\Core\Security\AuthCode;
 use WebPlugin\UdpLog;
 use WebPlugin\UdpLog;
+use WebPlugin\Encryption;
 use Configs\ChannelConfig;
 use Configs\ChannelConfig;
 
 
 /**
 /**
@@ -980,7 +981,7 @@ class CartModel
                 $mobile = substr($mobile, 0, 3) . '****' . substr($mobile, 7);
                 $mobile = substr($mobile, 0, 3) . '****' . substr($mobile, 7);
 
 
                 $build = array();
                 $build = array();
-                $build['id'] = $value['address_id'];
+                $build['id'] = Encryption::encrypt($value['address_id']);
                 $build['user'] = $value['consignee'];
                 $build['user'] = $value['consignee'];
                 $build['address'] = $value['area'] . $value['address'] . ' ' . $value['zip_code'] . ' ' . $mobile . ' ' . $value['phone'];
                 $build['address'] = $value['area'] . $value['address'] . ' ' . $value['zip_code'] . ' ' . $mobile . ' ' . $value['phone'];
                 $build['checked'] = $value['is_default'] === 'Y';
                 $build['checked'] = $value['is_default'] === 'Y';
@@ -1095,6 +1096,10 @@ class CartModel
             // 处理返回结果
             // 处理返回结果
             if (isset($address['code']) && $address['code'] == 200) {
             if (isset($address['code']) && $address['code'] == 200) {
                 $result = $address;
                 $result = $address;
+                if ($result['data']['address_id']) {
+                    $result['data']['address_id'] = Encryption::encrypt($result['data']['address_id']);
+                    $result['data']['id'] = Encryption::encrypt($result['data']['id']);
+                }
             }
             }
         }
         }
 
 

@@ -4,6 +4,7 @@ use Action\WebAction;
 use WebPlugin\Helpers;
 use WebPlugin\Helpers;
 use Shopping\CartModel;
 use Shopping\CartModel;
 use WebPlugin\UdpLog;
 use WebPlugin\UdpLog;
+use WebPlugin\Encryption;
 
 
 /**
 /**
  * 购物车相关的控制器
  * 购物车相关的控制器
@@ -269,6 +270,8 @@ class IndexController extends WebAction
         if ($this->isAjax()) {
         if ($this->isAjax()) {
             $uid = $this->getUid(false);
             $uid = $this->getUid(false);
             $addressId = $this->post('id');
             $addressId = $this->post('id');
+            //解密
+            $addressId = intval(Encryption::decrypt($addressId));
             $result = CartModel::setDefaultAddress($uid, $addressId);
             $result = CartModel::setDefaultAddress($uid, $addressId);
         }
         }
 
 
@@ -295,7 +298,11 @@ class IndexController extends WebAction
 
 
         if ($this->isAjax()) {
         if ($this->isAjax()) {
             $uid = $this->getUid(false);
             $uid = $this->getUid(false);
-            $id = $this->post('id', null);
+            $id = $this->post('id', null); //TODO
+            if ($id) {
+                //解密
+                $id = intval(Encryption::decrypt($id));
+            }
             $address = $this->post('address', '');
             $address = $this->post('address', '');
             $areaCode = $this->post('areaCode', '');
             $areaCode = $this->post('areaCode', '');
             $consignee = $this->post('consignee', '');
             $consignee = $this->post('consignee', '');
@@ -327,7 +334,8 @@ class IndexController extends WebAction
 
 
         if ($this->isAjax()) {
         if ($this->isAjax()) {
             $uid = $this->getUid(false);
             $uid = $this->getUid(false);
-            $addressId = $this->post('id');
+            $addressId = $this->post('id');// TODO
+            $addressId = intval(Encryption::decrypt($addressId));
             $result = CartModel::delAddress($uid, $addressId);
             $result = CartModel::delAddress($uid, $addressId);
         }
         }
 
 
@@ -435,7 +443,9 @@ class IndexController extends WebAction
                 break;
                 break;
             }
             }
 
 
-            $addressId = $this->post('addressId', null);
+            $addressId = $this->post('addressId', null);//TODO
+            //解密
+            $addressId = intval(Encryption::decrypt($addressId));
             $cartType = $this->post('cartType', 'ordinary'); // 默认普通购物车
             $cartType = $this->post('cartType', 'ordinary'); // 默认普通购物车
             $deliveryTimeId = $this->post('deliveryTimeId', 1); // 默认只工作日配送
             $deliveryTimeId = $this->post('deliveryTimeId', 1); // 默认只工作日配送
             $deliveryWayId = $this->post('deliveryWayId', 1); // 默认普通快递
             $deliveryWayId = $this->post('deliveryWayId', 1); // 默认普通快递