Merge remote-tracking branch 'remotes/origin/hotfix/loophole'

梁志锋
Commit be8532e3752ee902d7a613a322ddd11ae3f3932f 2 parents d0b8cdb8 d17a2bbd
Showing 7 changed files with 103 additions and 6 deletions
library/Plugin/DataProcess/CouponFloorProcess.php
library/Plugin/Encryption.php
yohobuy/m.yohobuy.com/application/controllers/Coupon.php
yohobuy/m.yohobuy.com/application/controllers/Home.php
yohobuy/m.yohobuy.com/application/models/Index/Cart.php
yohobuy/m.yohobuy.com/application/models/Index/User.php
yohobuy/m.yohobuy.com/application/modules/Cart/controllers/Index.php
--- a/library/Plugin/DataProcess/CouponFloorProcess.php
View file @be8532e
+++ b/library/Plugin/DataProcess/CouponFloorProcess.php
View file @be8532e
@@ -12,6 +12,7 @@ use WebPlugin\Cache;
 use Plugin\Images;
 use Plugin\Helpers;
 use WebPlugin\HelperSearch;
+ use Plugin\Encryption;
 
 class CouponFloorProcess
 {
@@ -109,6 +110,7 @@ class CouponFloorProcess
                 $floorTitle = (key_exists('text', $item) && ($item['text'] !== '')) ? $item['text'] : '';
                 continue;
             }
+             $item['couponID'] = Encryption::encrypt($item['couponID']);
             $imageSrc = Images::getImageUrl($item['image']['src'], 0, 0);
             $item['image']['src'] = $imageSrc;
             $item['image']['url'] = $isApp ? $item['image']['url'] : Helpers::getFilterUrl($item['image']['url']);
--- a/library/Plugin/Encryption.php 0 → 100644
View file @be8532e
+++ b/library/Plugin/Encryption.php 0 → 100644
View file @be8532e
+ <?php
+ /**
+  * AES, 128 ECB模式加密数据
+  * 原有的填充方法没用到，否则与java、node不一致，暂时保留
+  */
+ 
+ namespace Plugin;
+ 
+ class Encryption {
+ 
+     //密钥
+     private static $_secretKey = 'yoho9646abcdefgh';
+ 
+     /**
+      * 加密方法
+      * @param string $str 加密字符
+      * @param string $key 密钥
+      * @return string
+      */
+     public static function encrypt($str, $key = ''){
+ 
+         //AES, 128 ECB模式加密数据
+         $secretKey = $key ? $key : self::$_secretKey;
+         $str = trim($str);
+ //        $str = self::addPKCS7Padding($str);
+         $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128,MCRYPT_MODE_ECB),MCRYPT_RAND);
+         $encrypt_str =  mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $secretKey, $str, MCRYPT_MODE_ECB, $iv);
+         return base64_encode($encrypt_str);
+     }
+ 
+     /**
+      * 解密方法
+      * @param string $str 解密字符
+      * @param string $key 密钥
+      * @return string
+      */
+     public static function decrypt($str, $key = ''){
+         //AES, 128 ECB模式加密数据
+         $secretKey = $key ? $key : self::$_secretKey;
+         $str = base64_decode($str);
+         $iv = mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128,MCRYPT_MODE_ECB),MCRYPT_RAND);
+         $encrypt_str =  mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $secretKey, $str, MCRYPT_MODE_ECB, $iv);
+         $encrypt_str = trim($encrypt_str);
+ //        $encrypt_str = self::stripPKSC7Padding($encrypt_str);
+         return $encrypt_str;
+ 
+     }
+ 
+     /**
+      * 填充算法
+      * @param string $source
+      * @return string
+      */
+     private static function addPKCS7Padding($source){
+         $source = trim($source);
+         $block = mcrypt_get_block_size('rijndael-128', 'ecb');
+         $pad = $block - (strlen($source) % $block);
+         if ($pad <= $block) {
+             $char = chr($pad);
+             $source .= str_repeat($char, $pad);
+         }
+         return $source;
+     }
+     /**
+      * 移去填充算法
+      * @param string $source
+      * @return string
+      */
+     private static function stripPKSC7Padding($source){
+         $source = trim($source);
+         $char = substr($source, -1);
+         $num = ord($char);
+         if($num==62)return $source;
+         $source = substr($source,0,-$num);
+         return $source;
+     }
+ }
\ No newline at end of file
--- a/yohobuy/m.yohobuy.com/application/controllers/Coupon.php
View file @be8532e
+++ b/yohobuy/m.yohobuy.com/application/controllers/Coupon.php
View file @be8532e
@@ -11,6 +11,7 @@ use Coupon\CouponModel;
 use LibModels\Wap\Coupon\CouponData;
 use Plugin\DataProcess\CouponFloorProcess;
 use Plugin\Helpers;
+ use Plugin\Encryption;
 
 
 class CouponController extends AbstractAction
@@ -67,6 +68,9 @@ class CouponController extends AbstractAction
             'code' => FILTER_DEFAULT,
             'app_version' => FILTER_DEFAULT
         ));
+         if ($receiveData['couponID']) {
+             $receiveData['couponID'] = Encryption::decrypt($receiveData['couponID']);
+         }
         // 跳转 URl
         $playUrl = Helpers::url('/coupon/floor');
         // 判断用户是否登录
--- a/yohobuy/m.yohobuy.com/application/controllers/Home.php
View file @be8532e
+++ b/yohobuy/m.yohobuy.com/application/controllers/Home.php
View file @be8532e
@@ -11,6 +11,7 @@ use Plugin\Pay\weixin\lib\WxPayUnifiedOrder;
 use Plugin\Pay\weixin\lib\WxPayApi;
 use Plugin\Pay\weixin\lib\WxPayConfig;
 use Plugin\UdpLog;
+ use Plugin\Encryption;
 
 /**
  * 个人中心相关的控制器
@@ -472,7 +473,6 @@ class HomeController extends AbstractAction
             'addressActionPage' => true,
             'addressList' => UserModel::getAddressListData($uid)
         );
- 
         if ($id !== null) { // 编辑地址
             // 设置网站标题
             $this->setTitle('编辑地址');
@@ -505,6 +505,9 @@ class HomeController extends AbstractAction
             $consignee = $this->post('consignee', '');
             $email = $this->post('email', '');
             $id = $this->post('id', null);
+             if ($id) {
+                 $id = Encryption::decrypt($id);
+             }
             $mobile = $this->post('mobile', '');
             $zipCode = $this->post('zip_code', '');
 
@@ -528,7 +531,10 @@ class HomeController extends AbstractAction
 
         if ($this->isAjax()) {
             $uid = $this->getUid(true);
-             $id = $this->post('id', '');
+             $id = $this->post('id', '');// TODO
+             if ($id) {
+                 $id = Encryption::decrypt($id);
+             }
             $result = UserModel::setDefaultAddress($uid, $id);
         }
 
@@ -550,6 +556,9 @@ class HomeController extends AbstractAction
         if ($this->isAjax()) {
             $uid = $this->getUid(true);
             $id = $this->post('id', '');
+             if ($id) {
+                 $id = Encryption::decrypt($id);
+             }
             $result = UserModel::deleteAddress($uid, $id);
         }
 
--- a/yohobuy/m.yohobuy.com/application/models/Index/Cart.php
View file @be8532e
+++ b/yohobuy/m.yohobuy.com/application/models/Index/Cart.php
View file @be8532e
@@ -7,6 +7,7 @@ use LibModels\Wap\Home\OrderData;
 use Plugin\Helpers;
 use Plugin\Images;
 use Plugin\UdpLog;
+ use Plugin\Encryption;
 
 
 /**
@@ -406,6 +407,7 @@ class CartModel
             $isSunfengSupport = false; // 是否支持顺丰快递
             if (isset($payReturn['delivery_address']) && !empty($payReturn['delivery_address'])) {
                 $result['addressId'] = isset($address['address_id']) ? $address['address_id'] : $payReturn['delivery_address']['address_id'];
+                 $result['addressId'] = Encryption::encrypt($result['addressId']);
                 $result['name'] = isset($address['consignee']) ? $address['consignee'] : $payReturn['delivery_address']['consignee'];
                 $result['phoneNum'] = isset($address['mobile']) ? $address['mobile'] : $payReturn['delivery_address']['mobile'];
 //                $result['area'] = isset($address['area']) ? $address['area'] : $payReturn['delivery_address']['area'];
--- a/yohobuy/m.yohobuy.com/application/models/Index/User.php
View file @be8532e
+++ b/yohobuy/m.yohobuy.com/application/models/Index/User.php
View file @be8532e
@@ -9,6 +9,7 @@ use Plugin\Cache;
 use Plugin\Helpers;
 use Plugin\Images;
 use Plugin\UdpLog;
+ use Plugin\Encryption;
 
 /**
  *
@@ -594,6 +595,9 @@ class UserModel
 
         // 处理地址数据
         if (isset($address['data']) && !empty($address['data'])) {
+             foreach ($address['data'] as $key => $val) {
+                 $address['data'][$key]['address_id'] = Encryption::encrypt($val['address_id']);
+             }
             UdpLog::info('地址数据校验','uid'.$uid.'返回:'.json_encode($address));
             $result = $address['data'];
         }
@@ -646,16 +650,14 @@ class UserModel
      * 根据用户id和地址id获取地址数据
      *
      * @param int $uid 用户ID
-      * @param int $id 地址ID
+      * @param string $id 加密后的地址ID
      * @return array|mixed 地址数据
      */
     public static function getAddressDataById($uid, $id)
     {
         $result = array();
- 
         // 调用接口获取地址数据
         $address = self::getAddressData($uid);
- 
         // 处理地址数据
         foreach ($address as $val) {
             if ($val['address_id'] == $id) {
@@ -663,7 +665,6 @@ class UserModel
                 break;
             }
         }
- 
         return $result;
     }
 
--- a/yohobuy/m.yohobuy.com/application/modules/Cart/controllers/Index.php
View file @be8532e
+++ b/yohobuy/m.yohobuy.com/application/modules/Cart/controllers/Index.php
View file @be8532e
@@ -8,6 +8,7 @@ use Plugin\Helpers;
 use Plugin\UnionTrans;
 use Home\OrderModel;
 use Plugin\UdpLog;
+ use Plugin\Encryption;
 
 /**
  * 购物车相关的控制器
@@ -452,6 +453,7 @@ class IndexController extends AbstractAction
         if ($this->isAjax()) {
             $uid = $this->getUid(true);
             $addressId = $this->post('addressId', null);
+             $addressId = Encryption::decrypt($addressId);
             $cartType = $this->post('cartType', 'ordinary'); // 默认普通购物车
             $deliveryTime = $this->post('deliveryTimeId', 1); // 默认只工作日配送
             $deliveryWay = $this->post('deliveryId', 1); // 默认普通快递