ecshop/OMS
1
0
Fork 0
mirror of https://gitee.com/ShopeX/OMS synced 2026-04-26 10:45:43 +08:00
Code Issues Packages Projects Releases Wiki Activity

1. 【新增】售后单售后原因类型支持搜索

Browse Source 
2. 【新增】手工创建订单折扣可输入正数

3. 【优化】盘点申请单确认

4. 【修复】采购退货单模拟出库失败问题

5. 【新增】订单金额客户实付与结算金额

6. 【优化】仓库发货统计报表物料名称显示

7. 【优化】自有仓储虚拟发货逻辑

8. 【修复】基础物料分类管理问题
This commit is contained in:
chenping
2026-04-01 11:59:17 +08:00
parent 9341122827
commit 61783b7d01
754 changed files with 46179 additions and 5700 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
app/ome/lib/service/login.php
View File

@@ -23,7 +23,8 @@ class ome_service_login {
*/
public function b2b_login_error($msg) {
$server_name = trim($_SERVER['SERVER_NAME']);
if(stristr($server_name,B2B_TG_URL)) {
// 安全修复检查B2B相关常量是否定义
if (defined('B2B_TG_URL') && defined('B2B_API_URL') && stristr($server_name, B2B_TG_URL)) {
$arr = array('msg'=>$msg,'url'=>$server_name);
$arr = json_encode($arr);
$arr = base64_encode($arr);
@@ -121,12 +122,7 @@ class ome_service_login {
if (!$params)
return false;
//[huishang]用户不存在时,使用传过来的登录密码
if($params['login_from']=='huishang'){
$login_password = $params['visitor_pwd'];
}else{
$login_password = md5(DB_PASSWORD);
}
$login_password = md5(DB_PASSWORD);
$account = array(
'pam_account' => array(
@@ -171,85 +167,94 @@ class ome_service_login {
// begin分销王登录
if($params['login_from']=='b2b') {
$sign = strtoupper(md5(B2B_APP_KEY . $params['saas_params'] . $params['saas_ts'] . B2B_SECRE_KEY));
}elseif($params['login_from']=='huishang'){
//汇尚免登
$sign = strtoupper(md5(HUISHANG_APP_KEY . $params['saas_params'] . $params['saas_ts'] . HUISHANG_SECRE_KEY));
// 分销王登录检查B2B密钥常量是否定义
if (!defined('B2B_APP_KEY') || !defined('B2B_SECRE_KEY')) {
return false;
}
$appKey = B2B_APP_KEY;
$secretKey = B2B_SECRE_KEY;
} else {
// 默认SAAS登录检查SAAS密钥常量是否定义
if (!defined('SASS_APP_KEY') || !defined('SAAS_SECRE_KEY')) {
return false;
}
$appKey = SASS_APP_KEY;
$secretKey = SAAS_SECRE_KEY;
}
// end
// 安全修复:先验证签名,再解析参数(防止签名绕过)
$sign = strtoupper(md5($appKey . $params['saas_params'] . $params['saas_ts'] . $secretKey));
if ($sign !== $params['saas_sign']) {
// 签名验证不通过
$this->b2b_login_error('签名错误');
return false;
}
// 安全修复:签名验证通过后,再解析参数
$saasParams = base64_decode($params['saas_params']);
$saasParams = @explode('&', $saasParams);
foreach ((array) $saasParams as $param) {
if ($saasParams === false) {
$this->b2b_login_error('参数错误');
return false;
}
$saasParams = explode('&', $saasParams);
if (!is_array($saasParams) || empty($saasParams)) {
$this->b2b_login_error('参数错误');
return false;
}
// 安全修复:使用白名单限制参数键名,防止参数覆盖攻击
$allowedKeys = array('visitor_nick', 'visitor_pwd', 'visitor_role', 'visitor_id', 'top_session', 'server_name');
$sParams = array();
foreach ($saasParams as $param) {
if (strpos($param, '=') === false) {
$key = $param;
$key = trim($param);
$value = '';
} else {
$pos = strpos($param, '=');
$key = substr($param, 0, $pos);
$value = substr($param, $pos + 1, strlen($param) - $pos);
$key = trim(substr($param, 0, $pos));
$value = trim(substr($param, $pos + 1));
}
// 只接受白名单中的参数
if (in_array($key, $allowedKeys)) {
$sParams[$key] = $value;
}
$sParams[$key] = $value;
}
if ($sign != $params['saas_sign']) {
//检验不通过
$this->b2b_login_error('签名错误');
return $this->signErrorReturn($sParams);
} else {
// begin 如果是分销王登录,必须输入帐号和密码
if($params['login_from']=='b2b') {
if (trim($sParams['visitor_nick'])=='' || trim($sParams['visitor_pwd'])=='') {
$this->b2b_login_error('帐号和密码不能为空');
return $this->signErrorReturn($sParams);
}
$sParams['login_from']='b2b';
}
elseif($params['login_from']=='huishang')
{
//[huishang]免登必须输入用户名(密码不会验证有效性,当用户不存在时,会保存密码)
if (trim($sParams['visitor_nick'])=='' || trim($sParams['visitor_pwd'])=='') {
$this->b2b_login_error('免登帐号和密码不能为空');
//die('Error免登帐号和密码不能为空!');
return $this->signErrorReturn($sParams);
}
$sParams['login_from'] = 'huishang';
}
// end
if (is_array($saasParams) && !empty($saasParams)) {
if (abs(time() - $params['saas_ts']) > 86400) {
//检查时间,已经过了有效期
$this->b2b_login_error('登录超时');
return $this->signErrorReturn($sParams);
} else {
if (trim($sParams['server_name']) != trim($_SERVER['SERVER_NAME'])) {
$this->b2b_login_error('网址不匹配');
return $this->signErrorReturn($sParams);
} else {
return $this->realLogin($sParams, $params['type']);
}
}
} else {
if (trim($sParams['server_name']) != trim($_SERVER['SERVER_NAME'])) {
return $this->signErrorReturn($sParams);
} else {
$sParams['visitor_nick'] = 'admin';
return $this->realLogin($sParams, $params['type']);
}
// 安全修复缩短时间戳窗口期从24小时到15分钟900秒
if (abs(time() - intval($params['saas_ts'])) > 900) {
$this->b2b_login_error('登录超时');
return false;
}
// 安全修复:改进域名校验,使用更严格的比较
if (empty($sParams['server_name'])) {
$this->b2b_login_error('参数错误');
return false;
}
$requestServerName = strtolower(trim($_SERVER['SERVER_NAME']));
$paramServerName = strtolower(trim($sParams['server_name']));
// 移除端口号进行比较(如果存在)
$requestServerName = preg_replace('/:\d+$/', '', $requestServerName);
$paramServerName = preg_replace('/:\d+$/', '', $paramServerName);
if ($paramServerName !== $requestServerName) {
$this->b2b_login_error('网址不匹配');
return false;
}
// begin 如果是分销王登录,必须输入帐号和密码
if($params['login_from']=='b2b') {
if (empty($sParams['visitor_nick']) || empty($sParams['visitor_pwd'])) {
$this->b2b_login_error('帐号和密码不能为空');
return false;
}
$sParams['login_from']='b2b';
}
*/
}