first commit

var/Widget/Security.php

@@ -0,0 +1,156 @@
+<?php
+
+namespace Widget;
+
+use Typecho\Common;
+use Typecho\Response;
+use Typecho\Widget;
+
+if (!defined('__TYPECHO_ROOT_DIR__')) {
+    exit;
+}
+
+/**
+ * 安全选项组件
+ *
+ * @link typecho
+ * @package Widget
+ * @copyright Copyright (c) 2014 Typecho team (http://typecho.org)
+ * @license GNU General Public License 2.0
+ */
+class Security extends Base
+{
+    /**
+     * @var string
+     */
+    private string $token;
+
+    /**
+     * @var boolean
+     */
+    private bool $enabled = true;
+
+    /**
+     * @param int $components
+     */
+    public function initComponents(int &$components)
+    {
+        $components = self::INIT_OPTIONS | self::INIT_USER;
+    }
+
+    /**
+     * 初始化函数
+     */
+    public function execute()
+    {
+        $this->token = $this->options->secret;
+        if ($this->user->hasLogin()) {
+            $this->token .= '&' . $this->user->authCode . '&' . $this->user->uid;
+        }
+    }
+
+    /**
+     * @param bool $enabled
+     */
+    public function enable(bool $enabled = true)
+    {
+        $this->enabled = $enabled;
+    }
+
+    /**
+     * 保护提交数据
+     */
+    public function protect()
+    {
+        if ($this->enabled && $this->request->get('_') != $this->getToken($this->request->getReferer())) {
+            $this->response->goBack();
+        }
+    }
+
+    /**
+     * 获取token
+     *
+     * @param string|null $suffix 后缀
+     * @return string
+     */
+    public function getToken(?string $suffix): string
+    {
+        return md5($this->token . '&' . $suffix);
+    }
+
+    /**
+     * 获取绝对路由路径
+     *
+     * @param string|null $path
+     * @return string
+     */
+    public function getRootUrl(?string $path): string
+    {
+        return Common::url($this->getTokenUrl($path), $this->options->rootUrl);
+    }
+
+    /**
+     * 生成带token的路径
+     *
+     * @param $path
+     * @param string|null $url
+     * @return string
+     */
+    public function getTokenUrl($path, ?string $url = null): string
+    {
+        $parts = parse_url($path);
+        $params = [];
+
+        if (!empty($parts['query'])) {
+            parse_str($parts['query'], $params);
+        }
+
+        $params['_'] = $this->getToken($url ?: $this->request->getRequestUrl());
+        $parts['query'] = http_build_query($params);
+
+        return Common::buildUrl($parts);
+    }
+
+    /**
+     * 输出后台安全路径
+     *
+     * @param $path
+     */
+    public function adminUrl($path)
+    {
+        echo $this->getAdminUrl($path);
+    }
+
+    /**
+     * 获取安全的后台路径
+     *
+     * @param string $path
+     * @return string
+     */
+    public function getAdminUrl(string $path): string
+    {
+        return Common::url($this->getTokenUrl($path), $this->options->adminUrl);
+    }
+
+    /**
+     * 输出安全的路由路径
+     *
+     * @param $path
+     */
+    public function index($path)
+    {
+        echo $this->getIndex($path);
+    }
+
+    /**
+     * 获取安全的路由路径
+     *
+     * @param $path
+     * @return string
+     */
+    public function getIndex($path): string
+    {
+        return Common::url($this->getTokenUrl($path), $this->options->index);
+    }
+}
+