#40

面板安全入口问题【修复👌】

route/__init__.py

@@ -177,20 +177,6 @@ def checkLogin():
     return "false"
 
 
-@app.route("/login")
-def login():
-    dologin = request.args.get('dologin', '')
-    if dologin == 'True':
-        session.clear()
-        session['login'] = False
-        session['overdue'] = 0
-        return redirect('/login')
-
-    if isLogined():
-        return redirect('/')
-    return render_template('login.html')
-
-
 @app.route("/do_login", methods=['POST'])
 def doLogin():
     username = request.form.get('username', '').strip()
@@ -251,30 +237,77 @@ def page_unauthorized(error):
     return render_template_string('404 not found', error_info=error), 404
 
 
+def get_admin_safe():
+    path = 'data/admin_path.pl'
+    if os.path.exists(path):
+        cont = mw.readFile(path)
+        cont = cont.strip().strip('/')
+        return (True, cont)
+    return (False, '')
+
+
+def admin_safe_path(path, req, data):
+    if path != req and not isLogined():
+        return render_template('path.html')
+
+    if not isLogined():
+        return render_template('login.html', data=data)
+
+    return render_template(req + '.html', data=data)
+
+
 @app.route('/<reqClass>/<reqAction>', methods=['POST', 'GET'])
 @app.route('/<reqClass>/', methods=['POST', 'GET'])
 @app.route('/<reqClass>', methods=['POST', 'GET'])
 @app.route('/', methods=['POST', 'GET'])
 def index(reqClass=None, reqAction=None, reqData=None):
+
     comReturn = common.local()
     if comReturn:
         return comReturn
 
-    if (reqClass == None):
-        reqClass = 'index'
-    pageFile = ('config', 'control', 'crontab', 'files', 'firewall',
-                'index', 'plugins', 'login', 'system', 'site', 'ssl', 'task', 'soft')
-    if not reqClass in pageFile:
-        return redirect('/')
-
+    # 页面请求
     if reqAction == None:
+        import config_api
+        data = config_api.config_api().get()
+
+        if reqClass == None:
+            reqClass = 'index'
+
+        pageFile = ('config', 'control', 'crontab', 'files', 'firewall',
+                    'index', 'plugins', 'login', 'system', 'site', 'ssl', 'task', 'soft')
+
+        # 设置了安全路径
+        ainfo = get_admin_safe()
+
+        # 登录页
+        if reqClass == 'login':
+            dologin = request.args.get('dologin', '')
+            if dologin == 'True':
+                session.clear()
+                session['login'] = False
+                session['overdue'] = 0
+
+            if ainfo[0]:
+                return admin_safe_path(ainfo[1], reqClass, data)
+
+            return render_template('login.html', data=data)
+
+        if ainfo[0]:
+            return admin_safe_path(ainfo[1], reqClass, data)
+
+        if not reqClass in pageFile:
+            return redirect('/')
+
         if not isLogined():
             return redirect('/login')
 
-        import config_api
-        data = config_api.config_api().get()
         return render_template(reqClass + '.html', data=data)
 
+    if not isLogined():
+        return 'request error!'
+
+    # API请求
     classFile = ('config_api', 'crontab_api', 'files_api', 'firewall_api',
                  'plugins_api', 'system_api', 'site_api', 'task_api')
     className = reqClass + '_api'
@@ -286,6 +319,7 @@ def index(reqClass=None, reqAction=None, reqData=None):
 
     return publicObject(newInstance, reqAction)
 
+
 ssh = None
 shell = None
 try:

route/templates/default/path.html

@@ -0,0 +1,16 @@
+
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <title>安全入口校验失败</title>
+</head>
+<body>
+    <h1>请使用正确的入口登录面板</h1>
+    <p><b>错误原因：</b>当前新安装的已经开启了安全入口登录，新装机器都会随机一个8位字符的安全入口名称，亦可以在面板设置处修改，如您没记录或不记得了，可以使用以下方式解决</p>
+    <p><b>解决方法：</b>在SSH终端输入以下一种命令来解决</p>
+    <p>1.查看面板入口：/etc/init.d/mw default</p>
+    <p>2.关闭安全入口：rm -f /www/server/panel/data/admin_path.pl</p>
+    <p style="color:red;">注意：【关闭安全入口】将使您的面板登录地址被直接暴露在互联网上，非常危险，请谨慎操作</p>
+</body>
+</html>