修复从Boom Hack检测中找到的对服务器访问限制的安全问题

This commit is contained in:
Frederick Chen 2024-07-31 23:54:58 +08:00
parent 8d9085683a
commit 19d37e4aea


@ -14,7 +14,7 @@ class PyChattingServer:
self.__msg_handler = ChattingHandler() self.__msg_handler = ChattingHandler()
def start_session(self): def start_session(self):
print('已经上线,用户可通过IP进入\r\n') print('已经上线,用户可通过客户端输入IP进入\r\n')
input_thread_handler = threading.Thread(target=self.input_thread) input_thread_handler = threading.Thread(target=self.input_thread)
input_thread_handler.daemon = True input_thread_handler.daemon = True
input_thread_handler.start() input_thread_handler.start()
@ -123,8 +123,9 @@ class ChattingHandler:
self.__user_name_to_socket.pop(self.__socket_to_user_name[cs]) self.__user_name_to_socket.pop(self.__socket_to_user_name[cs])
self.__socket_to_user_name.pop(cs) self.__socket_to_user_name.pop(cs)
self.__user_name_to_broadcast_state.pop(nickname) self.__user_name_to_broadcast_state.pop(nickname)
nickname += " " nickname += " 离开了本聊天室"
self.broadcast_系统消息_msg(nickname + "离开了本聊天室") if nickname != "SOMEONE": # 说明是正常退出,一个防输出卡死机制,来自 boom hack 0x3299f
self.broadcast_system_msg(nickname)
def handle_msg(self, msg, cs): def handle_msg(self, msg, cs):
js = json.loads(msg) js = json.loads(msg)
@ -237,6 +238,8 @@ class ChattingHandler:
def broadcast(self, msg, cs): def broadcast(self, msg, cs):
data = '[ %s ]\r\n[%s] : %s\r\n' % (ctime(), self.__socket_to_user_name[cs], msg) data = '[ %s ]\r\n[%s] : %s\r\n' % (ctime(), self.__socket_to_user_name[cs], msg)
if '' in data: # 屏蔽卡死服务器的字符,所有 Contributors 请不要更改这条判断,否则 PR 将直接拒绝合并,本安全措施来自 来自 boom hack 0x3657f
data = '[ %s ]\r\n[ 系统警告 - %s ] : %s\r\n' % (ctime(), self.__socket_to_user_name[cs], '{用户发送的内容可能包含卡死服务器的内容,已经被屏蔽显示}')
js = json.dumps({ js = json.dumps({
'type': 'broadcast', 'type': 'broadcast',
'msg': data 'msg': data
@ -277,11 +280,20 @@ class ChattingHandler:
elif ip == '.an': elif ip == '.an':
user = input("请输入要发布的内容:") user = input("请输入要发布的内容:")
self.broadcast_system_msg(user) self.broadcast_system_msg(user)
print("发布成功")
elif ip == '.online': elif ip == '.online':
login_list = "[ 输出 ] 在线用户 : " login_list = "[ 输出 ] 在线用户 : "
for key in self.__socket_to_user_name: for key in self.__socket_to_user_name:
login_list += self.__socket_to_user_name[key] + ' | ' login_list += self.__socket_to_user_name[key] + ' | '
print(login_list) print(login_list)
elif ip == '.setvisit': # 一个防输出卡死的屏蔽功能,目前仅支持手动添加,来自 boom hack 0x3299f
ip = input("请输入限制访问信息的ip地址")
if not self.is_alisted(ip):
self.__alist.add(ip)
print(f"IP {ip} 已经被手动更改访问")
else:
self.__alist.remove(ip)
print(f"IP {ip} 已经被手动更改访问")
elif ip == '.help': elif ip == '.help':
print("BAN: 封禁某个IP\r\n"\ print("BAN: 封禁某个IP\r\n"\
"UNBAN: 解除封禁某个IP\r\n"\ "UNBAN: 解除封禁某个IP\r\n"\
@ -289,6 +301,7 @@ class ChattingHandler:
"KICK: 踢出某个用户\r\n"\ "KICK: 踢出某个用户\r\n"\
"AN: 以系统身份发布消息\r\n"\ "AN: 以系统身份发布消息\r\n"\
"ONELINE: 查看在线用户\r\n"\ "ONELINE: 查看在线用户\r\n"\
"SETVISIT: 对用户访问进行操作\r\n"\
"HELP: 查看操作帮助") "HELP: 查看操作帮助")
else: else:
print("不存在的命令!") print("不存在的命令!")
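Review bot: The guard `if '' in data:` in the broadcast hunk is, as this page renders it, a membership test for the empty string, which is true for every string, so every broadcast would be replaced by the 系统警告 line; if the literal really holds a non-printing character that the page does not show, the control still hangs on one invisible byte that an editor or copy-paste can drop without anyone noticing, which the "do not change this line" comment suggests is already a worry. The replacement text on the next line also re-inserts `self.__socket_to_user_name[cs]`, so a nickname that contains the blocked character is still sent to every client. Keep the code point(s) in a named constant written as an escape, `BLOCKED_CHARS = frozenset({"\uXXXX"})` with the real value, and test the user-supplied `msg` (and the nickname when it is registered) rather than the already-formatted `data`: `if any(ch in BLOCKED_CHARS for ch in msg):`. A one-character denylist also passes every other control or format character and any message length; rejecting `unicodedata.category(ch) in ("Cc", "Cf")` for characters outside `\r\n`, and capping `len(msg)`, closes the rest of that class of console-stalling input. The `broadcast` method continues past the end of that hunk.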