bug

web/index.html

@@ -15,4 +15,4 @@
       'server': window.location.protocol + '//' + window.location.host + window.location.pathname + '../server/index.php?s=',
       // "lang" :'en'
       'lang': 'zh-cn'
-}</script><link href=./static/css/app.802854fe34ede925b040b29916b3ccff.css rel=stylesheet></head><body class=grey-bg><div id=app></div><div style=display:none>本网站基于开源版showdoc搭建，仅供私人使用。如需访问showdoc官网，请在搜索引擎里搜索showdoc字样或者直接访问showdoc.com.cn</div><script type=text/javascript src=./static/js/manifest.3ad1d5771e9b13dbdad2.js></script><script type=text/javascript src=./static/js/vendor.1eb6213d11eb61d1bd46.js></script><script type=text/javascript src=./static/js/app.094d08313226972d1cce.js></script></body></html>
+}</script><link href=./static/css/app.882bda896a14484e3891ab92634f8f81.css rel=stylesheet></head><body class=grey-bg><div id=app></div><div style=display:none>本网站基于开源版showdoc搭建，仅供私人使用。如需访问showdoc官网，请在搜索引擎里搜索showdoc字样或者直接访问showdoc.com.cn</div><script type=text/javascript src=./static/js/manifest.3ad1d5771e9b13dbdad2.js></script><script type=text/javascript src=./static/js/vendor.1eb6213d11eb61d1bd46.js></script><script type=text/javascript src=./static/js/app.87e49745423b95b50fe1.js></script></body></html>

web_src/src/components/user/Login.vue

@@ -87,8 +87,9 @@ export default {
       }
       // 对redirect参数进行校验，以防止钓鱼跳转
       if (this.$route.query.redirect) {
-        // 如果含有点号，则应该为绝对地址。此时禁止。
-        if (this.$route.query.redirect.indexOf('.') > -1) {
+        let redirect = decodeURIComponent(this.$route.query.redirect)
+        if (redirect.search(/[^A-Za-z0-9/:\?\._\*\+\-]+.*/i) > -1) {
+          this.$alert('illegal redirect')
           return false
         }
       }
@@ -156,8 +157,9 @@ export default {
     var that = this
     // 对redirect参数进行校验，以防止钓鱼跳转
     if (this.$route.query.redirect) {
-      // 如果含有点号，则应该为绝对地址。此时禁止。
-      if (this.$route.query.redirect.indexOf('.') > -1) {
+      let redirect = decodeURIComponent(this.$route.query.redirect)
+      if (redirect.search(/[^A-Za-z0-9/:\?\._\*\+\-]+.*/i) > -1) {
+        this.$alert('illegal redirect')
         return false
       }
     }

web_src/src/http.js

@@ -19,24 +19,33 @@ axios.interceptors.request.use(
   },
   err => {
     return Promise.reject(err)
-  })
+  }
+)
 
 // http response 拦截器
 axios.interceptors.response.use(
   response => {
-    if (response.config.data && response.config.data.indexOf('redirect_login=false') > -1) {
+    if (
+      response.config.data &&
+      response.config.data.indexOf('redirect_login=false') > -1
+    ) {
       // 不跳转到登录
     } else if (response.data.error_code === 10102) {
+      var redirect = router.currentRoute.fullPath.repeat(1)
+      if (redirect.indexOf('redirect=') > -1) {
+        return false
+      }
       router.replace({
         path: '/user/login',
-        query: { redirect: router.currentRoute.fullPath }
+        query: { redirect: redirect }
       })
     }
     return response
   },
   error => {
     // console.log(JSON.stringify(error));//console : Error: Request failed with status code 402
     return Promise.reject(error.response)
-  })
+  }
+)
 
 export default axios

web_src/src/request.js

@@ -2,55 +2,59 @@
  *
  */
 
-import axios from "@/http";
-import router from "@/router/index";
-import { MessageBox } from "element-ui";
+import axios from '@/http'
+import router from '@/router/index'
+import { MessageBox } from 'element-ui'
 
-const request = (path, data, method = "post", msgAlert = true) => {
-  var params = new URLSearchParams(data);
-  let url = DocConfig.server + path;
+const request = (path, data, method = 'post', msgAlert = true) => {
+  var params = new URLSearchParams(data)
+  let url = DocConfig.server + path
   return new Promise((resolve, reject) => {
     axios({
       url: url,
       method: method,
       data: params,
       headers: {
-        "Content-Type": "application/x-www-form-urlencoded"
+        'Content-Type': 'application/x-www-form-urlencoded'
       }
     })
       .then(
         response => {
           //超时登录
           if (
             response.data.error_code === 10102 &&
-            response.config.data.indexOf("redirect_login=false") === -1
+            response.config.data.indexOf('redirect_login=false') === -1
           ) {
+            var redirect = router.currentRoute.fullPath.repeat(1)
+            if (redirect.indexOf('redirect=') > -1) {
+              return false
+            }
             router.replace({
-              path: "/user/login",
-              query: { redirect: router.currentRoute.fullPath }
-            });
-            reject(new Error("登录态无效"));
+              path: '/user/login',
+              query: { redirect: redirect }
+            })
+            reject(new Error('登录态无效'))
           }
 
           if (msgAlert && response.data && response.data.error_code !== 0) {
-            MessageBox.alert(response.data.error_message);
-            return reject(new Error("业务级别的错误"));
+            MessageBox.alert(response.data.error_message)
+            return reject(new Error('业务级别的错误'))
           }
           //上面没有return的话，最后返回这个
-          resolve(response.data);
+          resolve(response.data)
         },
         err => {
           if (err.Cancel) {
-            console.log(err);
+            console.log(err)
           } else {
-            reject(err);
+            reject(err)
           }
         }
       )
       .catch(err => {
-        reject(err);
-      });
-  });
-};
+        reject(err)
+      })
+  })
+}
 
-export default request;
+export default request