
Suggest changing the constructor to use validateSignature to decide whether a message is legitimate, so that once the endpoint URL is exposed it cannot be abused to submit invalid message data. #2

Closed
leosee opened this issue May 20, 2013 · 2 comments

@leosee

leosee commented May 20, 2013

    public function __construct($token, $debug = FALSE) {
        // Check the signature on every request, not only on the URL-verification GET
        if ($this->validateSignature($token)) {
            if ($this->isValid()) {
                exit($_GET['echostr']);
            }

            $this->debug = $debug;
            // Install the error handler, so errors are shown as a text-message reply
            set_error_handler(array(&$this, 'errorHandler'));

            // Note: $HTTP_RAW_POST_DATA was removed in PHP 7; file_get_contents('php://input') is the equivalent
            $xml = (array) simplexml_load_string($GLOBALS['HTTP_RAW_POST_DATA'], 'SimpleXMLElement', LIBXML_NOCDATA);

            // Lower-case the array keys for robustness, to avoid problems caused by differing case
            $this->request = array_change_key_case($xml, CASE_LOWER);
        }
    }
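The check proposed above, written out as a stand-alone example (added here, not the SDK's own code): the WeChat signature is sha1 of the token, timestamp and nonce sorted and concatenated, and it must be verified on the one-time GET URL verification and on every POST message push before the body is parsed. The token value, the request values and the function names are constructed for the example.

```php
<?php
// Returns true when the signature query parameters were produced with our token.
// WeChat computes signature = sha1(sort([token, timestamp, nonce]) joined without separator).
function wechat_signature_is_valid(string $token, array $query): bool
{
    foreach (['signature', 'timestamp', 'nonce'] as $key) {
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return false;            // missing or malformed parameter: reject
        }
    }
    $parts = [$token, $query['timestamp'], $query['nonce']];
    sort($parts, SORT_STRING);       // dictionary order, as the WeChat docs specify
    $expected = sha1(implode('', $parts));
    // Constant-time comparison so the signature cannot be guessed byte by byte
    return hash_equals($expected, strtolower($query['signature']));
}

// Request entry point: reject anything unsigned before touching the body.
// Returns the response body instead of echoing it, so it can be tested.
function handle_wechat_request(string $token, string $method, array $query, string $rawBody): string
{
    if (!wechat_signature_is_valid($token, $query)) {
        http_response_code(403);
        return '';                   // unsigned request: neither parsed nor answered
    }
    if ($method === 'GET') {
        // URL verification: echo echostr back only after the signature checked out
        return isset($query['echostr']) ? (string) $query['echostr'] : '';
    }
    // Message push: parse the XML body now; LIBXML_NONET blocks network fetches by the parser
    $xml = simplexml_load_string($rawBody, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
    if ($xml === false) {
        http_response_code(400);
        return '';
    }
    $msg = array_change_key_case((array) $xml, CASE_LOWER);   // hand $msg to the message router
    return 'success';                // WeChat accepts "success" when no reply is needed
}

// Constructed demo: a correctly signed URL-verification request for token 'demo-token'
$token = 'demo-token';
$timestamp = '1369036800';
$nonce = 'abc123';
$parts = [$token, $timestamp, $nonce];
sort($parts, SORT_STRING);
$query = ['signature' => sha1(implode('', $parts)), 'timestamp' => $timestamp,
          'nonce' => $nonce, 'echostr' => 'hello'];
var_dump(handle_wechat_request($token, 'GET', $query, ''));
// The same request with a forged signature is refused
$query['signature'] = str_repeat('0', 40);
var_dump(handle_wechat_request($token, 'GET', $query, ''));
```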

@netputer (Owner)

So the signature has to be verified not only during URL verification but on every POST request. Thanks for the reminder.

@milkytsu

I was just about to ask whether the signature has to be checked on every received message even after verification has passed. It turns out it really does, so I need to change my own code too. Thanks!
