Skip to content

Commit

Permalink
Merge pull request theme-next#177 from LEAFERx/master
Browse files Browse the repository at this point in the history
Shorten leancloud counter security docs
  • Loading branch information
LEAFERx authored Mar 16, 2018
2 parents 763162d + 6ba3ce8 commit a3f94bb
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 46 deletions.
22 changes: 3 additions & 19 deletions docs/LEANCLOUD-COUNTER-SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,21 +1,3 @@
The Leancloud visitor counter plugin used in NexT has a big security bug, by which someone could change your visitor number easily and even add/delete records in your database.

This bug is found by [LEAFERx](https://github.com/LEAFERx/) and confirmed by [Ivan.Nginx](https://github.com/ivan-nginx).

- Related issue: [#25](https://github.com/theme-next/hexo-theme-next/issues/25)

- Related pr: [#137](https://github.com/theme-next/hexo-theme-next/pull/137)

- Related plugin: [hexo-leancloud-counter-security](https://github.com/theme-next/hexo-leancloud-counter-security)

This bug could only be fixed manually.

**Warning: All NexT sites using Leancloud visitor counter that are not fixed and other sites integrated this function by similiar ways are considered unsecurity. Please fix it as soon as possible.**

---

For convience, this doc also includes the way to setup the plugin. If you have already done this, skip to *Deploy web engine to avoid your data being changed illegally*.

Before you make the config, please upgrade your NexT version to v6.0.6 or greater.

Please note the difference between **site config file** and **theme config file**
Expand Down Expand Up @@ -187,4 +169,6 @@ Please note the difference between **site config file** and **theme config file*

Now the bug is fixed.

Every time when you run `hexo d`, plugin will scan posts in the `source/_posts` and compare to the database, then add create records for those posts which are not list in the database. This procedure is done locally so that database can only be changed by you.
---

See detailed version here: https://leaferx.online/2018/03/16/lc-security-en/
32 changes: 5 additions & 27 deletions docs/zh-CN/LEANCLOUD-COUNTER-SECURITY.md
Original file line number Diff line number Diff line change
@@ -1,30 +1,4 @@
NexT主题使用的Leancloud访客统计插件存在重大安全漏洞,拥有不良企图的人利用该漏洞可随意更改访客数量或一定程度上增删数据库记录。

该漏洞由[](https://github.com/LEAFERx/)独立发现,并由[Ivan.Nginx](https://github.com/ivan-nginx)确认。

- 有关的issue:[#25](https://github.com/theme-next/hexo-theme-next/issues/25)

- 有关的pr: [#137](https://github.com/theme-next/hexo-theme-next/pull/137)

- 有关的插件:[hexo-leancloud-counter-security](https://github.com/theme-next/hexo-leancloud-counter-security)

经过讨论后,我们认为该漏洞必须由使用者手动修复。本文给出了修复方法。

**注意:所有使用该插件而未经修复的NexT站点或使用类似方法集成Leancloud访客统计功能的站点都被认为是不安全的,请尽快修复。**

---

原文链接:https://leaferx.online/2018/02/11/lc-security/

---

为方便起见,本文将复述从头开始配置Leancloud访客统计插件的过程。

本文部分内容参考自Doublemine的[为NexT主题添加文章阅读量统计功能](https://notes.wanghao.work/2015-10-21-%E4%B8%BANexT%E4%B8%BB%E9%A2%98%E6%B7%BB%E5%8A%A0%E6%96%87%E7%AB%A0%E9%98%85%E8%AF%BB%E9%87%8F%E7%BB%9F%E8%AE%A1%E5%8A%9F%E8%83%BD.html#%E9%85%8D%E7%BD%AELeanCloud)

对于已经完成该部分配置的用户,请自行对照本文步骤进行修复。

在配置前,请升级NexT至**v6.0.5**以上。
在配置前,请升级NexT至**v6.0.6**以上。

在配置过程中请注意**博客配置文件****主题配置文件**的区别。

Expand Down Expand Up @@ -205,3 +179,7 @@ leancloud_visitors:
每次运行`hexo d`部署的时候,插件都会扫描本地`source/_posts`下的文章并与数据库对比,然后在数据库创建没有录入数据库的文章记录。

如果在**博客配置文件**中留空username或password,则在部署过程中程序会要求输入。

---

原文链接:https://leaferx.online/2018/02/11/lc-security/

0 comments on commit a3f94bb

Please sign in to comment.