From 89cc4be4290527aeb7d502bab510aa6fad41abd3 Mon Sep 17 00:00:00 2001
From: AthBe1337
Date: Thu, 24 Jul 2025 16:49:10 +0800
Subject: [PATCH 1/4] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E8=AF=84=E8=AE=BA?=
 =?UTF-8?q?=E5=8C=BAQQ=E5=A4=B4=E5=83=8F=E6=98=BE=E7=A4=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 functions.php | 30 ++++++++++++++++++++++--------
 inc/classes/QQ.php | 14 ++++++++------
 opt/options/theme-options.php | 8 ++++++++
 3 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/functions.php b/functions.php
index 4802dd853..5e5cfce11 100644
--- a/functions.php
+++ b/functions.php
@@ -2305,19 +2305,17 @@ function change_avatar($avatar)
 preg_match('/:\"([^\"]*)\"/i', $qqavatar, $matches);
 return '😀';
 }
-
+
 // Ensure $sakura_privkey is defined and not null
 if (isset($sakura_privkey) && !is_null($sakura_privkey)) {
- // 生成一个合适长度的初始化向量
- $iv_length = openssl_cipher_iv_length('aes-128-cbc');
- $iv = openssl_random_pseudo_bytes($iv_length);
-
+ $iv = substr(md5($sakura_privkey), 0, 16);
+
 // 加密数据
 $encrypted = openssl_encrypt($qq_number, 'aes-128-cbc', $sakura_privkey, 0, $iv);
-
+
 // 将初始化向量和加密数据一起编码
 $encrypted = urlencode(base64_encode($iv . $encrypted));
-
+
 return '😀';
 } else {
 // Handle the case where $sakura_privkey is not set or is null
@@ -2326,7 +2324,6 @@ function change_avatar($avatar)
 }
 return $avatar;
 }
-
 //生成随机链接,防止浏览器缓存策略
 function get_random_url(string $url): string
 {
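Review bot: The new IV line `$iv = substr(md5($sakura_privkey), 0, 16);` derives the IV from the secret key and then ships it inside the token (`base64_encode($iv . $encrypted)` a few lines below), so every avatar link exposes the first 16 hex characters of md5(key), and equal QQ numbers always yield identical tokens. The random IV this hunk removes was the correct design, and because the decrypt side in inc/classes/QQ.php now reads the IV from the first 16 bytes of the token, it can simply be restored: `$iv = random_bytes(openssl_cipher_iv_length('aes-128-cbc'));`. Both a raw 16-byte IV and the 16 hex characters from md5() are 16 bytes long, so the decryptor's `substr($decoded, 0, 16)` lines up either way. change_avatar() begins before this hunk, so where `$qq_number` and `$sakura_privkey` come from is not visible here.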
@@ -4212,3 +4209,20 @@ function iro_action_operator()
 }
 }
 iro_action_operator();
+
+
+/* * 检查并生成加密密钥
+ * 如果不存在,则生成一个新的256位密钥并存储在选项中
+ */
+// 检查密钥是否存在,如果不存在则生成并存储
+if (!get_option('sakura_encryption_key')) {
+ // 生成一个安全的 256-bit (32字节) 密钥
+ $new_key = bin2hex(random_bytes(32)); // 或者使用 openssl_random_pseudo_bytes(32)
+ update_option('sakura_encryption_key', $new_key, false); // 'false' 表示不自动加载
+}
+
+// 在 init 钩子中设置全局变量
+add_action('init', function() {
+ global $sakura_privkey;
+ $sakura_privkey = get_option('sakura_encryption_key');
+});
diff --git a/inc/classes/QQ.php b/inc/classes/QQ.php
index 6f235f394..ee3660b88 100644
--- a/inc/classes/QQ.php
+++ b/inc/classes/QQ.php
@@ -5,7 +5,7 @@ class QQ {
 public static function get_qq_info($qq) {
- $get_info = file_get_contents('https://api.qjqq.cn/api/qqinfo?qq=' . $qq);
+ $get_info = file_get_contents('https://api.nsmao.net/api/qq/v1/query?key=' . iro_opt('qq_avatar_api_key') . '&qq=' . $qq);
 $name = json_decode($get_info, true);
 if ($name) {
 if ($name['code'] == 200){
@@ -13,8 +13,8 @@ public static function get_qq_info($qq) {
 'status' => 200,
 'success' => true,
 'message' => 'success',
- 'avatar' => 'https://q2.qlogo.cn/headimg_dl?dst_uin=' . $qq . '&spec=100',
- 'name' => $name['name'],
+ 'avatar' => $name['data']['avatar'],
+ 'name' => $name['data']['name'],
 );
 }
 } else {
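Review bot: The key written by `$new_key = bin2hex(random_bytes(32));` is a hex text string, yet both `openssl_encrypt()` in change_avatar() and `openssl_decrypt()` in inc/classes/QQ.php pass it straight through as the `aes-128-cbc` key, and PHP silently truncates an over-long passphrase to the cipher's 16 bytes; those are 16 hex characters, i.e. about 64 bits of entropy rather than the 256 bits this comment claims (or the 128 bits claimed after PATCH 4 of this series, which has the same issue). Store the random bytes in a form that is decoded before use, e.g. `$new_key = base64_encode(random_bytes(16));` here and `base64_decode($sakura_privkey)` (or `hex2bin()` if hex is kept) at both openssl call sites, keeping in mind that changing the key format invalidates tokens already issued. Two first requests racing through the `!get_option()` check could each persist a different key; using `add_option()`, which refuses to overwrite an existing value, closes that window. The opener `/* * 检查并生成加密密钥` looks like a mangled `/**` docblock and should be split onto two lines.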
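Review bot: `file_get_contents()` on the new query URL returns `false` on any network or HTTP failure and emits a warning that includes the full URL, so the API key read from `iro_opt('qq_avatar_api_key')` lands in the PHP error log every time the upstream call fails; the rewritten `file_get_contents($url)` in PATCH 3 of this series has the same property. Prefer `wp_remote_get()` with an explicit timeout and an `is_wp_error()` check, or at minimum test the return value against `false` before handing it to `json_decode()`, so that failures are reported without echoing the request. `json_decode(false, true)` happens to return null and is caught by `if ($name)`, which is why the failure is currently silent rather than fatal.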
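Review bot: `'avatar' => $name['data']['avatar']` and the `name` line below it now forward whatever the third-party response contains, with no check that `data` is present or that the avatar value is an https URL, whereas the removed line built the URL locally from a fixed host. If the returned avatar string is later rendered into markup (presumably an `<img src>`, not visible in this hunk), a malformed or hostile upstream response becomes an injection point; validate before returning, e.g. `if (!isset($name['data']['avatar']) || !filter_var($name['data']['avatar'], FILTER_VALIDATE_URL)) { return array('status' => 502, 'success' => false, 'message' => 'Invalid avatar response.'); }` (constructed sample shape, matching the 400 array in PATCH 3), and pass the value through `esc_url_raw()`. A missing `data` key otherwise only produces an "Undefined array key" warning and a null avatar.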
@@ -30,9 +30,11 @@ public static function get_qq_info($qq) {
 public static function get_qq_avatar($encrypted) {
 global $sakura_privkey;
 if (isset($encrypted)) {
- $iv = str_repeat($sakura_privkey, 2);
- $encrypted = base64_decode(urldecode($encrypted));
- $qq_number = openssl_decrypt($encrypted, 'aes-128-cbc', $sakura_privkey, 0, $iv);
+ $decoded = base64_decode(urldecode($encrypted));
+ $iv = substr($decoded, 0, 16); // 提取前16字节作为IV
+ $data = substr($decoded, 16); // 剩余是加密数据
+ $qq_number = openssl_decrypt($data, 'aes-128-cbc', $sakura_privkey, 0, $iv);
+
 preg_match('/^\d{3,}$/', $qq_number, $matches);
 return 'https://q2.qlogo.cn/headimg_dl?dst_uin=' . $matches[0] . '&spec=100';
 }
diff --git a/opt/options/theme-options.php b/opt/options/theme-options.php
index 007062fdf..110a92032 100644
--- a/opt/options/theme-options.php
+++ b/opt/options/theme-options.php
@@ -3158,6 +3158,14 @@ function iro_validate_optional_url( $value ) {
 'default' => true
 ),
+ array(
+ 'id' => 'qq_avatar_api_key',
+ 'type' => 'text',
+ 'title' => __('QQ Avatar API Key','sakurairo_csf'),
+ 'desc' => __('Enter your API key for QQ avatar service, get your API key at: https://api.nsmao.net','sakurairo_csf','sakurairo_csf'),
+ 'default' => ''
+ ),
+
 array(
 'id' => 'qq_avatar_link',
 'type' => 'select',
From 40ae44bef16c7a6ab5e0bb981cf4c0e519d43240 Mon Sep 17 00:00:00 2001
From: AthBe1337 <2448981792@qq.com>
Date: Sun, 3 Aug 2025 20:13:55 +0800
Subject: [PATCH 2/4] Update opt/options/theme-options.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 opt/options/theme-options.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/opt/options/theme-options.php b/opt/options/theme-options.php
index 110a92032..c8203e3a3 100644
--- a/opt/options/theme-options.php
+++ b/opt/options/theme-options.php
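Review bot: The four added lines never check their inputs even though `$encrypted` arrives from a URL: `base64_decode()` runs non-strict, `$decoded` may be shorter than 16 bytes, `openssl_decrypt()` returns `false` on a bad block or padding, and when the context `preg_match()` then fails `$matches[0]` is undefined, so the function returns an avatar URL with an empty `dst_uin` plus a warning. Fail closed instead: decode strictly, check the length, and only build the URL when `$qq_number` is a string matching the pattern, as sketched below. Because AES-CBC here carries no integrity tag, any edited token still reaches `openssl_decrypt()`; an authenticated mode such as `aes-128-gcm` with the tag stored in the token would remove that surface, at the cost of reissuing tokens. get_qq_avatar() continues past the end of this hunk, so the value returned on failure should match whatever the no-token path returns there.
```php
if (isset($encrypted)) {
    $decoded = base64_decode(urldecode($encrypted), true);
    if ($decoded === false || strlen($decoded) <= 16) {
        return ''; // placeholder: use the same fallback as the no-token path below this hunk
    }
    $iv = substr($decoded, 0, 16);
    $data = substr($decoded, 16);
    $qq_number = openssl_decrypt($data, 'aes-128-cbc', $sakura_privkey, 0, $iv);
    if ($qq_number === false || !preg_match('/^\d{3,}\z/', $qq_number, $matches)) {
        return ''; // placeholder: same fallback as above
    }
    return 'https://q2.qlogo.cn/headimg_dl?dst_uin=' . $matches[0] . '&spec=100';
}
```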
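Review bot: The new `qq_avatar_api_key` option is declared with `'type' => 'text'`, so the secret is echoed back into the settings page as plain text and stored as an ordinary theme option next to non-sensitive settings. If the options framework used here provides a password-style field type, use it for this key so the value is masked in the admin UI; otherwise at least note in `desc` that the value is a secret and should not be shared. Where the key is consumed (inc/classes/QQ.php) it is placed in a GET query string, which the `desc` text could also mention so administrators know the upstream service will see it in its request logs.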
@@ -3162,7 +3162,7 @@ function iro_validate_optional_url( $value ) {
 'id' => 'qq_avatar_api_key',
 'type' => 'text',
 'title' => __('QQ Avatar API Key','sakurairo_csf'),
- 'desc' => __('Enter your API key for QQ avatar service, get your API key at: https://api.nsmao.net','sakurairo_csf','sakurairo_csf'),
+ 'desc' => __('Enter your API key for QQ avatar service, get your API key at: https://api.nsmao.net','sakurairo_csf'),
 'default' => ''
 ),
From 3815d08c30029da1e2e6f781b960fb4a5033ad9c Mon Sep 17 00:00:00 2001
From: AthBe1337 <2448981792@qq.com>
Date: Sun, 3 Aug 2025 20:14:03 +0800
Subject: [PATCH 3/4] Update inc/classes/QQ.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 inc/classes/QQ.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/inc/classes/QQ.php b/inc/classes/QQ.php
index ee3660b88..aaa11f1ae 100644
--- a/inc/classes/QQ.php
+++ b/inc/classes/QQ.php
@@ -5,7 +5,21 @@ class QQ {
 public static function get_qq_info($qq) {
- $get_info = file_get_contents('https://api.nsmao.net/api/qq/v1/query?key=' . iro_opt('qq_avatar_api_key') . '&qq=' . $qq);
+ // Validate QQ number: must be 3 or more digits
+ if (!preg_match('/^\d{3,}$/', $qq)) {
+ return array(
+ 'status' => 400,
+ 'success' => false,
+ 'message' => 'Invalid QQ number.'
+ );
+ }
+ $api_key = iro_opt('qq_avatar_api_key');
+ $query = http_build_query([
+ 'key' => $api_key,
+ 'qq' => $qq
+ ]);
+ $url = 'https://api.nsmao.net/api/qq/v1/query?' . $query;
+ $get_info = file_get_contents($url);
 $name = json_decode($get_info, true);
 if ($name) {
 if ($name['code'] == 200){
From 3b08f8b1e28389c00c2d44b7b6216f89fb784d56 Mon Sep 17 00:00:00 2001
From: AthBe1337 <2448981792@qq.com>
Date: Sun, 3 Aug 2025 20:14:12 +0800
Subject: [PATCH 4/4] Update functions.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 functions.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
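Review bot: The validation added at the top of get_qq_info() anchors with `$`, which in PCRE also matches just before a trailing newline, so a value such as `"12345\n"` passes the check and is sent upstream (encoded by `http_build_query()`); `'/^\d{3,}\z/'` or the `D` modifier closes that gap. The request is also issued even when `$api_key` is an empty string, the option's default, which can only produce a failed upstream call; returning early, `if ($api_key === '') { return array('status' => 400, 'success' => false, 'message' => 'QQ avatar API key not configured.'); }` (constructed sample message), saves the round trip and gives administrators a clear signal. The `false` return of `file_get_contents($url)` remains unchecked here, as raised on the PATCH 1 hunk of this file. get_qq_info() continues past the end of this hunk.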
diff --git a/functions.php b/functions.php
index 5e5cfce11..905d8ecc7 100644
--- a/functions.php
+++ b/functions.php
@@ -4216,8 +4216,8 @@ function iro_action_operator()
 */
 // 检查密钥是否存在,如果不存在则生成并存储
 if (!get_option('sakura_encryption_key')) {
- // 生成一个安全的 256-bit (32字节) 密钥
- $new_key = bin2hex(random_bytes(32)); // 或者使用 openssl_random_pseudo_bytes(32)
+ // 生成一个安全的 128-bit (16字节) 密钥,适用于 AES-128-CBC
+ $new_key = bin2hex(random_bytes(16)); // 或者使用 openssl_random_pseudo_bytes(16)
 update_option('sakura_encryption_key', $new_key, false); // 'false' 表示不自动加载
 }