Fixed ==> 漏洞修复

Other/Products/Debug/QQPlugin.framework/Resources/Info.plist

@@ -3,7 +3,7 @@
 <plist version="1.0">
 <dict>
 	<key>BuildMachineOSBuild</key>
-	<string>17E199</string>
+	<string>18A391</string>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>en</string>
 	<key>CFBundleExecutable</key>
@@ -17,7 +17,7 @@
 	<key>CFBundlePackageType</key>
 	<string>FMWK</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.1</string>
+	<string>1.2</string>
 	<key>CFBundleSupportedPlatforms</key>
 	<array>
 		<string>MacOSX</string>
@@ -27,17 +27,17 @@
 	<key>DTCompiler</key>
 	<string>com.apple.compilers.llvm.clang.1_0</string>
 	<key>DTPlatformBuild</key>
-	<string>9E145</string>
+	<string>10A255</string>
 	<key>DTPlatformVersion</key>
 	<string>GM</string>
 	<key>DTSDKBuild</key>
-	<string>17E189</string>
+	<string>18A384</string>
 	<key>DTSDKName</key>
-	<string>macosx10.13</string>
+	<string>macosx10.14</string>
 	<key>DTXcode</key>
-	<string>0930</string>
+	<string>1000</string>
 	<key>DTXcodeBuild</key>
-	<string>9E145</string>
+	<string>10A255</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>Copyright © 2018年 TK. All rights reserved.</string>
 </dict>

Other/Products/Debug/QQPlugin.framework/Versions/A/Resources/Info.plist

@@ -3,7 +3,7 @@
 <plist version="1.0">
 <dict>
 	<key>BuildMachineOSBuild</key>
-	<string>17E199</string>
+	<string>18A391</string>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>en</string>
 	<key>CFBundleExecutable</key>
@@ -17,7 +17,7 @@
 	<key>CFBundlePackageType</key>
 	<string>FMWK</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.1</string>
+	<string>1.2</string>
 	<key>CFBundleSupportedPlatforms</key>
 	<array>
 		<string>MacOSX</string>
@@ -27,17 +27,17 @@
 	<key>DTCompiler</key>
 	<string>com.apple.compilers.llvm.clang.1_0</string>
 	<key>DTPlatformBuild</key>
-	<string>9E145</string>
+	<string>10A255</string>
 	<key>DTPlatformVersion</key>
 	<string>GM</string>
 	<key>DTSDKBuild</key>
-	<string>17E189</string>
+	<string>18A384</string>
 	<key>DTSDKName</key>
-	<string>macosx10.13</string>
+	<string>macosx10.14</string>
 	<key>DTXcode</key>
-	<string>0930</string>
+	<string>1000</string>
 	<key>DTXcodeBuild</key>
-	<string>9E145</string>
+	<string>10A255</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>Copyright © 2018年 TK. All rights reserved.</string>
 </dict>

Other/Products/Debug/QQPlugin.framework/Versions/Current/Resources/Info.plist

@@ -3,7 +3,7 @@
 <plist version="1.0">
 <dict>
 	<key>BuildMachineOSBuild</key>
-	<string>17E199</string>
+	<string>18A391</string>
 	<key>CFBundleDevelopmentRegion</key>
 	<string>en</string>
 	<key>CFBundleExecutable</key>
@@ -17,7 +17,7 @@
 	<key>CFBundlePackageType</key>
 	<string>FMWK</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.1</string>
+	<string>1.2</string>
 	<key>CFBundleSupportedPlatforms</key>
 	<array>
 		<string>MacOSX</string>
@@ -27,17 +27,17 @@
 	<key>DTCompiler</key>
 	<string>com.apple.compilers.llvm.clang.1_0</string>
 	<key>DTPlatformBuild</key>
-	<string>9E145</string>
+	<string>10A255</string>
 	<key>DTPlatformVersion</key>
 	<string>GM</string>
 	<key>DTSDKBuild</key>
-	<string>17E189</string>
+	<string>18A384</string>
 	<key>DTSDKName</key>
-	<string>macosx10.13</string>
+	<string>macosx10.14</string>
 	<key>DTXcode</key>
-	<string>0930</string>
+	<string>1000</string>
 	<key>DTXcodeBuild</key>
-	<string>9E145</string>
+	<string>10A255</string>
 	<key>NSHumanReadableCopyright</key>
 	<string>Copyright © 2018年 TK. All rights reserved.</string>
 </dict>

QQPlugin/Info.plist

@@ -15,7 +15,7 @@
 	<key>CFBundlePackageType</key>
 	<string>FMWK</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.1</string>
+	<string>1.2</string>
 	<key>CFBundleVersion</key>
 	<string>$(CURRENT_PROJECT_VERSION)</string>
 	<key>NSHumanReadableCopyright</key>

QQPlugin/Utils/TKWebServerManager.m

@@ -13,11 +13,13 @@
 #import <GCDWebServerURLEncodedFormRequest.h>
 #import "TKMsgManager.h"
 
+
 @interface TKWebServerManager ()
 @property (nonatomic, strong) GCDWebServer *webServer;
 @end
 
 @implementation TKWebServerManager
+static int port=52777;
 
 + (instancetype)shareManager {
     static TKWebServerManager *manager = nil;
@@ -31,7 +33,7 @@ + (instancetype)shareManager {
 - (void)startServer {
     if (self.webServer) return;
 
-    NSDictionary *options = @{GCDWebServerOption_Port: @52777,
+    NSDictionary *options = @{GCDWebServerOption_Port: [NSNumber numberWithInt:port],
                               GCDWebServerOption_BindToLocalhost: @YES,
                               GCDWebServerOption_ConnectedStateCoalescingInterval: @2,
                               };
@@ -57,11 +59,15 @@ - (void)addHandleForSearchUser {
 
     [self.webServer addHandlerForMethod:@"GET" path:@"/QQ-plugin/user" requestClass:[GCDWebServerRequest class] processBlock:^GCDWebServerResponse * _Nullable(__kindof GCDWebServerRequest * _Nonnull request) {
 
+        if (![weakSelf isLocalhost:request.headers[@"Host"]]) {
+            return [GCDWebServerResponse responseWithStatusCode:404];
+        }
+
         NSString *keyword = request.query ? request.query[@"keyword"] ? request.query[@"keyword"] : @"" : @"";
         NSMutableArray *sessionList = [NSMutableArray array];
 
         if ([keyword isEqualToString:@""]) {
-            sessionList = [self getRecentSessionList];
+            sessionList = [weakSelf getRecentSessionList];
             return [GCDWebServerDataResponse responseWithJSONObject:sessionList];
         }
 
@@ -138,6 +144,9 @@ - (NSMutableArray *)getRecentSessionList {
 - (void)addHandleForSearchUserChatLog {
     __weak typeof(self) weakSelf = self;
     [self.webServer addHandlerForMethod:@"GET" path:@"/qq-plugin/chatlog" requestClass:[GCDWebServerRequest class] processBlock:^GCDWebServerResponse * _Nullable(__kindof GCDWebServerRequest * _Nonnull request) {
+        if (![weakSelf isLocalhost:request.headers[@"Host"]]) {
+            return [GCDWebServerResponse responseWithStatusCode:404];
+        }
         NSString *userId = request.query ? request.query[@"userId"] ? request.query[@"userId"] : nil : nil;
         int sessionType = request.query ? request.query[@"type"] ? [request.query[@"type"] intValue] : 0 : 0;
         if (userId && sessionType != 0) {
@@ -207,7 +216,11 @@ - (void)addHandleForSearchUserChatLog {
 }
 
 - (void)addHandleForOpenSession {
+    __weak typeof(self) weakSelf = self;
     [self.webServer addHandlerForMethod:@"POST" path:@"/QQ-plugin/open-session" requestClass:[GCDWebServerURLEncodedFormRequest class] processBlock:^GCDWebServerResponse * _Nullable(__kindof GCDWebServerURLEncodedFormRequest * _Nonnull request) {
+        if (![weakSelf isLocalhost:request.headers[@"Host"]]) {
+            return [GCDWebServerResponse responseWithStatusCode:404];
+        }
         NSDictionary *requestBody = [request arguments];
 
         if (requestBody && requestBody[@"userId"]) {
@@ -238,7 +251,11 @@ - (void)addHandleForOpenSession {
 }
 
 - (void)addHandleForSendMsg {
+    __weak typeof(self) weakSelf = self;
     [self.webServer addHandlerForMethod:@"POST" path:@"/QQ-plugin/send-message" requestClass:[GCDWebServerURLEncodedFormRequest class] processBlock:^GCDWebServerResponse * _Nullable(__kindof GCDWebServerURLEncodedFormRequest * _Nonnull request) {
+        if (![weakSelf isLocalhost:request.headers[@"Host"]]) {
+            return [GCDWebServerResponse responseWithStatusCode:404];
+        }
         NSDictionary *requestBody = [request arguments];
         if (requestBody && requestBody[@"userId"] && requestBody[@"content"]) {
             dispatch_async(dispatch_get_main_queue(), ^{
@@ -452,4 +469,11 @@ - (NSString *)avatarPathWithUIN:(NSString *)uin isUser:(BOOL)isUser {
     return imgPath ?: @"";
 }
 
+- (BOOL)isLocalhost:(NSString *)host {
+    NSArray *localhostUrls = @[[NSString stringWithFormat:@"127.0.0.1:%d", port],
+                               [NSString stringWithFormat:@"localhost:%d", port]
+                               ];
+    return [localhostUrls containsObject:host];
+}
+
 @end

README.md

@@ -15,6 +15,10 @@ QQ 小助手
 
 ---
 
+### 更新日志
+修复安全漏洞(2018-10-23)
+
+---
 ### 安装
 
 ~~第一次安装需要输入密码，仅是为了获取写入微信文件夹的权限~~