When an image is attached to a weibo post, the upload is validated only in the front end; the server performs no security filtering.

\api\StatusesApi.class.php
function uploadpic(){
    // No check on the file type here: any uploaded file is accepted as-is
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted weibo (remove the small_ / middle_ prefix).

After logging in to the official ThinkSNS weibo, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Remove the thumbnail prefix (small_) from the image URL.

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
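As an added example (not ThinkSNS code), a stricter version of the server-side check than the extension whitelist in the fix above: it also inspects the image header and derives the stored filename from the detected type instead of from the client-supplied name. The function names, the use of getimagesize() and random_bytes(), and the sys_get_temp_dir() stand-in for $this->_getSaveTempPath() are my assumptions.

```php
<?php
// Added example, not ThinkSNS code: a stricter server-side check for the
// 'pic' upload than the extension whitelist alone. Assumes PHP 7+;
// function names are hypothetical.

const ALLOWED_EXTS = ['jpg', 'jpeg', 'png', 'gif']; // same set as $allowExts

// Returns the extension to store the file under, or null to reject it.
function validateImageUpload(array $file): ?string
{
    // Only accept a file PHP itself received through this HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 1. Whitelist the last extension, as the patched uploadpic() does.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTS, true)) {
        return null;
    }
    // 2. Inspect the bytes: getimagesize() parses the header and reports
    //    the real image type, so a renamed non-image is rejected here.
    $info = @getimagesize($file['tmp_name']);
    $byType = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if ($info === false || !isset($byType[$info[2]])) {
        return null;
    }
    return $byType[$info[2]]; // extension taken from content, not from the name
}

// Random name plus the validated extension only: nothing from the client
// name (including any extra dots) reaches the filesystem.
function storedImageName(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage inside the upload handler. Stand-in for $this->_getSaveTempPath():
$savePath = sys_get_temp_dir();
$ext = validateImageUpload($_FILES['pic'] ?? []);
if ($ext === null) {
    $result = ['boolen' => 0, 'message' => '上传失败'];
} else {
    $filename = storedImageName($ext);
    $ok = move_uploaded_file($_FILES['pic']['tmp_name'], $savePath . '/' . $filename);
    $result = $ok ? ['boolen' => 1, 'type_data' => 'temp/' . $filename]
                  : ['boolen' => 0, 'message' => '上传失败'];
}
```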