微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
6 t/ L( {1 K, l7 y- @3 B
\api\StatusesApi.class.php
. I* Z7 U- y* R . i, @! X5 }/ j
function uploadpic(){
    // Saves the posted 'pic' file into the temp upload directory and returns a
    // result array (boolen 1 with type_data/picurl on success, boolen 0 with a
    // message on failure).
    // NOTE(review): the only gate is the presence of $_FILES['pic']; nothing below
    // checks the extension, the MIME type, or whether tmp_name is a genuine upload
    // before the file is written to a web-reachable directory.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Stored name: md5 of the current second plus a fixed salt, then everything
        // after the FIRST '.' of the client-supplied name (a name 'a.b.c' keeps 'b.c').
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is attempted before move_uploaded_file(); warnings from both are
        // suppressed, so a failed or partial write is only visible via the return value.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic() 方法没有对文件类型进行验证
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
% ]' j Q- V1 h8 l
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
! R; J7 N4 n+ E& x6 q, H+ |6 U; o4 \' f
3 ]" G, r: L' @' J! u; W
在登录thinksns官方微博后,
构建以下表单:
. E7 D8 D, k! M' P5 E: r3 N- D
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
: a. {6 Y/ g G/ L4 n* q<textarea name="content">test</textarea>
# z' a7 e( Z( @ H7 E E6 gfile: <input id="file" type="file" name="pic" />
( n* X7 S5 Q1 T) Q<input type="submit" value="Post" />
# ~7 H5 b1 }3 W3 q</form>
去掉缩略图的前缀(small_ )
修复方案:
) o+ u, ]+ t9 q: o' {
3 j$ M9 b3 h( ~/ A) G3 M! n- G- H; m$ N, i
\api\StatusesApi.class.php
3 u3 b J" Z, |1 } h M$ d) }: [2 \, Y ! k/ a) P) t/ Y7 i" Z7 b. @" q
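function uploadpic(){
    /**
     * 20121018 @yelo: added upload type validation.
     *
     * Saves the posted 'pic' file into the temp upload directory and returns a
     * result array: boolen 1 with type_data/picurl on success, boolen 0 with a
     * message on failure.
     *
     * A file is accepted only when all of the following hold:
     *  - the request actually carried it (error == UPLOAD_ERR_OK and
     *    is_uploaded_file() is true, so copy() of an arbitrary path is no longer possible);
     *  - its extension is in $allowExts;
     *  - its bytes decode as GIF/JPEG/PNG according to getimagesize(), so the
     *    extension check cannot be satisfied by renaming a non-image.
     * The stored name is a random token plus the single validated extension, so no
     * other part of the client-supplied name (e.g. a second extension) reaches disk.
     *
     * @return array{boolen:int, type_data?:string, picurl?:string, message?:string}
     */
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

    // Read the upload entry defensively: a missing or malformed $_FILES['pic']
    // must fall through to the failure branch instead of raising notices.
    $file = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : array();
    $name = isset($file['name']) ? (string)$file['name'] : '';
    $tmp = isset($file['tmp_name']) ? (string)$file['tmp_name'] : '';
    $error = isset($file['error']) ? (int)$file['error'] : UPLOAD_ERR_NO_FILE;
    // PATHINFO_EXTENSION yields only the part after the LAST dot ('' when there is none).
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));

    $uploadCondition = $file
        && $error === UPLOAD_ERR_OK
        && $tmp !== ''
        && is_uploaded_file($tmp)
        && in_array($ext, $allowExts, true);
    if ($uploadCondition) {
        // Content check: the extension alone is client-controlled; the decoded
        // image type must also be one of the allowed formats.
        $imageInfo = getimagesize($tmp);
        $uploadCondition = $imageInfo !== false && in_array($imageInfo[2], $allowTypes, true);
    }

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Random stored name: md5(time()) repeated for every upload within the same
        // second and would let one upload overwrite another.
        $filename = md5(uniqid(mt_rand(), true)).'.'.$ext;
        // move_uploaded_file() only: unlike copy() it refuses sources that were not
        // delivered by this request's HTTP POST.
        if(move_uploaded_file($tmp, $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}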
% V' l. c0 O" p5 x+ U! m0 ?; B/ O$ J/ l# C' b, U- m
% a& u. y+ Q4 D" K7 F8 ~8 [ |