微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
+ {" d- v4 C' v; `8 C& H; K2 b8 z9 q. ?
\api\StatusesApi.class.php
, [3 u$ t6 ^: Z2 W9 [. Q/ a
function uploadpic(){
    // Pre-fix version as quoted in the report.
    // NOTE(review): nothing in this method looks at what was uploaded: there is
    // no extension whitelist, no check of the file body, no is_uploaded_file()
    // and no look at $_FILES['pic']['error']. Only the presence of $_FILES['pic']
    // is tested, so the browser-supplied name alone decides the stored extension.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // The stored extension is everything after the FIRST '.' of the client
        // name (substr from strpos+1), so a name with several dots keeps all of
        // them; md5(time()) also repeats within one second, so two uploads in
        // the same second get the same name.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried before move_uploaded_file(); copy() does not verify
        // that the source is the file PHP received for this request, and the
        // '@' hides failures of both calls.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
1 k$ J& ?# i0 G# A
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
8 Y6 @$ P; @% @9 K
3 s$ T) [) {8 K. L/ n3 v- m
在登录thinksns官方微博后,
构建以下表单:
<!-- Form as quoted in the report: posts the 'content' text and a 'pic' file
     to the doPost action. The '/>' on the opening <form> tag is stray
     markup (a form element is not self-closing); browsers ignore it. -->
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )
修复方案:
2 e1 H2 G3 j& K. ^+ y! r9 X: c7 H, G/ q9 K0 c3 d( j& q
\api\StatusesApi.class.php
; s1 e8 L3 c' C1 |+ @3 p
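function uploadpic(){
    /**
     * 20121018 @yelo
     * Adds server-side validation of the uploaded file type.
     *
     * Review notes on what this version checks beyond the extension list:
     *  - the extension used for the whitelist and the extension written to
     *    disk are the same value (the LAST one, from pathinfo()), so a client
     *    name with several dots cannot smuggle an earlier extension into the
     *    stored name;
     *  - the file body must parse as an image (getimagesize()), so a non-image
     *    renamed to .jpg is refused;
     *  - only move_uploaded_file() is used, which refuses any source that is
     *    not the file PHP received for this request; copy() did not;
     *  - $_FILES['pic']['error'] must be UPLOAD_ERR_OK, and no '@' suppression.
     *
     * @return array 'boolen' => 1 with 'type_data' and 'picurl' on success,
     *               'boolen' => 0 with 'message' on failure.
     */
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $result = array();

    $file = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : null;

    // Lower-cased LAST extension of the client-supplied name, '' when absent.
    $ext = '';
    if ($file !== null && isset($file['name'])) {
        $pathinfo = pathinfo((string) $file['name']);
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    }

    // Ordered cheapest-first; is_uploaded_file() precedes getimagesize() so the
    // body is only read for a file PHP actually received.
    $uploadCondition = $file !== null
        && isset($file['tmp_name'], $file['error'])
        && $file['error'] === UPLOAD_ERR_OK
        && in_array($ext, $allowExts, true)
        && is_uploaded_file($file['tmp_name'])
        && getimagesize($file['tmp_name']) !== false;

    if ($uploadCondition) {
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Stored name never reuses the client name; uniqid() avoids the
        // same-second collision that md5(time()) had.
        $filename = md5(uniqid('', true)) . '.' . $ext;
        $target = $savePath . '/' . $filename;

        if (move_uploaded_file($file['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/' . $filename;
            $result['picurl'] = SITE_PATH . '/uploads/temp/' . $filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }

    return $result;
}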
3 t C U8 i! q6 [ L% a* L: u2 X) N) s, U" r- w
& G7 l& B# I0 q" R
|