微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
3 B* f# u) g* ~/ G
# L1 M$ X9 I( n $ c3 G# H# i: H; p1 ?
\api\StatusesApi.class.php
) j4 W$ B3 {+ N5 B$ ^ 0 B L T4 z7 @8 o6 u3 p* C) K
function uploadpic(){! y! F8 x" Y, h+ T* i0 d0 A
if( $_FILES['pic'] ){' k% K' q- o. c; s( l& m! t
//执行上传操作, t& `+ c9 T: k0 M( T7 `
$savePath = $this->_getSaveTempPath();
4 U1 r- p B: [* A+ ~+ H* S $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
. e Y K! i0 c if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))- l v5 I3 [; c- w" s6 r* ?
{
9 G% q7 J- M; g4 t- q $result['boolen'] = 1;, u; ?+ Z2 h$ e. a- f* F# @+ a
$result['type_data'] = 'temp/'.$filename;
* e; V G* o' m) s& R, q. M+ ^- b $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;; I- ^$ E t9 j# \7 ]
} else {: Z3 I: j( o+ s
$result['boolen'] = 0;, `/ x4 B; O8 t0 g9 o: C. d
$result['message'] = '上传失败';+ q) U" d5 n5 g( Y
}
3 }7 Y9 h; W* D! K }else{# c6 y, }3 f3 E, r
$result['boolen'] = 0;- y, s' ~' h5 q9 R. f7 T' u1 q+ e2 E
$result['message'] = '上传失败';6 C6 K- O3 b" O0 B: q+ ]
}2 E$ x6 U+ _) ?5 n r4 ]9 r
return $result;, `. ]3 X; T# f! N
}
$ n' m5 R& `: ]; \( Z* `; aunloadpic()方法没有对文件类型进行验证
/ ^& Y6 ~( O" D9 d
# T M- h1 \1 k" C4 g7 c) U6 C可以构建表单, 选择任意文件, 提交到9 R) F# g. w8 c2 |, M3 b
/index.php?app=w3g&mod=Index&act=doPost* Z5 F; V" l7 d1 p1 h+ A
* A( }' r' L$ ~. J在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)+ s0 \& ~- ~9 i
, ~6 V! n% p; N" I/ N4 v- l% W" i/ O- @! I0 A' h
在登录thinksns官方微博后,7 [% @. E% P. @2 @4 i! Z" w
构建以下表单:5 _' [% n6 C2 M* e9 B
/ ^8 r) {+ B* U4 k
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
6 ~: n1 Z+ H9 s( Z# r9 _) x' ^' S<textarea name="content">test</textarea>
1 Z1 d! o) @+ c0 s6 `/ E3 bfile: <input id="file" type="file" name="pic" />
$ H2 k$ G* J2 K% [( M<input type="submit" value="Post" />; i, o3 f% T1 }+ _* [
</form>
$ b7 T! B5 _* H# U- ~! ~) o去掉缩略图的前缀(small_ )
2 Q% X, p7 q- ^3 r修复方案:- K# C9 v! S* G0 F
. O8 `, V5 w0 |% ]2 x3 b7 P4 L0 i$ o0 {7 T8 ]+ R
\api\StatusesApi.class.php
/ d( b- d. W5 ]
* A( Q8 |! m) R; u0 M" y8 H! Afunction uploadpic(){
" U& R' V7 o" [0 Z; H( W6 o7 ^ /**# ?. G) L+ u' v
* 20121018 @yelo8 k- N% p5 r8 j. E8 W, X9 X
* 增加上传类型验证
( Z, L. m9 K1 L4 W6 W' t5 n */* ~$ e; C( c* J M* f
$pathinfo = pathinfo($_FILES['pic']['name']);
& I0 ]) s' O" b4 R" B $ext = $pathinfo['extension'];& x. Z% @6 Z& E1 ~0 K8 e1 y
$allowExts = array('jpg', 'png', 'gif', 'jpeg');5 X( A3 X2 N3 I# L* b
[/ ]$ I( a1 q0 T& f W
$uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
9 v+ q i+ [( \) j# e+ J( z
8 q, I$ z" N3 p8 z J9 Q if( $uploadCondition ){4 p! ]1 {$ U' X4 H0 ~0 |: c! B
//执行上传操作
9 i8 _& }; [, w) N7 {+ \ $savePath = $this->_getSaveTempPath();
5 {* n# |1 G3 w* e3 V; c* G: \ $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);0 _! Y1 \8 o( f$ v! b8 P* [( T b
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))4 Y9 a, j( {+ P% Z. n
{7 C/ Z3 a4 k2 e: X0 u: u
$result['boolen'] = 1;
" H: v' z2 Q! F9 Y9 Y) } $result['type_data'] = 'temp/'.$filename;
8 T5 V; l1 U6 b0 r6 r( w; {5 w $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;( ^; u' Q; V7 m8 d3 O# ~/ E) q; e
} else {
7 m' r/ \+ D8 ]' ?! l; l $result['boolen'] = 0;
- h) l3 ?8 ] N* A $result['message'] = '上传失败';# b/ @" q5 ]# Q5 @2 S
}: Y# E8 [6 \. h- Z* W! S
}else{/ q: i8 @/ L" d3 _1 C `
$result['boolen'] = 0;9 ?& L+ N, Y r
$result['message'] = '上传失败';$ ` S, i( W, f$ T9 R, j( ^( @! K
}
+ T9 x7 R% g! o+ Greturn $result;
' T' m6 d+ N. m) m4 Y4 [ }: v9 I2 i$ z3 B1 \6 R& f4 n
6 H; \8 @6 \: P9 n; ?$ e
5 b$ w- { {8 p3 s5 O |
发表于 2012-12-4 11:12:30
收藏
支持
反对