微博上传图片时只在前端(JavaScript)做类型校验, 服务器端没有做任何文件类型过滤, 绕过前端校验即可上传任意类型的文件。

\api\StatusesApi.class.php
/**
 * Original (vulnerable) implementation, kept verbatim in behaviour for reference.
 *
 * Stores the file uploaded in the "pic" form field in the temp upload
 * directory and returns the array the caller expects:
 *   boolen    1 on success, 0 on failure
 *   type_data 'temp/<name>' on success
 *   picurl    absolute URL of the stored file on success
 *   message   '上传失败' on failure
 *
 * NOTE(review): nothing in this function looks at what was uploaded. There is
 * no extension whitelist, no content check and no $_FILES['pic']['error']
 * check, so the only "type validation" is the client-side one.
 */
function uploadpic(){
    $result = array();
    if( !$_FILES['pic'] ){
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }
    $upload = $_FILES['pic'];
    $savePath = $this->_getSaveTempPath();

    // Everything after the FIRST dot of the client-supplied name becomes the
    // stored extension, unchecked: "x.php" is stored as <md5>.php.
    $clientName = $upload['name'];
    $ext = substr($clientName, strpos($clientName, '.') + 1);

    // time()-derived name: two uploads within the same second get the same
    // target path, and the name is trivially predictable.
    $filename = md5( time().'teste' ).'.'.$ext;
    $target = $savePath.'/'.$filename;

    // copy() is tried first, so the file is accepted even when it did not
    // come through PHP's upload mechanism; errors are silenced with '@'.
    $stored = @copy($upload['tmp_name'], $target)
        || @move_uploaded_file($upload['tmp_name'], $target);

    if( $stored ){
        $result['boolen'] = 1;
        $result['type_data'] = 'temp/'.$filename;
        $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic() 方法没有对上传文件的类型做任何验证。
因此可以自行构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传文件的地址(去掉 small_、middle_ 缩略图前缀即为原始文件)。
在登录 thinksns 官方微博后, 构建以下表单:
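<!-- PoC form: posts a weibo with an arbitrary file in the "pic" field,
     bypassing the client-side type check. The form element must not be
     self-closing, otherwise the inputs are not part of the form. -->
<form action="http://t.thinksns.com/index.php?app=w3g&amp;mod=Index&amp;act=doPost" method="post" enctype="multipart/form-data">
  <textarea name="content">test</textarea>
  file: <input id="file" type="file" name="pic" />
  <input type="submit" value="Post" />
</form>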
去掉缩略图的前缀(small_)即得到原始上传文件的地址。

修复方案:

\api\StatusesApi.class.php
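/**
 * Store the image uploaded in the "pic" form field in the temp upload directory.
 *
 * Returns the array the callers already expect:
 *   boolen    1 on success, 0 on failure
 *   type_data 'temp/<name>' on success
 *   picurl    absolute URL of the stored file on success
 *   message   '上传失败' on failure
 *
 * Server-side checks (the client-side check is not a control):
 *   - the upload must have completed without error and must have come through
 *     PHP's upload mechanism (is_uploaded_file / move_uploaded_file);
 *   - the extension (text after the LAST dot, lower-cased) must be in the
 *     jpg/jpeg/png/gif whitelist;
 *   - the stored name uses ONLY that validated extension, so "shell.php.jpg"
 *     can no longer be stored as "<hash>.php.jpg" (the previous substr-from-
 *     first-dot kept the whole tail, which Apache's multi-extension handling
 *     may execute);
 *   - the file contents must carry a GIF/JPEG/PNG header.
 *
 * NOTE(review): the header check does not reject a polyglot (a valid image with
 * a script payload appended). The extension whitelist plus serving /uploads
 * with script execution disabled remain the primary controls.
 *
 * 20121018 @yelo  added upload type validation
 */
function uploadpic(){
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

    // Guard every index: the previous version read $_FILES['pic']['name']
    // before checking that the field exists at all.
    $upload = isset($_FILES['pic']) && is_array($_FILES['pic']) ? $_FILES['pic'] : null;
    $ok = $upload !== null
        && isset($upload['error'], $upload['tmp_name'], $upload['name'])
        && $upload['error'] === UPLOAD_ERR_OK
        && is_uploaded_file($upload['tmp_name']);

    $ext = '';
    if ($ok) {
        // pathinfo() may return no 'extension' key; treat that as a reject.
        $pathinfo = pathinfo($upload['name']);
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        $ok = in_array($ext, $allowExts, true);
    }

    if ($ok) {
        // Content check: getimagesize() returns false when the file is not a
        // recognised image; '@' only silences its read-error notice.
        $info = @getimagesize($upload['tmp_name']);
        $ok = $info !== false && in_array($info[2], $allowTypes, true);
    }

    if (!$ok) {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }

    $savePath = $this->_getSaveTempPath();
    // Unpredictable name instead of md5(time()): concurrent uploads in the
    // same second no longer collide/overwrite each other, and the name cannot
    // be guessed. Only the validated extension is appended.
    $token = function_exists('random_bytes')
        ? bin2hex(random_bytes(16))
        : md5(uniqid(mt_rand(), true));
    $filename = $token.'.'.$ext;
    $target = $savePath.'/'.$filename;

    // move_uploaded_file() only: copy() would also accept a path that is not a
    // PHP-managed upload.
    if (move_uploaded_file($upload['tmp_name'], $target)) {
        $result['boolen'] = 1;
        $result['type_data'] = 'temp/'.$filename;
        $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}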