微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。

\api\StatusesApi.class.php
/**
 * Saves the uploaded 'pic' file into the temp upload directory and returns
 * an array describing the result.
 *
 * What this version checks server-side: only that $_FILES['pic'] is truthy.
 * The extension and the file content are never validated here, and
 * $_FILES['pic']['error'] is never read; the stored extension is taken
 * verbatim from the client-supplied name.
 *
 * @return array  'boolen' (1/0); on success also 'type_data' and 'picurl',
 *                on failure 'message'. $result is never initialised, PHP
 *                creates the array on the first element assignment.
 */
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Name: md5 of the current second plus a fixed salt, so two uploads
        // within the same second collide. The extension is everything after the
        // FIRST dot of the client-supplied name, copied without any check.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried before move_uploaded_file(), so when copy() succeeds the
        // is_uploaded_file() check inside move_uploaded_file() never runs; the @
        // operator hides any warning from either call.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            // SITE_PATH is a constant defined elsewhere in the project.
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证。

可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost

在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)

在登录thinksns官方微博后,
构建以下表单:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )

修复方案:

\api\StatusesApi.class.php
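/**
 * 20121018 @yelo
 * 增加上传类型验证 (upload type validation added)
 *
 * Saves the uploaded 'pic' file into the temp upload directory and returns
 * an array describing the result:
 *   success: array('boolen' => 1, 'type_data' => 'temp/<name>',
 *                  'picurl' => SITE_PATH.'/uploads/temp/<name>')
 *   failure: array('boolen' => 0, 'message' => '上传失败')
 *
 * Server-side checks, in order: the field exists and PHP reported no upload
 * error; the source is a genuine HTTP-uploaded file; the client extension is
 * in the allow-list; the content decodes as an image of an allowed type.
 * The stored name is built from the validated extension, never from the raw
 * client-supplied name, so only the allow-listed extension reaches disk.
 *
 * @return array
 */
function uploadpic(){
    $result = array();
    $failure = array('boolen' => 0, 'message' => '上传失败');

    // 1. Field present and the upload itself succeeded. Doing this before
    //    pathinfo() avoids notices on a missing field and an undefined $ext.
    if (empty($_FILES['pic']) || !isset($_FILES['pic']['error']) || $_FILES['pic']['error'] !== UPLOAD_ERR_OK) {
        return $failure;
    }
    $file = $_FILES['pic'];

    // 2. Only act on a file PHP itself received via HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return $failure;
    }

    // 3. Extension allow-list. pathinfo() yields the part after the LAST dot,
    //    so a name with several dots is judged by its final extension, and that
    //    same validated value is reused for the stored name below.
    $allowExts = array('jpg', 'jpeg', 'png', 'gif');
    $pathinfo = pathinfo($file['name']);
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    if (!in_array($ext, $allowExts, true)) {
        return $failure;
    }

    // 4. Content check: the bytes must decode as one of the allowed image
    //    types; getimagesize() returns false for anything that is not an image.
    //    (Extension/type consistency, e.g. png content under a .gif name, is not
    //    enforced here.)
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
    $imageInfo = @getimagesize($file['tmp_name']);
    if ($imageInfo === false || !in_array($imageInfo[2], $allowTypes, true)) {
        return $failure;
    }

    // Stored name: unique per request (uniqid + the per-request tmp_name) to
    // avoid the same-second collisions of md5(time().'teste'); the extension is
    // the validated $ext, not a substring of the client-supplied name.
    $savePath = $this->_getSaveTempPath();
    $filename = md5(uniqid('', true).$file['tmp_name']).'.'.$ext;

    // move_uploaded_file() re-checks is_uploaded_file() internally. A failure is
    // reported through the result array, so its warning is suppressed to keep
    // the API response body clean; copy() is no longer used as a fallback.
    if (@move_uploaded_file($file['tmp_name'], $savePath.'/'.$filename)) {
        $result['boolen'] = 1;
        $result['type_data'] = 'temp/'.$filename;
        // SITE_PATH is a constant defined elsewhere in the project.
        $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
    } else {
        $result = $failure;
    }
    return $result;
}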
0 c' w5 B. N5 w- f% f* p: U: v
2 ~' c3 p, }7 b* E5 } |