When an image is uploaded with a weibo (microblog) post, validation happens only on the front end; the server side performs no security filtering.
\api\StatusesApi.class.php

    function uploadpic(){
        $result = array();
        if( $_FILES['pic'] ){
            // Perform the upload. Nothing here checks the file type: the extension
            // is copied verbatim from the client-supplied file name.
            $savePath = $this->_getSaveTempPath();
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
        return $result;
    }
The uploadpic() method does not validate the file type at all.

One can build a form, pick any file, and submit it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can be found in the newly posted weibo (strip the small_ / middle_ prefix).

After logging in to the official ThinkSNS weibo, build the following form:

    <form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
    <textarea name="content">test</textarea>
    file: <input id="file" type="file" name="pic" />
    <input type="submit" value="Post" />
    </form>

Strip the thumbnail prefix (small_) from the resulting image address.
Fix:

\api\StatusesApi.class.php
    function uploadpic(){
        /**
         * 20121018 @yelo
         * Added upload type validation
         */
        $result = array();
        $pathinfo = isset($_FILES['pic']) ? pathinfo($_FILES['pic']['name']) : array();
        // pathinfo() yields the last extension only; it is absent when the name has no dot.
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        $allowExts = array('jpg', 'png', 'gif', 'jpeg');

        // Strict whitelist check on the lower-cased extension.
        $uploadCondition = isset($_FILES['pic']) && in_array($ext, $allowExts, true);
        if( $uploadCondition ){
            // Perform the upload.
            $savePath = $this->_getSaveTempPath();
            // Build the stored name from the validated extension, not from a substring
            // of the client name, so the stored extension is always the one checked above.
            $filename = md5( time().'teste' ).'.'.$ext;
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
        return $result;
    }
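As an added example (not from the original post and not ThinkSNS code), the check below goes beyond the extension whitelist in the fix above: it also verifies the file content with getimagesize() and derives the stored name from the validated extension only. Function and constant names are hypothetical; it assumes PHP 7+.

```php
<?php
// Added example, not ThinkSNS code. Hypothetical names; assumes PHP 7+.
const ALLOWED_IMAGE_TYPES = array(
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
    'gif'  => IMAGETYPE_GIF,
);

/**
 * Validate an uploaded image. $clientName is the client-supplied file name,
 * $tmpPath the temporary file on disk. Returns array(ok, storedName|reason).
 */
function checkImageUpload($clientName, $tmpPath)
{
    // 1. Extension: only the last extension (pathinfo), lower-cased, checked
    //    strictly against the whitelist keys.
    $info = pathinfo($clientName);
    $ext  = isset($info['extension']) ? strtolower($info['extension']) : '';
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return array(false, "extension '$ext' not allowed");
    }
    // 2. Content: the bytes must parse as an image whose type matches the
    //    extension, so a non-image renamed to .jpg fails here despite step 1.
    $img = @getimagesize($tmpPath);
    if ($img === false || $img[2] !== ALLOWED_IMAGE_TYPES[$ext]) {
        return array(false, 'content is not a ' . $ext . ' image');
    }
    // 3. Stored name: random, with the validated extension appended; never a
    //    substring of the client name, which may contain further dots.
    return array(true, bin2hex(random_bytes(16)) . '.' . $ext);
}

// Constructed demo inputs written to temp files: a genuine 1x1 GIF, and a
// plain-text file whose client name claims it is a JPEG.
$gifPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gifPath, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$txtPath = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txtPath, "just text, not image bytes\n");

foreach (array(array('photo.GIF', $gifPath),
               array('notes.txt.jpg', $txtPath),
               array('readme.txt', $gifPath)) as $case) {
    list($ok, $out) = checkImageUpload($case[0], $case[1]);
    echo $case[0] . ': ' . ($ok ? 'accepted as ' : 'rejected, ') . $out . "\n";
}
unlink($gifPath);
unlink($txtPath);
```

Only the first case is accepted; the second passes the extension check but fails the content check, and the third fails the whitelist.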