When an image is uploaded to the microblog, validation happens only on the front end; the server side performs no security filtering.

\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload (no check of the file type or content)
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type at all.

A form can be built, an arbitrary file selected, and the request submitted to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can be found on the newly posted microblog entry (strip the small_ / middle_ prefix).

After logging in to the official ThinkSNS microblog, build the following form:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the displayed image URL to reach the stored file.

Fix:

\api\StatusesApi.class.php

function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
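As an added example (not ThinkSNS code and not part of the original post), the following hardened version of the same check goes beyond the patch above: it takes the stored extension from the whitelist match instead of from substr() after the first dot in the client filename, confirms the bytes parse as an image with getimagesize(), and accepts only files that arrived through PHP's upload mechanism. The function name validateAndStoreUpload and the $saveDir parameter (standing in for $this->_getSaveTempPath()) are assumptions.

```php
<?php
// Added example, not ThinkSNS code. Hardened replacement for the checks in uploadpic().
// Assumed helper name; $saveDir stands in for $this->_getSaveTempPath().
function validateAndStoreUpload(array $file, string $saveDir): array
{
    $allowExts = array('jpg', 'jpeg', 'png', 'gif');
    // Image types getimagesize() may report, mapped to the extension we will store under.
    $allowTypes = array(IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif');

    // 1. Only accept files PHP itself received as part of a multipart upload.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return array('boolen' => 0, 'message' => 'not an uploaded file');
    }
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array('boolen' => 0, 'message' => 'upload error');
    }

    // 2. Whitelist on the *last* extension, lower-cased, strict comparison.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return array('boolen' => 0, 'message' => 'extension not allowed');
    }

    // 3. Content check: the bytes must parse as one of the allowed image formats.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowTypes[$info[2]])) {
        return array('boolen' => 0, 'message' => 'not a valid image');
    }
    $ext = $allowTypes[$info[2]]; // store under the detected type, never the client's name

    // 4. Server-chosen random name (md5(time()) in the original is predictable);
    //    no part of the client filename is reused. random_bytes() needs PHP 7+.
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($saveDir, '/') . '/' . $filename;

    // 5. move_uploaded_file() only: unlike copy(), it refuses anything that did not
    //    come in through the upload mechanism.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array('boolen' => 0, 'message' => 'store failed');
    }
    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => SITE_PATH . '/uploads/temp/' . $filename,
    );
}
```

getimagesize() only inspects the image header, so the server-chosen extension and an upload directory that the web server does not execute scripts from remain the decisive controls.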