When a weibo (microblog) image is uploaded, validation is only performed on the front end; the server side does no security filtering.

\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload; note that nothing about the file is checked here
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type at all.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found on the newly posted weibo (remove the small_ and middle_ prefixes).

After logging in to the official ThinkSNS weibo, build the following form:
" y8 G, ]8 A0 ~! t+ f8 X+ k<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />' [0 H$ i- f: P3 O, y- t; v
<textarea name="content">test</textarea>% `! e& O) |0 E/ y3 ]8 O: Y
file: <input id="file" type="file" name="pic" />
2 _( S) r3 Z- v' s% u# u3 `<input type="submit" value="Post" /> ]" H8 l. N+ W3 `' m
</form>% H0 O Q) V. @# K
去掉缩略图的前缀(small_ ) S, ^( _4 ~+ b% D/ l3 ]
Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // only proceed when a file was sent and its extension is whitelisted
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
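As an added example (not ThinkSNS code), here is a stricter version of the check the fix above introduces. Beyond the extension whitelist it requires that PHP received the file as an HTTP upload, checks the detected MIME type and image header rather than the client-supplied name, and builds the saved filename from the whitelisted extension only, because the fix still derives the stored extension with substr from the first dot of the original name and so keeps everything after it. The function name saveUploadedImage, the array $file (one entry of $_FILES) and $savePath (the temp directory the controller already obtains from _getSaveTempPath()) are assumptions.

```php
<?php
// Added example, not ThinkSNS code: a stricter image upload check.
// Assumes $file is one entry of $_FILES (e.g. $_FILES['pic']) and
// $savePath is the writable temp directory the controller already uses.
function saveUploadedImage(array $file, $savePath)
{
    $result = array('boolen' => 0);
    // Whitelisted extensions and the detected MIME type each may carry.
    $allowed = array(
        'jpg'  => array('image/jpeg'),
        'jpeg' => array('image/jpeg'),
        'png'  => array('image/png'),
        'gif'  => array('image/gif'),
    );
    if (!isset($file['tmp_name'], $file['name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        $result['message'] = 'upload failed';
        return $result;
    }
    // Only accept files that PHP itself received via HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        $result['message'] = 'upload failed';
        return $result;
    }
    // Extension taken from the last dot, lower-cased, matched strictly.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        $result['message'] = 'file type not allowed';
        return $result;
    }
    // Check the content, not the client-supplied name or Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    $info = @getimagesize($file['tmp_name']);
    if ($mime === false || !in_array($mime, $allowed[$ext], true) || $info === false) {
        $result['message'] = 'file content is not a valid image';
        return $result;
    }
    // Random name plus the whitelisted extension: nothing from the
    // client-supplied filename reaches the filesystem.
    $filename = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $ext;
    $target = rtrim($savePath, '/') . '/' . $filename;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        $result['message'] = 'upload failed';
        return $result;
    }
    $result['boolen'] = 1;
    $result['type_data'] = 'temp/' . $filename;
    return $result;
}
```

Serving the temp directory with script execution disabled (and, where possible, from a separate host) keeps a stored file from being interpreted even if a check is later relaxed.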