When an image is uploaded with a microblog post, the check is done only in the front end; the server side performs no security filtering.

\api\StatusesApi.class.php

function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type at all.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted microblog entry (strip the small_ / middle_ prefix).

After logging in to the official ThinkSNS microblog, build the following form:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the image address.

Fix:

\api\StatusesApi.class.php

function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
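The fix above still trusts the client in two places: the allow list is checked against the extension pathinfo() reports (the part after the last dot), while the stored filename is built from everything after the first dot in the client-supplied name, and the file body is never inspected, so any content with an allowed-looking name is accepted. The original's fallback to copy() also skips PHP's check that the source really came from an HTTP upload. The following is an added example, not ThinkSNS project code, of how the same uploadpic() result shape can be produced with server-side checks that do not depend on the client name. It assumes PHP 7.1 or later; the function names validateImageUpload() and storeImageUpload() and the sample data at the bottom are this example's own.

```php
<?php
// Added example (not ThinkSNS code): hardened validation for an image upload.
// The stored extension is derived from what PHP detects in the file body,
// never from the user-controlled filename.

/**
 * Inspect an upload candidate.
 * $tmpPath is the file on disk, $clientName is $_FILES['pic']['name'].
 * Returns the extension to store the file under, or null to reject it.
 */
function validateImageUpload(string $tmpPath, string $clientName): ?string
{
    // Image types we accept, mapped to the extension we will store.
    $allowed = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    ];

    // 1. The client-supplied extension must be on the allow list.
    //    pathinfo() reports the part after the *last* dot.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        return null;
    }

    // 2. The body must parse as an image of an allowed type.
    //    getimagesize() reads the file's own header; it ignores the name.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }

    // 3. Store under the extension matching the detected type, so the
    //    name on disk can never disagree with the content.
    return $allowed[$info[2]];
}

/**
 * Replacement body for uploadpic(); returns the same $result shape.
 * $file is the $_FILES['pic'] entry, $saveDir the temp directory,
 * $siteUrl the value the original takes from SITE_PATH.
 */
function storeImageUpload(array $file, string $saveDir, string $siteUrl): array
{
    $result = ['boolen' => 0, 'message' => '上传失败'];

    // Only accept a file PHP itself received via HTTP upload. Using
    // move_uploaded_file() alone (no copy() fallback) keeps that guarantee.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return $result;
    }

    $ext = validateImageUpload($file['tmp_name'], $file['name']);
    if ($ext === null) {
        return $result;
    }

    // Unpredictable name; md5(time().'teste') is guessable to the second.
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $saveDir . '/' . $filename)) {
        return $result;
    }

    return [
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => $siteUrl . '/uploads/temp/' . $filename,
    ];
}

// Offline check of the content validation on constructed sample data:
// a 1x1 PNG, then plain text carrying an image extension.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
var_dump(validateImageUpload($tmp, 'photo.png'));
file_put_contents($tmp, 'plain text pretending to be an image');
var_dump(validateImageUpload($tmp, 'photo.jpg'));
unlink($tmp);
```

The two var_dump() calls exercise only validateImageUpload(), because is_uploaded_file() and move_uploaded_file() refuse anything that did not arrive through a real HTTP request; inside the application, uploadpic() would call storeImageUpload($_FILES['pic'], $this->_getSaveTempPath(), SITE_PATH) and return its result unchanged.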