微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
/ _. Y1 J7 ~: x) S) U; b
6 W+ [. v0 d g0 Q( M) O, ? }
9 @9 S! S4 ^8 ]8 j\api\StatusesApi.class.php
+ D. A# G, I% c" s, A0 q: J0 j
) d+ ?% D T- q8 Rfunction uploadpic(){
$ A! E0 J* U- j0 t3 i% A if( $_FILES['pic'] ){2 ^4 q3 M9 Q- g! F
//执行上传操作1 j$ s* f1 l" C9 f$ |
$savePath = $this->_getSaveTempPath();. D. T* v6 D* `6 s$ E" d9 n2 ?
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);" G" f# O6 ^3 _( ^; T& D O. y/ w( Z
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename)); V7 X; |8 q: X( [
{
) }3 ^# S$ G4 \4 e $result['boolen'] = 1;
# i4 s/ H7 V4 R- z- J* f4 P8 M# j7 \ $result['type_data'] = 'temp/'.$filename;9 s/ i7 q4 m; P% Q- Z' ] k- }& Y
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
3 m, |; ~. i9 i1 G: e* } } else {
( o* W# @, R% t $result['boolen'] = 0;3 G4 q$ |1 r! m; c: C: F3 q9 h9 |
$result['message'] = '上传失败';
0 t; d9 d5 ^& Z }
0 S7 s3 \8 i5 U" ^5 M! K8 `; W' Y }else{ d& V L4 U- [* P! l* U; @$ C
$result['boolen'] = 0;$ G! N% ~% [8 ?6 {1 Z
$result['message'] = '上传失败';7 k4 ~! }* R" m! n# `
}
, d7 K) D/ g/ k. x7 ?5 lreturn $result;
% \- X0 [7 v: v0 n8 \9 v* m }* u) X% @! P( C, G; B. ]& J( U
unloadpic()方法没有对文件类型进行验证
) W2 D# {& C, x" t0 e( n5 m & ] {, Z5 F: [
可以构建表单, 选择任意文件, 提交到
7 ]' ?& Y0 I/ h R/ v2 f/index.php?app=w3g&mod=Index&act=doPost7 V, ]; z/ J" x# _2 R6 s: x5 _0 L5 {
1 `* Q6 |: Y( n) E4 z" H& J在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀) v# P2 W9 O$ I( o& M v8 i
U- H( D7 [1 S4 r6 z6 D) _# f+ D1 j7 U) N( |0 i
在登录thinksns官方微博后,
! ^' Y6 {: [4 m1 U- i2 v9 G4 s M构建以下表单:$ S, n$ K" Y7 a% a; i* N
- o8 e8 r: n, x5 s; G<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />1 G& h: s' E# z" Y/ n
<textarea name="content">test</textarea>2 X4 q* m" Z. u/ }" A9 F3 ?5 k1 J
file: <input id="file" type="file" name="pic" />
; s' \5 U+ ?4 h" J B6 |2 X; z<input type="submit" value="Post" />
$ n1 P {' q9 e4 D; _</form> E! ]" Q( q( _7 q- v5 p8 D3 i
去掉缩略图的前缀(small_ )
4 A1 Z6 M" w& g" ?修复方案:7 y5 `( Y1 ]0 |" Z/ O' n
. x' @1 Y& |; c2 r8 _8 T1 c+ L/ |; N; M6 y
\api\StatusesApi.class.php
1 }9 p8 I: v+ ], B' V+ }
8 W) v6 ^/ M8 ^! A9 qfunction uploadpic(){! `+ R6 z0 B+ Y d
/**1 o# K" j8 Y/ ]9 U% P
* 20121018 @yelo
) w' M* ]" k, `% I9 x: P/ K7 {7 F- f * 增加上传类型验证
! r' c7 g6 i6 P, A- H */4 @+ f, [7 L2 q6 O: P7 T* }
$pathinfo = pathinfo($_FILES['pic']['name']);
8 H3 p5 w; T- _0 J. q5 a* g $ext = $pathinfo['extension'];
: n' I0 E, P+ V3 o $allowExts = array('jpg', 'png', 'gif', 'jpeg');
( @ ^1 I+ ^- | ( B) t8 a+ o0 h$ {, ~
$uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);5 b$ N) g7 e' X* D+ Z; @
: Q0 U) ]2 G" }" m
if( $uploadCondition ){
2 {- u. y& d# J3 x4 w$ N- I //执行上传操作
( i% ~: \+ l: K- ~0 e, a $savePath = $this->_getSaveTempPath();. A) R2 x- T) m3 J
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);6 ~6 b4 B; I: D) _
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
8 S/ o2 F2 A3 i/ T0 u j9 W {
* s5 f. `1 W N( A/ X" g; S+ `+ l $result['boolen'] = 1;# _ n8 t% S' z. j
$result['type_data'] = 'temp/'.$filename;
! d6 o: O7 f! m5 P5 p+ Z1 U x& u $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
2 s/ f) f5 J# D; g Q: e$ y } else {
# C' a8 \9 M. U3 x- E. v" T $result['boolen'] = 0;
& Z+ f2 a& | v. _2 Z) f2 c( r $result['message'] = '上传失败';. ?- b, W1 `) f U* {5 t
}
7 J3 i( L5 x! F! O6 I4 z" K) z2 f }else{
; E8 P$ I1 d8 n; R7 p $result['boolen'] = 0;
: E! j. f8 P- m $result['message'] = '上传失败';* {0 X( I& t5 P3 N. d
} q$ r* M3 L& ?+ L
return $result;
3 W9 C% B. L& X+ d/ q" |8 D; m }4 l. G1 { G% y! x5 D* x* x
+ V- \6 E; B, A% ~( v1 I
$ S+ A$ b1 l$ B& u |
发表于 2012-12-4 11:12:30
收藏
支持
反对