微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
8 z& }' |; c3 D& B' H. [
\api\StatusesApi.class.php
function uploadpic(){
    /**
     * Stores the file posted as $_FILES['pic'] under the temp upload directory
     * returned by $this->_getSaveTempPath() and reports the outcome.
     *
     * @return array 'boolen' => 1 with 'type_data' (path relative to uploads/)
     *               and 'picurl' (URL built from SITE_PATH) on success;
     *               'boolen' => 0 with 'message' on failure.
     */
    // NOTE(review): the only condition is that the field is present. Neither
    // the extension, the upload error code nor the file content is checked
    // here; any server-side filtering would have to happen in a caller.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Stored name = md5(time) + everything after the FIRST dot of the
        // client-supplied name, so the client fully controls the suffix.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() runs first and short-circuits the ||, so move_uploaded_file()
        // (and its is_uploaded_file check) is only reached when copy() fails.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证
8 P9 T" d# Z/ C
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
~: y* }3 J' t( e4 F. K' m
在登录thinksns官方微博后, 构建以下表单:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )
修复方案:
% w; A9 N6 y/ ?
\api\StatusesApi.class.php
7 w$ q* m: U, z! k, ^5 {
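function uploadpic(){
    /**
     * 20121018 @yelo
     * 增加上传类型验证 (added upload type validation)
     *
     * Stores the image posted as $_FILES['pic'] under the temp upload
     * directory returned by $this->_getSaveTempPath().
     *
     * @return array 'boolen' => 1 with 'type_data' (path relative to uploads/)
     *               and 'picurl' (URL built from SITE_PATH) on success;
     *               'boolen' => 0 with 'message' on failure.
     */
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // Guard the array access first: reading $_FILES['pic']['name'] when the
    // field was not posted raises notices and validates nothing.
    $file = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : null;
    $uploadCondition = false;
    $ext = '';

    if ($file && isset($file['error'], $file['name'], $file['tmp_name']) && $file['error'] === UPLOAD_ERR_OK) {
        // Validate the LAST extension only (pathinfo), lower-cased, strict match.
        $pathinfo = pathinfo($file['name']);
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        // Content check: the file must parse as an image, not merely carry an
        // image suffix.
        $uploadCondition = in_array($ext, $allowExts, true) && @getimagesize($file['tmp_name']) !== false;
    }

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Build the stored name from the *validated* extension only. The previous
        // substr(name, strpos(name, '.') + 1) kept everything after the first dot,
        // so "x.php.jpg" passed the check yet was saved as "<md5>.php.jpg".
        $filename = md5( time().'teste' ).'.'.$ext;
        $target = $savePath.'/'.$filename;
        // Prefer move_uploaded_file(), which refuses paths that are not real
        // uploads; the copy() fallback is kept only for callers that may pass a
        // non-upload tmp_name — presumably none, TODO confirm and drop it.
        if(@move_uploaded_file($file['tmp_name'], $target) || @copy($file['tmp_name'], $target))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}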
8 L2 P7 C3 L2 E; S. S6 O h5 d) W. N& o k5 U, `
+ X8 q' B0 C. I2 f
|