微博发布时的图片上传只在前端(浏览器端)做了类型校验, 服务器端没有对上传文件的类型做任何过滤。
0 W+ |( S5 I+ `$ Y7 n& `. s
* A1 m! A9 t7 b1 J& D7 @
漏洞文件: \api\StatusesApi.class.php
0 V* O4 F9 L" i. C; P
/**
 * Original (vulnerable) temp-image upload handler, reproduced as published.
 *
 * Reads the multipart field `pic`, builds a name from md5(time().'teste') plus
 * whatever follows the FIRST '.' of the client-supplied filename, and writes the
 * file into the temp upload directory. No extension, MIME or content check is
 * done server-side: this is the reported vulnerability — any file, including a
 * PHP script, is stored under a web-reachable path and its URL is returned.
 *
 * Quirks preserved on purpose (this block is the exhibit, not the fix):
 *  - a client name without a '.' makes strpos() return false; false + 1 == 1,
 *    so substr() then keeps the name minus its first character;
 *  - copy() is attempted before move_uploaded_file(), so tmp_name is never
 *    checked to be a real HTTP upload;
 *  - the name depends only on time(), so two uploads in the same second collide.
 *
 * @return array ['boolen' => 1, 'type_data' => 'temp/<name>', 'picurl' => <url>]
 *               on success, ['boolen' => 0, 'message' => '上传失败'] otherwise.
 */
function uploadpic(){
    $pic = $_FILES['pic'];
    if (!$pic) {
        return array('boolen' => 0, 'message' => '上传失败');
    }

    $savePath   = $this->_getSaveTempPath();
    $clientName = $pic['name'];
    // Everything after the first '.' of the client name is trusted as the extension.
    $ext        = substr($clientName, strpos($clientName, '.') + 1);
    $storedName = md5(time() . 'teste') . '.' . $ext;
    $target     = $savePath . '/' . $storedName;

    // copy() first, move_uploaded_file() only as a fallback — both silenced.
    $stored = @copy($pic['tmp_name'], $target) || @move_uploaded_file($pic['tmp_name'], $target);
    if (!$stored) {
        return array('boolen' => 0, 'message' => '上传失败');
    }

    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $storedName,
        'picurl'    => SITE_PATH . '/uploads/temp/' . $storedName,
    );
}
uploadpic() 方法没有对上传文件的类型进行任何验证。
因此可以自行构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
9 }6 r) `# ]' S8 j
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
6 z+ Z1 u" p" @) |$ A4 r$ V& W, r R
( C+ H! j# S+ d O. I
在登录thinksns官方微博后,
构建以下表单:
/ L& ~: P# x( c# e y6 u1 m6 q
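<!-- PoC form: while logged in, post any file as the multipart field "pic" to the
     w3g doPost action. The server-side uploadpic() performed no type check, so the
     file is stored under /uploads/temp/ and linked from the new post (strip the
     small_/middle_ thumbnail prefix to reach the original upload).
     Fix versus the published snippet: <form> is not a void element, so the
     self-closing "/>" on the opening tag was invalid markup; "&" in the action URL
     is now written as "&amp;" as HTML requires. -->
<form action="http://t.thinksns.com/index.php?app=w3g&amp;mod=Index&amp;act=doPost"
      method="post" enctype="multipart/form-data">
  <textarea name="content">test</textarea>
  file: <input id="file" type="file" name="pic" />
  <input type="submit" value="Post" />
</form>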
去掉缩略图的前缀(small_、middle_)即为上传的原始文件地址。
修复方案:
0 S' [7 m( u: \+ d( Y6 }, u- t! g5 N5 j0 t1 P
\api\StatusesApi.class.php:
: [0 R) W* Q( a! ~6 K
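/**
 * Store an uploaded image in the temp upload directory.
 *
 * Accepts the multipart field `pic`, validates it, and moves it to
 * $this->_getSaveTempPath() under a server-generated name.
 *
 * Changes versus the previous fix (20121018 @yelo, extension whitelist only):
 *  - the stored name now uses the extension that was validated. The previous code
 *    whitelisted pathinfo()'s extension (text after the LAST dot) but built the
 *    stored name from everything after the FIRST dot, so `x.php.jpg` passed the
 *    check and was saved as `<md5>.php.jpg` — a name that Apache setups mapping
 *    `.php` with AddHandler can execute as PHP;
 *  - $_FILES['pic']['error'] must be UPLOAD_ERR_OK and tmp_name must be a real
 *    HTTP upload (is_uploaded_file); the copy() fallback on an arbitrary
 *    tmp_name is gone;
 *  - the bytes must parse as an image (getimagesize) of a whitelisted type, and
 *    the file is stored under that detected type's canonical extension, so a
 *    renamed script is rejected even with a .jpg name;
 *  - the stored name no longer derives from time() alone, which made two uploads
 *    in the same second overwrite each other and made the path guessable;
 *  - a missing `pic` field or a name without an extension no longer raises
 *    undefined-index notices.
 *
 * getimagesize() is not a full decoder: a genuine image with a PHP payload in
 * its metadata still passes. The whitelisted, server-chosen extension is what
 * keeps it from executing; serving /uploads with script execution disabled is
 * the web-server side of that defence and is outside this method.
 *
 * NOTE(review): if any internal caller fills $_FILES['pic'] by hand with a
 * non-uploaded path, is_uploaded_file() will now reject it — confirm callers.
 *
 * @return array ['boolen' => 1, 'type_data' => 'temp/<name>', 'picurl' => <url>]
 *               on success; ['boolen' => 0, 'message' => '上传失败'] on any failure.
 */
function uploadpic(){
    $fail = array('boolen' => 0, 'message' => '上传失败');

    // Missing field, or a transport-level failure (size limit, partial upload, ...).
    if (empty($_FILES['pic']) || !is_array($_FILES['pic'])
        || !isset($_FILES['pic']['error']) || $_FILES['pic']['error'] !== UPLOAD_ERR_OK) {
        return $fail;
    }
    $pic = $_FILES['pic'];

    // Only a file PHP itself received over HTTP is acceptable as the source.
    if (!isset($pic['tmp_name']) || !is_uploaded_file($pic['tmp_name'])) {
        return $fail;
    }

    // Extension whitelist on the client-supplied name, taken after the LAST dot.
    $allowExts = array('jpg', 'jpeg', 'png', 'gif');
    $pathinfo  = pathinfo(isset($pic['name']) ? (string) $pic['name'] : '');
    $ext       = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    if (!in_array($ext, $allowExts, true)) {
        return $fail;
    }

    // Content check: the bytes must decode as an image of a whitelisted type.
    // IMAGETYPE_* -> canonical extension used for the stored name.
    $imageTypes = array(
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    );
    $info = @getimagesize($pic['tmp_name']);
    if ($info === false || !isset($info[2]) || !isset($imageTypes[$info[2]])) {
        return $fail;
    }
    // Store under the detected type's extension, never the client's string
    // (a `.jpeg` client name becomes `.jpg`; a GIF uploaded as `.png` becomes `.gif`).
    $ext = $imageTypes[$info[2]];

    // Server-generated, non-colliding name: no client-controlled characters reach the path.
    $savePath = $this->_getSaveTempPath();
    $filename = md5(uniqid(mt_rand(), true)) . '.' . $ext;
    $target   = $savePath . '/' . $filename;

    if (!@move_uploaded_file($pic['tmp_name'], $target)) {
        return $fail;
    }

    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => SITE_PATH . '/uploads/temp/' . $filename,
    );
}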
; U4 B1 v! [2 P3 V$ s
6 N6 R6 [) p1 ^' o |