微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。

\api\StatusesApi.class.php

function uploadpic(){
    /**
     * Stores the uploaded form field 'pic' in the temp upload directory and
     * returns a result array:
     *   boolen    - 1 on success, 0 on failure
     *   type_data - 'temp/<stored name>' (success only)
     *   picurl    - SITE_PATH.'/uploads/temp/<stored name>' (success only)
     *   message   - '上传失败' (failure only)
     *
     * As written there is no server-side check of the file type: neither the
     * extension nor the content of $_FILES['pic'] is validated before the
     * file is written under a web-reachable path.
     */
    if( $_FILES['pic'] ){
        // Perform the upload.
        $savePath = $this->_getSaveTempPath();
        // The stored extension is everything after the FIRST dot of the
        // client-supplied name, so the client fully controls it.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried first; unlike move_uploaded_file() it does not
        // verify that tmp_name is a genuine upload temp file.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证。

可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost

在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)。

在登录thinksns官方微博后,
构建以下表单:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )

修复方案:

\api\StatusesApi.class.php
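function uploadpic(){
    /**
     * 20121018 @yelo
     * 增加上传类型验证 (added upload type validation)
     *
     * Stores the uploaded form field 'pic' in the temp upload directory under
     * a generated name and returns a result array:
     *   boolen    - 1 on success, 0 on failure
     *   type_data - 'temp/<stored name>' (success only)
     *   picurl    - SITE_PATH.'/uploads/temp/<stored name>' (success only)
     *   message   - '上传失败' (failure only)
     *
     * The upload is accepted only when the extension is on the allow-list
     * AND the content decodes as an image; the stored name is built from the
     * validated extension, never from the client-supplied filename.
     */
    $result = array('boolen' => 0, 'message' => '上传失败');

    // Fail early when nothing was uploaded or PHP reported an upload error,
    // instead of indexing $_FILES['pic'] unconditionally.
    if (empty($_FILES['pic']) || !is_array($_FILES['pic'])
        || !isset($_FILES['pic']['error']) || $_FILES['pic']['error'] !== UPLOAD_ERR_OK) {
        return $result;
    }
    $file = $_FILES['pic'];

    // Allow-list check on the extension after the LAST dot. pathinfo() gives
    // no 'extension' key for names without a dot, so default to ''.
    $pathinfo  = pathinfo($file['name']);
    $ext       = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    if (!in_array($ext, $allowExts, true)) {
        return $result;
    }

    // The extension is client-controlled, so also require that the bytes are
    // a real image; getimagesize() returns false for anything else. Only a
    // genuine upload temp file is inspected.
    if (!is_uploaded_file($file['tmp_name']) || @getimagesize($file['tmp_name']) === false) {
        return $result;
    }

    // Build the stored name from the validated extension. The earlier code
    // used substr() after the FIRST dot of the original name, so a name with
    // several dots carried extra text into the stored extension even though
    // only the last extension had been checked.
    // NOTE(review): md5(time().'teste') is predictable and repeats within a
    // second; a random component would avoid collisions — confirm callers
    // do not depend on this naming scheme.
    $savePath = $this->_getSaveTempPath();
    $filename = md5(time() . 'teste') . '.' . $ext;
    $target   = $savePath . '/' . $filename;

    // move_uploaded_file() refuses anything that is not an upload temp file;
    // the former copy() fallback did not, so it is dropped.
    if (@move_uploaded_file($file['tmp_name'], $target)) {
        $result = array(
            'boolen'    => 1,
            'type_data' => 'temp/' . $filename,
            'picurl'    => SITE_PATH . '/uploads/temp/' . $filename,
        );
    }
    return $result;
}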
2 V9 [' j! h1 R! m
; M5 R c9 J' U# Y# r, Y |