微博上传图片时只在前端进行验证，服务器端没有进行安全过滤。
\api\StatusesApi.class.php
function uploadpic(){
    // Stores the uploaded file $_FILES['pic'] in the temp upload directory.
    // Returns $result with 'boolen' = 1 plus 'type_data'/'picurl' on success,
    // or 'boolen' = 0 plus 'message' on failure. $result is never initialised
    // before the first assignment below.
    // NOTE(review): the only gate is that a 'pic' entry exists; nothing checks
    // $_FILES['pic']['error'], the extension or the file content, so no type
    // restriction applies to what lands in uploads/temp (presumably web-served).
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // The stored extension is everything after the FIRST '.' of the
        // client-supplied name, copied over unchecked.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is attempted first; unlike move_uploaded_file() it does not
        // verify that tmp_name is a genuine PHP upload. Both calls are @-silenced.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            // picurl exposes the stored file's location under SITE_PATH
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic() 方法没有对文件类型进行验证。

可以构建表单，选择任意文件，提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址（去掉 small_、middle_ 前缀）。
在登录 thinksns 官方微博后，构建以下表单：
<!-- Proof-of-concept form as given in the report; the <form> tag is written
     self-closing here, and the file input is the 'pic' field uploadpic() reads -->
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀（small_）。
修复方案：

\api\StatusesApi.class.php
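function uploadpic(){
    /**
     * Save the uploaded image $_FILES['pic'] into the temp upload directory.
     *
     * 20121018 @yelo: added upload type validation.
     * Review: the validated extension is now also what the stored file is named
     * with (the original kept everything after the first '.' of the client name,
     * so "x.php.jpg" passed the whitelist yet was stored as "<md5>.php.jpg");
     * the upload error code and is_uploaded_file() are checked, the content must
     * parse as an image, and only move_uploaded_file() is used (copy() does not
     * verify that tmp_name is a real upload).
     *
     * @return array 'boolen' => 1 plus 'type_data' and 'picurl' on success;
     *               'boolen' => 0 plus 'message' on failure.
     */
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $file = isset($_FILES['pic']) ? $_FILES['pic'] : null;
    $ext = '';
    $uploadCondition = false;
    if ($file && isset($file['error']) && $file['error'] === UPLOAD_ERR_OK
        && isset($file['tmp_name']) && is_uploaded_file($file['tmp_name'])) {
        $pathinfo = pathinfo($file['name']);
        // pathinfo() yields the LAST extension; lower-cased for the strict whitelist match.
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        // Whitelist by extension and confirm the bytes parse as an image
        // (getimagesize() returns false for non-image data).
        $uploadCondition = in_array($ext, $allowExts, true)
            && @getimagesize($file['tmp_name']) !== false;
    }

    if ($uploadCondition) {
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // The stored name uses only the whitelisted extension, never the client-supplied name.
        $filename = md5(time().'teste').'.'.$ext;
        if (@move_uploaded_file($file['tmp_name'], $savePath.'/'.$filename)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}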