微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。$ u. p: |) l! U# _/ b
W! t! A, h+ O* a+ M
: W* x$ {) O% `\api\StatusesApi.class.php
9 b8 A# S( V2 E
2 E$ M! g' e: Z7 N4 cfunction uploadpic(){
+ G; `, z. v+ b) U4 [ if( $_FILES['pic'] ){( ? G( H' B/ j, B7 P9 y
//执行上传操作
: q4 o' x/ `! \6 @. w$ h" b ?9 S $savePath = $this->_getSaveTempPath();
. e4 T6 I/ Y( y8 J $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);8 r/ v5 f; o1 Y( t
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))! h& @. h3 h- s0 r6 J; W4 G4 P! _
{
3 A! g" R) [0 M J; `+ N% V* N $result['boolen'] = 1;! Y8 g& ^ T, `
$result['type_data'] = 'temp/'.$filename;
, _3 M) V9 Q, ?* L ] $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
A" {# H6 I* c) w, W' j } else {+ M F4 G: H3 R( ?4 O; H w7 ^
$result['boolen'] = 0;; I: {% E( `* g3 [. \8 `
$result['message'] = '上传失败';
( i. W- @7 e3 L" ]8 P9 u _8 \ }6 L9 j0 l2 T7 v( M- v/ S
}else{+ {, T2 y6 x# W2 c, B* W1 o
$result['boolen'] = 0;
8 L! C* v' F, x9 E $result['message'] = '上传失败';
5 q: L8 o1 ] Z- `# i }
4 S* }* y; U1 ]: v6 S! Sreturn $result;
! K6 A- P5 h" a6 T8 f }
$ Q$ o* \2 {6 y' v9 k# Q5 Z% H) runloadpic()方法没有对文件类型进行验证
( @* e6 B* l) f! {4 c" g7 @
( r) O; F9 T" v1 r6 Y2 i5 Y+ L可以构建表单, 选择任意文件, 提交到
2 h, m8 [* ^( q( P/index.php?app=w3g&mod=Index&act=doPost4 Q( m3 [* T# X! w1 B
0 U- l7 Y) A* ?" z
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)1 \( x' J2 ]: b4 P
6 ?& [6 B0 |. a
7 \" _+ T4 _! l" _. \
在登录thinksns官方微博后,
$ |! Y5 ]$ A. ^5 N构建以下表单:
6 D4 w! R" }5 W. [* W$ ]& q
- Y. q2 M0 J- ^& _% D3 i<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
. f8 L2 e; }2 b+ M# y9 ?, b9 x<textarea name="content">test</textarea>
L7 @, B- b; T; _* C5 W" _ X2 H$ }file: <input id="file" type="file" name="pic" />
* z' i# c% |, |& Y3 `* T3 x5 L' l<input type="submit" value="Post" />, B. O J/ {4 e/ M
</form>( N8 b6 p# ^& ~- h9 o
去掉缩略图的前缀(small_ )
, K9 U" F' Z% `修复方案:
, f9 x3 ]: o- B9 N" v j, ~" W4 L$ }) o' |
4 a: q7 g6 U h' F
\api\StatusesApi.class.php
( R5 h- z/ J& ~* [# ^2 W' z3 N + [- q" V3 k- M+ g$ c" k- D
function uploadpic(){* j* O) _9 q7 o* w
/**& W6 G$ i# C1 W0 ]' r+ j: ]" c
* 20121018 @yelo
8 w* N6 d4 `9 N3 B+ `) ^ * 增加上传类型验证
4 O5 i; y! y& }+ G */& v+ [6 E+ N5 c
$pathinfo = pathinfo($_FILES['pic']['name']);
( J( ]( Z0 r+ E/ ] $ext = $pathinfo['extension'];
/ V+ K V! e# W: y" y2 l $allowExts = array('jpg', 'png', 'gif', 'jpeg');9 b/ d9 S0 I) ?2 R8 F
& D( m* p4 y; Z. I $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);0 R4 v( [' o' o8 b
" b5 N- }# m( [: J( M5 D. F; L if( $uploadCondition ){
! S) ^* T. h5 [' M- o# _ //执行上传操作$ l! M9 k# J; N7 ^6 p" D7 F, _9 z2 a
$savePath = $this->_getSaveTempPath();" y9 y5 x5 U* u4 E. E
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
0 [) v" C8 n, N! B if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename)), P# o) h) k& z* z
{/ k9 T$ a% f( B7 Z
$result['boolen'] = 1;
( B" m2 J' O9 m. c $result['type_data'] = 'temp/'.$filename;; C( T3 E) C4 v, B) s' o- R
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;. ^. g. H3 t! W0 H& A- _' ]
} else {: U. W5 m. }8 B) m* ]; q
$result['boolen'] = 0;
n4 s; ^8 M0 ` T* ?- J $result['message'] = '上传失败';- Z# k. |, H6 G1 ?) m
}. p6 ]7 J$ s0 Z. A0 _ d4 l
}else{
( E7 S" M( e$ U& N* K# \ $result['boolen'] = 0;
$ s3 K1 G% g) Z$ k" ? $result['message'] = '上传失败';( F+ `- I7 x- \& U7 y4 l" L( A
}' A3 m0 t, V9 }
return $result;- [; B6 S5 Q1 A+ n, p, E# Y5 ]
}
/ x5 P2 H+ L% Z. m! J6 ]
( W) \7 F) Y! b z9 M. g; }/ Q* A( P# C* X8 B0 |
|
发表于 2012-12-4 11:12:30
收藏
支持
反对