微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
\api\StatusesApi.class.php
function uploadpic(){
    /**
     * Vulnerable version (as reported): stores the POSTed 'pic' file in the
     * temp upload directory without any server-side check of its type.
     *
     * @return array  boolen (1|0); type_data and picurl on success, message on failure
     */
    // Presence check only: neither $_FILES['pic']['error'] nor the file type
    // is inspected before the file is written.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // The extension is everything after the FIRST '.' of the client-supplied
        // name and is written verbatim into the stored filename. There is no
        // allow-list, so the client chooses the extension of a file placed in a
        // web-reachable directory (see picurl below). The hash depends only on
        // the current second, so two uploads in the same second collide.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried first and does not verify that tmp_name is a
        // PHP-managed upload; only move_uploaded_file() applies that check.
        // Failures of both calls are silenced with '@'.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            // Public URL of the stored file.
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic() 方法没有对文件类型进行验证
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉 small_、middle_ 前缀)
在登录 thinksns 官方微博后,
构建以下表单:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
/ u& j7 z& {. ]9 {* K' m<textarea name="content">test</textarea>& {' f* U' ?1 ^( v
file: <input id="file" type="file" name="pic" />
& M' e+ Y( o. @ r1 i1 a. P @% |: G<input type="submit" value="Post" />
' C# p6 o0 o# B, N</form>
去掉缩略图的前缀(small_ )
修复方案:
\api\StatusesApi.class.php
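function uploadpic(){
    /**
     * 20121018 @yelo
     * 增加上传类型验证 (server-side validation of the uploaded file type)
     *
     * Validates the 'pic' field of a multipart POST and moves it into the
     * temp upload directory. A file is accepted only when PHP reports a
     * successful upload, tmp_name is a PHP-managed upload, the extension
     * (after the LAST dot, lower-cased) is in the allow-list and the content
     * parses as an image.
     *
     * @return array  boolen (1|0); type_data ('temp/<name>') and picurl on
     *                success, message on failure.
     */
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // Read the upload record defensively so a request without a file does
    // not trigger undefined-index notices before validation runs.
    $file = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : null;
    $tmpName = isset($file['tmp_name']) ? (string) $file['tmp_name'] : '';
    $clientName = isset($file['name']) ? (string) $file['name'] : '';
    $errorCode = isset($file['error']) ? (int) $file['error'] : UPLOAD_ERR_NO_FILE;

    // Extension after the last dot; a name without one yields '' and is rejected.
    $pathinfo = pathinfo($clientName);
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';

    $uploadCondition = $errorCode === UPLOAD_ERR_OK
        && $tmpName !== ''
        && is_uploaded_file($tmpName)            // never touch a path that is not a real upload
        && in_array($ext, $allowExts, true)
        && @getimagesize($tmpName) !== false;    // content must be an image, not merely named like one

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Build the stored name from the *validated* extension, never from the
        // raw client name: 'x.php.jpg' must become '<hash>.jpg', not
        // '<hash>.php.jpg'. uniqid() avoids the same-second collision of a
        // name derived from time() alone.
        $filename = md5( uniqid(time().'teste', true) ).'.'.$ext;
        $target = $savePath.'/'.$filename;
        // move_uploaded_file() only: copy() would accept any readable local path.
        if( @move_uploaded_file($tmpName, $target) ){
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            // Public URL of the stored file.
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}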