微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。 G- `* t6 D' ?2 g+ `7 I
- o i2 q* L! v% I9 c " a' a& l8 V) T5 W7 Q
\api\StatusesApi.class.php% [+ q/ z: |9 L& b) e2 S* l* {% S4 k
$ K7 P+ p" k# R6 D. Vfunction uploadpic(){
* ]2 u0 b+ \; g& ?$ S) K6 C if( $_FILES['pic'] ){9 J0 j) Q, O& U$ C
//执行上传操作* q! i7 S# Q# |0 X5 c
$savePath = $this->_getSaveTempPath();' S' r1 e. r/ @+ W* w# p( M
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
. z( @" d& E; R: ]# V4 a if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))' z2 e% z; i$ l6 R ^+ e* H: N
{
y2 W5 H5 n: C& \) P $result['boolen'] = 1;
& B) }/ a9 a, m3 V $result['type_data'] = 'temp/'.$filename;
! p8 Y1 L t1 p2 G! k6 M $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
8 X$ m! V; e. O4 F5 } } else {) v, }- c: W6 f
$result['boolen'] = 0;
e* w( J# w. W# C4 K $result['message'] = '上传失败';) a9 e: Z1 Q- u1 T
}
" ?/ X" s" V0 F }else{7 d4 a7 F" I) A, G5 C* O
$result['boolen'] = 0;, q" x; b4 Z) f! Q
$result['message'] = '上传失败';
; F# F5 g' K. n9 J* I }
0 R% I2 V/ p" j- u. T( u! E" B9 Kreturn $result;4 m5 Z( |5 b% W
}
$ s. F3 F* m. P. U1 aunloadpic()方法没有对文件类型进行验证6 \) P% h5 `; S, K. |9 Q# m
- G+ E; }7 Z3 u" w' `
可以构建表单, 选择任意文件, 提交到$ ~' m) j, O! @! x8 K8 L
/index.php?app=w3g&mod=Index&act=doPost
0 x9 g8 z* R) A/ H* {0 o, R6 X
' p+ x% P7 F( D在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
0 I5 o. D7 h2 ]+ }2 i) ]3 M2 ~# x: M# Q' u$ R# O
5 z( n) O1 p( A* \6 |8 \0 J \# c
在登录thinksns官方微博后,
$ y7 g$ h% W* Y. o; j, J) c# o构建以下表单:$ B7 ^3 _. D `
# y& u, h" U M% w/ E
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />. a0 @6 h$ D9 G6 t6 k4 U% `
<textarea name="content">test</textarea>
5 g: r' E) N% ?* j5 |file: <input id="file" type="file" name="pic" />
" u/ i2 Q6 w7 g w; t<input type="submit" value="Post" />* @7 n- _/ D6 w
</form>
/ R' ?$ O$ x7 Y J# `去掉缩略图的前缀(small_ )
7 r- X! f, G, K& X3 ^修复方案:
& _4 P) a7 ^1 R! ^2 n v; C" _- A' z$ D
- g; n8 R5 f2 z5 u: O6 S
\api\StatusesApi.class.php* P, W% g* P% D- L e1 z3 k6 o
3 r+ D# V& d$ F) l" Ofunction uploadpic(){$ B! y# q5 H* i9 J7 c; U
/**
! C) u) _9 y, N& q, N5 [9 r * 20121018 @yelo2 S0 | {# r3 W' T9 y" f F
* 增加上传类型验证( z6 }2 w+ L4 J) r
*/$ L1 i1 E; \7 K: n3 h2 ~, H
$pathinfo = pathinfo($_FILES['pic']['name']);
" H0 s5 a2 j# k9 @) }1 j2 P6 p $ext = $pathinfo['extension'];
( u3 v0 X* @, u4 p* W; Y $allowExts = array('jpg', 'png', 'gif', 'jpeg');
7 }9 l2 s2 @: F+ @1 p
d5 _0 o4 J, I $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);2 e5 T4 w& |4 ^
; S* Y1 j! f& b% S if( $uploadCondition ){
- }* X" r) ^* h# n7 x- W //执行上传操作
7 R/ i9 I( n: b6 P2 r" G Z0 F $savePath = $this->_getSaveTempPath();6 U& s3 ]9 @ h7 l( A) |! ~
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
8 F# ?/ |. A+ } Y if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
* M7 O: U7 \: O+ w5 w {. A/ G M- D5 V# A! I. \
$result['boolen'] = 1;( o$ }# M; G% O, B' I5 J
$result['type_data'] = 'temp/'.$filename;
3 Z! k! m3 [/ n' d% t7 J3 A $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
Q/ _! d- s3 c. R. Y: u4 i# W } else {0 ` {' L3 Y: X/ Z& e4 x! e9 ?9 i
$result['boolen'] = 0;
D: G1 |' C X+ C9 H $result['message'] = '上传失败';0 U u* f b6 X- m4 W
}2 v$ Y; U/ i. L$ r4 N' i% f
}else{
5 r6 k. y$ x1 q $result['boolen'] = 0;: P* S a) N# i( o6 K, x
$result['message'] = '上传失败';
; ~' P( `) q8 a) g# m }
9 x0 |9 e% H/ `0 U6 \" y2 h# M1 L% Hreturn $result;5 E* | @& n0 N) X/ g/ h" U I
}: \% ~0 {) \) I/ v
+ Y% h- O) P5 u" c1 ]2 ^- K
7 ?$ P' @& E$ e. z |
发表于 2012-12-4 11:12:30
收藏
支持
反对