微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
\api\StatusesApi.class.php
function uploadpic(){
    /**
     * Vulnerable version as reported.
     *
     * Takes the file uploaded as $_FILES['pic'], stores it in the temp save
     * path and returns an array describing the outcome:
     *   'boolen' => 1 with 'type_data' (relative path) and 'picurl'
     *   (absolute URL) on success, or 'boolen' => 0 with 'message' on failure.
     *
     * Review notes on what this version does NOT do:
     *   - no check of the upload's extension, MIME type or content; only the
     *     presence of $_FILES['pic'] is tested, and $_FILES['pic']['error']
     *     is never consulted;
     *   - the stored suffix is whatever follows the FIRST '.' of the
     *     client-supplied name, so a name with several dots keeps every
     *     suffix;
     *   - copy() is attempted before move_uploaded_file(); only the latter
     *     refuses a source that is not the current request's upload.
     */
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // md5(time().'teste') is unique only per second; the suffix comes
        // straight from the client name, not from any validated value.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // '@' hides any warning raised by either call.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
在登录thinksns官方微博后,
构建以下表单:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )
修复方案:
\api\StatusesApi.class.php
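function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation.
     *
     * Accepts the file uploaded as $_FILES['pic'], verifies that it is a
     * GIF/JPEG/PNG both by extension and by content, and moves it into the
     * temp save path under a server-generated name.
     *
     * @return array 'boolen' => 1 plus 'type_data' (relative path) and
     *               'picurl' (absolute URL) on success; 'boolen' => 0 plus
     *               'message' on failure. The keys are unchanged from the
     *               previous version, so callers keep working.
     */
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    // Image types accepted by content inspection; keep in step with $allowExts.
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

    $file = isset($_FILES['pic']) && is_array($_FILES['pic']) ? $_FILES['pic'] : null;

    // Reject a missing upload or a transport error before reading any name;
    // the earlier version called pathinfo() on $_FILES['pic']['name'] first.
    if (!$file || !isset($file['error'], $file['tmp_name'], $file['name']) || $file['error'] !== UPLOAD_ERR_OK) {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }

    // Extension check on the LAST suffix of the client-supplied name.
    $pathinfo = pathinfo($file['name']);
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    $extOk = in_array($ext, $allowExts, true);

    // Content check: the extension is client-controlled, so the bytes must also
    // parse as one of the allowed image formats. getimagesize() returns false
    // for non-images; '@' mirrors the file's existing tolerance of notices on
    // the I/O path. is_uploaded_file() guards against a forged tmp_name.
    $imageInfo = ($extOk && is_uploaded_file($file['tmp_name'])) ? @getimagesize($file['tmp_name']) : false;
    $contentOk = is_array($imageInfo) && isset($imageInfo[2]) && in_array($imageInfo[2], $allowTypes, true);

    if (!$extOk || !$contentOk) {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }

    // perform the upload
    $savePath = $this->_getSaveTempPath();
    // The stored name is built only from server-side values: a generated hash
    // plus the validated, lowercased extension. The previous
    // substr()/strpos() form copied everything after the FIRST '.' of the
    // client name, so a name with several dots kept its intermediate suffixes
    // even though only the last one had been checked. uniqid() replaces
    // md5(time().'teste'), which produced the same name for two uploads in
    // the same second.
    $filename = md5( uniqid('', true) ).'.'.$ext;
    // move_uploaded_file() (unlike copy()) refuses a source that is not the
    // current request's upload, so copy() is no longer tried first.
    if(@move_uploaded_file($file['tmp_name'], $savePath.'/'.$filename))
    {
        $result['boolen'] = 1;
        $result['type_data'] = 'temp/'.$filename;
        $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}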
3 m# G1 M9 w' e: I
7 \ R+ h$ n- e6 e2 b |