微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
\api\StatusesApi.class.php
function uploadpic(){
    // Stores the file posted as $_FILES['pic'] in the temp upload directory
    // and returns a result array: boolen (1 on success, 0 on failure),
    // type_data (path relative to the uploads dir) and picurl (absolute URL)
    // on success, message on failure.
    //
    // NOTE(review): this version performs no server-side validation at all:
    // $_FILES['pic']['error'] is never checked and neither the extension nor
    // the content of the file is restricted, so a file of any type is written
    // to the temp directory and exposed under the returned picurl.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // The stored extension is copied verbatim from the client-supplied
        // name, starting at the FIRST dot, so "a.php.jpg" becomes
        // "<md5>.php.jpg".
        // NOTE(review): md5(time().'teste') is guessable and two uploads in
        // the same second get the same name (the later one overwrites).
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() does not verify that tmp_name is a genuine PHP upload the way
        // move_uploaded_file() does; failures of both calls are silenced with @
        // and surface only as the else branch below.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证

可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
在登录thinksns官方微博后,
构建以下表单:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )

修复方案:
\api\StatusesApi.class.php
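function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation.
     *
     * Stores the file posted as $_FILES['pic'] in the temp upload directory.
     * Returns an array: boolen (1 on success, 0 on failure); on success also
     * type_data (path relative to the uploads dir) and picurl (absolute URL);
     * on failure message.
     *
     * The upload is accepted only if all of the following hold:
     *  - the field is present, has no upload error and tmp_name is a genuine
     *    PHP upload (is_uploaded_file);
     *  - the extension of the client-supplied name is in $allowExts
     *    (case-insensitive), and that same extension is used for the stored
     *    name, so "x.php.jpg" can never be saved as "<md5>.php.jpg";
     *  - the file content decodes as an image of a matching type, so a script
     *    renamed with an image extension is rejected.
     */
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

    $file = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : null;

    // Reject anything that is not a complete, genuine upload before touching it.
    $uploadCondition = $file !== null
        && isset($file['error'], $file['tmp_name'], $file['name'])
        && $file['error'] === UPLOAD_ERR_OK
        && is_uploaded_file($file['tmp_name']);

    $ext = '';
    if( $uploadCondition ){
        // pathinfo() yields the part after the LAST dot; a name without any
        // extension gives '' and is rejected by the whitelist below.
        $pathinfo = pathinfo($file['name']);
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        $uploadCondition = in_array($ext, $allowExts, true);
    }

    if( $uploadCondition ){
        // Content check: index 2 of getimagesize() is the IMAGETYPE_* constant.
        // Warnings for unreadable/garbage input are suppressed, as elsewhere in
        // this method; the failure is reported through $result instead.
        $imageInfo = @getimagesize($file['tmp_name']);
        $uploadCondition = $imageInfo !== false && in_array($imageInfo[2], $allowTypes, true);
    }

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Unique stored name: the previous md5(time().'teste') collided for
        // uploads within the same second (later one overwrote the earlier)
        // and was trivially guessable.
        $filename = md5( uniqid('pic', true).mt_rand() ).'.'.$ext;
        $target = $savePath.'/'.$filename;
        // Both calls are kept in the original order; failures surface as the
        // else branch, which is why their warnings are suppressed.
        if(@copy($file['tmp_name'], $target) || @move_uploaded_file($file['tmp_name'], $target))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}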
# ^; j! z* B' O) n" J1 h% P; @$ z
|