微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。0 Y6 k( ~6 h! Q6 F8 o& {/ I
; }9 W- v/ d# S$ Q: ?. x- j" P
; E0 b3 }3 M& D/ p
\api\StatusesApi.class.php( U! q4 t8 w% ?( l
5 ?2 `" k& `% u( a4 V& ]% P8 e
function uploadpic(){
; q# Q) u9 X5 k6 ^ F1 Q( { if( $_FILES['pic'] ){8 Z& g1 d! t0 N+ L( C3 e: G
//执行上传操作3 l! W' l) u0 h, S7 B# U/ E
$savePath = $this->_getSaveTempPath();
6 S/ ^. E# Q! S* T $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
& L$ k! J; p" N+ I* G8 U5 C) e- R if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))7 ~. [- ?# Y) Q6 n
{
( W0 r- s: g1 v4 I; ] $result['boolen'] = 1;# i5 ]9 }8 I4 B* B( R
$result['type_data'] = 'temp/'.$filename;. K8 g) ?& z8 y5 l x* z
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;# f4 |; U& a6 [3 u* n, _0 T- l7 |8 R) _
} else {
8 F$ S, J4 q* E7 K) `7 Q: e4 c5 F $result['boolen'] = 0;9 K% B& k( ^' D& U7 ^. j
$result['message'] = '上传失败';
, p+ \ \/ \6 O8 j }
& G" ^' u6 v. M0 V( }; P9 [ }else{
, a- F/ V4 j: }% c4 T $result['boolen'] = 0;! X1 x I* H+ {$ i
$result['message'] = '上传失败';
9 g4 c8 w1 i2 r }
$ j7 [. ~1 g6 D5 A/ Wreturn $result;
0 w5 J$ e) d5 u4 y! h) R4 L8 G* V }
0 s. \2 `- {" |1 | [* U$ _unloadpic()方法没有对文件类型进行验证
. S% E: ]7 \3 k$ P: Y8 ^ , E0 b' k. I6 Z: e
可以构建表单, 选择任意文件, 提交到
: f3 _5 r1 L% K& y* j; o. C/index.php?app=w3g&mod=Index&act=doPost
! f4 V# Y0 Y" [
, L' {2 }/ n1 t在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)( F( d6 S5 M- E
' i1 z. ~' x( x) B2 f
! H+ \* G) j' t- M) s" ^在登录thinksns官方微博后," f& u, r' |2 J
构建以下表单:2 e- |6 A) r& B" d. F
7 g. n f- X( K6 ~# U( ?
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
2 A- `% u$ ` w" P<textarea name="content">test</textarea>
. }! K8 E: I4 y# ?3 Ofile: <input id="file" type="file" name="pic" />
7 ]; m4 Y# p7 ?2 M! a+ O1 l<input type="submit" value="Post" />! {% _1 [/ ]! E4 m) I0 C& I
</form>5 e. j. O2 r; L1 G8 S3 c
去掉缩略图的前缀(small_ )
' j/ Z4 ]2 J+ h3 R( W V4 }修复方案:4 h5 o1 `6 B. ]/ M) H$ B/ W$ C' u
( @( t9 @3 T' O. c$ T3 Y+ P7 n2 {( M" |6 s
\api\StatusesApi.class.php
. v/ Z- R. \7 j2 ~0 e& G' {9 p
% K7 B1 y, W; \' x8 I9 qfunction uploadpic(){
8 x* I% P: t2 F& U! A /**6 }' ]4 V+ e- X& b( J. q! W" W! v6 @
* 20121018 @yelo
/ K( ]. D) c: a- U+ R * 增加上传类型验证7 Z5 Z/ Q* z3 ]7 I1 K& i, P: t3 M
*/
0 t" v& u& W. M) e3 G $pathinfo = pathinfo($_FILES['pic']['name']);
- z# R V- Z. G, n3 s' M1 d# l $ext = $pathinfo['extension'];+ Z* i1 b4 p7 x
$allowExts = array('jpg', 'png', 'gif', 'jpeg');
$ h; `" O& L; H- u7 Y: Q1 w7 V
6 ~" v! T% \ B8 ^- b $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);/ X& Q2 C5 w$ j- G8 P# N3 p
+ d. X$ y! m5 W
if( $uploadCondition ){
; B( }3 i- l! O. ^% m# ]9 N3 M //执行上传操作
' E. Z3 f1 a7 ]( K( ~2 ]: V $savePath = $this->_getSaveTempPath(); L, c2 {: q9 @2 C; }+ Z
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
, }* Y' f7 D2 y. g2 l, K1 W if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))! x) X- j& b: t/ G. y
{
, a. \% d' v- i6 ] $result['boolen'] = 1;) u1 t- `: v$ g' |' l* ~
$result['type_data'] = 'temp/'.$filename;1 ?, P/ F: u: M9 K4 l8 ~2 y
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;4 m! i6 L" d: }0 } c8 h
} else {
2 _5 A# X( X y* M& q. G F4 Z( G. h- U $result['boolen'] = 0;- g/ W, w2 ], [1 q' j3 ?
$result['message'] = '上传失败';0 u, u4 M* x: V3 w; V& J, y
}
- _% r" f1 a. e g! g }else{- H4 S! ~- w7 S4 s5 Y5 w$ k4 k; p
$result['boolen'] = 0;5 e" e+ w' N& I. _: @
$result['message'] = '上传失败';
) n' J( U/ l! F' K* z+ v }. b9 |; K+ e, V
return $result;+ N+ c; `' f9 x: x
}' k1 F" Z8 j9 F `
) h. t% d; G3 j$ d
) |/ R+ |. ~# F. n* v
|
发表于 2012-12-4 11:12:30
收藏
支持
反对