When an image is uploaded with a weibo post, validation is performed only on the front end; the server does no security filtering at all.

\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method performs no validation of the file type.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found on the newly posted weibo (strip the small_ / middle_ prefix from the thumbnail name).

After logging in to the official ThinkSNS weibo, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
    <textarea name="content">test</textarea>
    file: <input id="file" type="file" name="pic" />
    <input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the image name shown on the post.

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
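The fix above whitelists the client-supplied extension, which stops the reported issue, but the stored file name is still built by substr() from the first dot of the client's file name rather than from the validated extension, and the file's content is never inspected. The following is an added example of a stricter server-side check, not ThinkSNS code: it keeps the extension whitelist, additionally requires finfo and getimagesize() to identify the bytes as an image of the same type, and generates the stored name from the detected type and a random value. The result keys (boolen, type_data, picurl) and SITE_PATH follow the page's uploadpic(); the function names and the sample files are my own.

```php
<?php
// Added example (not ThinkSNS's own code): validate an uploaded image by its
// content as well as its extension, and never let the client file name reach disk.

const ALLOWED_IMAGE_MIME = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Returns the extension the file should be stored under, or null if the
 * upload must be rejected. $file is one entry of $_FILES.
 */
function validateImageUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_file($file['tmp_name'] ?? '')) {
        return null;
    }
    // Whitelist the client-supplied extension; only the final extension is considered.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!in_array($ext, ALLOWED_IMAGE_MIME, true)) {
        return null;
    }
    // Identify the actual bytes; $file['type'] is client-declared and ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_MIME[$mime])) {
        return null;
    }
    // The image decoder must agree with finfo about the type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // Detected type and declared extension must match, so the stored name is truthful.
    return ALLOWED_IMAGE_MIME[$mime] === $ext ? $ext : null;
}

/**
 * Stores a validated upload under a random name and returns the same result
 * shape as uploadpic(). move_uploaded_file() refuses paths that PHP did not
 * receive as uploads, so it is used alone (no copy() fallback).
 */
function storeImageUpload(array $file, string $savePath): array
{
    $ext = validateImageUpload($file);
    if ($ext === null) {
        return ['boolen' => 0, 'message' => 'Upload rejected'];
    }
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $savePath . '/' . $filename)) {
        return ['boolen' => 0, 'message' => 'Upload failed'];
    }
    return [
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => (defined('SITE_PATH') ? SITE_PATH : '') . '/uploads/temp/' . $filename,
    ];
}

// Offline demonstration with constructed files (a real 1x1 GIF and a text file).
$dir = sys_get_temp_dir();
$gif = $dir . '/sample_upload.gif';
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$txt = $dir . '/sample_upload.txt';
file_put_contents($txt, "just text, not an image\n");

$cases = [
    'GIF bytes, name photo.gif'  => ['name' => 'photo.gif', 'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK],
    'GIF bytes, name photo.txt'  => ['name' => 'photo.txt', 'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK],
    'text bytes, name photo.jpg' => ['name' => 'photo.jpg', 'tmp_name' => $txt, 'error' => UPLOAD_ERR_OK],
];
foreach ($cases as $label => $file) {
    $ext = validateImageUpload($file);
    printf("%-28s %s\n", $label, $ext === null ? 'rejected' : 'accepted as .' . $ext);
}
```

Only the first case is accepted: the second fails the extension whitelist and the third fails the content check even though its extension is allowed. Because the stored name is derived from the detected type rather than from the client file name, the multi-dot name handling in the original substr() call is no longer a concern.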