When a microblog post uploads an image, validation is done only on the front end; the server side performs no security filtering.

\api\StatusesApi.class.php

function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload (no check of the file type is made here)
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method performs no validation of the file type.

A form can be built, any file chosen, and submitted to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted microblog entry (remove the small_ and middle_ prefixes).

After logging in to the official ThinkSNS microblog, build the following form:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Remove the thumbnail prefix (small_).

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // the upload proceeds only if a file was sent and its extension is on the allowlist
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
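As an added example (not ThinkSNS code), the server-side allowlist from the fix above factored into a standalone function that can be run from the command line without a web server. It goes beyond the page's patch in two ways, both labelled in the code: it also requires the uploaded bytes to decode as an image, and it derives the stored filename from the validated extension only. The function name, the sample files and the result keys are constructed for this example.

```php
<?php
// Added example, not ThinkSNS code: the server-side allowlist from the fix,
// factored out of uploadpic() so it can be exercised without a web server.
// Beyond the page's patch it also requires the temp file to decode as an
// image and builds the stored name from the validated extension only.
function validateUpload(array $file, array $allowExts = array('jpg', 'png', 'gif', 'jpeg'))
{
    $fail = array('boolen' => 0, 'message' => 'upload failed');
    if (empty($file['name']) || empty($file['tmp_name']) || !is_file($file['tmp_name'])) {
        return $fail;
    }
    // Same test as the fix: last extension, lower-cased, strict allowlist match.
    $ext = strtolower((string) pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return $fail;
    }
    // Defence in depth (not in the page's patch): the bytes must be a decodable image.
    if (@getimagesize($file['tmp_name']) === false) {
        return $fail;
    }
    // Server-chosen random name; only the validated extension is reused.
    $filename = md5(uniqid('', true)) . '.' . $ext;
    return array('boolen' => 1, 'type_data' => 'temp/' . $filename);
}

// Constructed inputs (no real upload): a 1x1 GIF and a plain-text file.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, "not an image\n");

$cases = array(
    array('name' => 'cat.GIF',   'tmp_name' => $gif),  // allowed extension, real image
    array('name' => 'notes.txt', 'tmp_name' => $txt),  // extension not on the allowlist
    array('name' => 'fake.jpg',  'tmp_name' => $txt),  // allowed extension, non-image bytes
);
foreach ($cases as $case) {
    $r = validateUpload($case);
    echo $case['name'], ' => ', $r['boolen'] ? $r['type_data'] : $r['message'], "\n";
}
unlink($gif);
unlink($txt);
```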