When an image is uploaded with a weibo (microblog) post, validation happens only on the front end; the server side does no security filtering at all.
\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload; nothing checks the file's type or extension
        $savePath = $this->_getSaveTempPath();
        // stored name = md5(time().'teste') plus everything after the FIRST '.' of the client-supplied name
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "Upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败'; // "Upload failed"
    }
    return $result;
}
The uploadpic() method does not validate the file type.

You can build a form, choose any file, and submit it to
/index.php?app=w3g&mod=Index&act=doPost

The URL of the uploaded file can be found on the newly posted weibo (remove the small_ / middle_ prefix from the thumbnail URL).

After logging in to the official ThinkSNS weibo, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>

Then strip the thumbnail prefix (small_) from the image URL in the new post to reach the file as uploaded.
Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];   // the LAST extension of the client-supplied name
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // note: the stored name still keeps everything after the FIRST '.' of the original name,
        // so a name like a.php.jpg passes the extension check above and is stored as <md5>.php.jpg
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "Upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败'; // "Upload failed"
    }
    return $result;
}
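The fix above trusts the client-supplied filename twice: the extension it checks is the last one, while the name it stores keeps everything after the first dot, and the stored name is derived from time() to the second. The following is an added example, not ThinkSNS code, showing how the same upload branch looks when the type is decided from the file bytes and the stored name never reuses any part of the original name. The function names validate_image_upload(), make_stored_name() and store_validated_upload() are assumed, as is the caller-supplied $savePath (the original obtains it from $this->_getSaveTempPath()); the two sample files at the bottom are constructed inline so the check can be run offline.

```php
<?php
// Added example (not ThinkSNS code): content-based validation for the upload
// step in StatusesApi::uploadpic(). Function names are assumptions.

// MIME types as reported by getimagesize() from the file bytes, mapped to the
// extension the server assigns. The client-supplied name plays no part.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns the server-chosen extension, or null if the file is rejected.
function validate_image_upload(string $tmpPath): ?string
{
    // Parses the real image header: a text file named x.php.jpg yields false
    // here regardless of what its name or extension claims.
    $info = @getimagesize($tmpPath);
    if ($info === false || !array_key_exists($info['mime'], ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$info['mime']];
}

// Stored name built only from server-side randomness and the validated extension.
function make_stored_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;   // not guessable like md5(time().'teste')
}

// Replacement for the upload branch of uploadpic(); same $result shape as the original.
function store_validated_upload(array $file, string $savePath): array
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['boolen' => 0, 'message' => 'Upload failed'];
    }
    // Only a file PHP itself received in this POST may be moved (no copy() fallback).
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['boolen' => 0, 'message' => 'Upload failed'];
    }
    $ext = validate_image_upload($file['tmp_name']);
    if ($ext === null) {
        return ['boolen' => 0, 'message' => 'Only jpg, png and gif images are accepted'];
    }
    $filename = make_stored_name($ext);
    $dest = rtrim($savePath, '/') . '/' . $filename;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['boolen' => 0, 'message' => 'Upload failed'];
    }
    chmod($dest, 0644);   // the stored file is never executable
    return [
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => '/uploads/temp/' . $filename,
    ];
}

// Offline demonstration with constructed files. There is no HTTP upload here,
// so only the validation step is exercised, not is_uploaded_file()/move_uploaded_file().
$dir = sys_get_temp_dir();

// Constructed 1x1 GIF with a valid header: accepted.
$gif = $dir . '/sample.gif';
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
    . "\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    . "\x02\x02\x44\x01\x00\x3b");

// Constructed text file with a double extension: passes a name-based check,
// fails the content-based one.
$fake = $dir . '/x.php.jpg';
file_put_contents($fake, "<?php echo 'not an image';");

var_dump(validate_image_upload($gif));
var_dump(validate_image_upload($fake));

// Why the name-based fix is weaker: the extension it checks versus the
// suffix it actually stores, for the same client-supplied name.
$name = 'x.php.jpg';
var_dump(pathinfo($name, PATHINFO_EXTENSION));
var_dump(substr($name, strpos($name, '.') + 1));

unlink($gif);
unlink($fake);
```

Run it with `php example.php`. The first var_dump pair shows the GIF accepted and the text file rejected; the second pair shows that for x.php.jpg the page's fix validates "jpg" but stores "php.jpg", which is why the stored name in the example is built from the validated MIME type alone.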