Image uploads for microblog posts are validated only on the front end; the server side performs no security filtering at all.
\api\StatusesApi.class.php

function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method performs no validation of the file type.

You can build a form, choose an arbitrary file, and submit it to

/index.php?app=w3g&mod=Index&act=doPost

The URL of the uploaded file can then be found in the newly created microblog post (strip the small_ / middle_ prefix).

After logging in to the official ThinkSNS microblog, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>

Strip the thumbnail prefix (small_) from the resulting image URL.
Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
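The fix above checks the extension that pathinfo() returns (the text after the last dot) but still builds the stored filename from everything after the first dot, and it still accepts copy() as a fallback to move_uploaded_file(). The following is an added example, not ThinkSNS code, of how a reviewer would tighten the same check: derive the extension once and reuse it, allowlist by extension and by file content, accept only real HTTP uploads, and let the server choose the filename. The names validateImageUpload() and saveImageUpload() and the $saveDir argument are assumptions; SITE_PATH and _getSaveTempPath() are the project's own, as used in uploadpic().

```php
<?php
// Added example, not ThinkSNS code: a hardened replacement for the checks in
// uploadpic(). Assumed names: validateImageUpload(), saveImageUpload(), and a
// $saveDir that the caller obtains from _getSaveTempPath().

function validateImageUpload(array $file)
{
    // Extension -> MIME type that the file's magic bytes must report.
    $allowed = array(
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    );

    // 1. Trust PHP's own upload bookkeeping before touching anything else.
    if (!isset($file['error'], $file['tmp_name'], $file['name'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return array('ok' => false, 'reason' => 'no clean upload');
    }

    // 2. Only accept files that really arrived through the HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return array('ok' => false, 'reason' => 'not an uploaded file');
    }

    // 3. Derive the extension once, from the last dot, and reuse that value
    //    everywhere; never take "everything after the first dot".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return array('ok' => false, 'reason' => 'extension not allowed');
    }

    // 4. Check content, not just the name: magic bytes must match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowed[$ext]) {
        return array('ok' => false, 'reason' => 'content does not match extension');
    }

    // 5. It must also parse as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        return array('ok' => false, 'reason' => 'not a parseable image');
    }

    // 6. Server-chosen, unpredictable name; the client's name is never reused.
    return array('ok' => true, 'filename' => bin2hex(random_bytes(16)) . '.' . $ext);
}

function saveImageUpload(array $file, $saveDir)
{
    $check = validateImageUpload($file);
    if (!$check['ok']) {
        // Same response shape as uploadpic(); the precise reason goes to the server log only.
        error_log('uploadpic rejected: ' . $check['reason']);
        return array('boolen' => 0, 'message' => '上传失败');
    }

    $dest = rtrim($saveDir, '/') . '/' . $check['filename'];
    // move_uploaded_file() only, never copy(): it refuses non-upload sources.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array('boolen' => 0, 'message' => '上传失败');
    }
    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $check['filename'],
        'picurl'    => SITE_PATH . '/uploads/temp/' . $check['filename'],
    );
}

// Usage inside the controller (SITE_PATH is the project's own constant):
// $result = saveImageUpload($_FILES['pic'], $this->_getSaveTempPath());
```

random_bytes() needs PHP 7 or later and the finfo check needs the fileinfo extension; on older installs substitute openssl_random_pseudo_bytes() and mime_content_type(). A content check alone is not a complete defence, because a file can be a valid image and still carry other content, so the upload directory should additionally be served with script execution disabled (for example `php_flag engine off` in the web server configuration for /uploads) so that whatever lands there is only ever returned as static data.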