微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
- c1 G8 Z) A& f4 J* b
0 `( ]' V( E6 K- R
\api\StatusesApi.class.php
7 I! |' n: ^# j# h5 F5 z, ]* N, e
function uploadpic(){
    // Original (vulnerable) implementation: stores the file posted under 'pic' in
    // the temp upload directory. The only condition checked is that $_FILES['pic']
    // is truthy; neither the extension nor the file content is validated on the
    // server side, which is the defect this report describes.
    //
    // Returns: array with 'boolen' => 1, 'type_data' and 'picurl' on success, or
    // 'boolen' => 0 and 'message' on failure. Note that $result is never
    // initialised before the branches below assign into it.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Name = md5 of the current second (so two uploads in the same second get
        // the same name and overwrite each other) + everything after the FIRST dot
        // of the client-supplied name, taken verbatim with no allow-list.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is attempted first and has no is_uploaded_file() check, so the
        // safeguard built into move_uploaded_file() is never reached on the
        // success path; '@' hides any warning from either call.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_前缀)
/ \! j, h# I- _% k( v% x
7 F! l1 j" M m9 T2 h ^- Q- u6 M! K/ t( i0 g8 Y8 c# B+ C
在登录thinksns官方微博后,
构建以下表单:
- w% z n+ c7 O- o8 O
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )
修复方案:
2 }" Z. f8 [* u7 T
\api\StatusesApi.class.php
0 b; c8 n# d# e
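function uploadpic(){
    /**
     * 20121018 @yelo
     * Added server-side upload type validation.
     *
     * Stores the file posted under 'pic' in the temp upload directory, but only
     * when it is a genuine PHP upload that completed without error, its
     * extension is on the allow-list, and its bytes parse as an image.
     *
     * @return array 'boolen' => 1 plus 'type_data' and 'picurl' on success;
     *               'boolen' => 0 plus 'message' on any failure.
     */
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // Read the entry defensively: the original indexed $_FILES['pic'] before
    // checking it existed.
    $file = isset($_FILES['pic']) ? $_FILES['pic'] : null;
    $uploadCondition = is_array($file)
        && isset($file['error']) && $file['error'] === UPLOAD_ERR_OK
        && isset($file['tmp_name']) && is_uploaded_file($file['tmp_name']);

    $ext = '';
    if ($uploadCondition) {
        // pathinfo() yields the part after the LAST dot; it omits 'extension'
        // entirely when the name has none, so guard the key before reading it.
        $pathinfo = pathinfo($file['name']);
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        $uploadCondition = in_array($ext, $allowExts, true);
    }

    if ($uploadCondition) {
        // The extension is client-controlled; additionally require the content
        // to parse as an image. getimagesize() returns false for non-image data
        // (and may emit a notice while doing so, hence the suppression).
        $uploadCondition = @getimagesize($file['tmp_name']) !== false;
    }

    if ($uploadCondition) {
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Build the stored name from the *validated* extension only, never from
        // the remainder of the client name, so "a.php.jpg" cannot become
        // "<hash>.php.jpg" on disk. uniqid() also avoids the same-second
        // collisions that md5(time()) produced.
        $filename = md5(uniqid('', true)).'.'.$ext;
        $target = $savePath.'/'.$filename;

        // move_uploaded_file() refuses anything that is not a genuine upload;
        // the former copy() fallback had no such check and is dropped.
        if (move_uploaded_file($file['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}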
5 G9 ~) o, c/ L2 q' i; I4 {& E O, r" P+ g* n- A# P
: \3 Y' M2 D; E1 C) y- f" I4 F) ^ |