微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。

\api\StatusesApi.class.php
/**
 * Vulnerable version (as reported): stores whatever arrives in $_FILES['pic']
 * under the temp upload directory and returns its URL.
 *
 * Server-side it never checks the file's type: the only condition is that
 * $_FILES['pic'] is truthy, so any extension and any content is written to disk.
 *
 * @return array 'boolen' => 1 with 'type_data' and 'picurl' on success,
 *               'boolen' => 0 with 'message' on failure
 */
function uploadpic(){
    // Only gate: the field exists. No extension, MIME or content validation anywhere in this method.
    if( $_FILES['pic'] ){
        // perform the upload (original comment: 执行上传操作)
        // _getSaveTempPath() is defined elsewhere in this class; presumably the uploads/temp directory — verify.
        $savePath = $this->_getSaveTempPath();
        // Name = md5(time().'teste') + everything after the FIRST '.' of the client-supplied name.
        // Two uploads in the same second get the same name (the second overwrites the first), a name
        // with several dots keeps all of its extensions, and the suffix is never compared to an allow-list.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried first; unlike move_uploaded_file() it does not verify that tmp_name is this
        // request's upload, and the '@' hides any warning from either call.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            // The public URL of the stored file is handed straight back to the uploader.
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证

可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost

在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)

在登录thinksns官方微博后,
构建以下表单:
<!-- Form from the report: it posts a file as the "pic" field, which is the input uploadpic() receives; the server-side check in uploadpic() is what must reject non-image content, since nothing in this form can be relied on. -->
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )

修复方案:

\api\StatusesApi.class.php

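/**
 * 20121018 @yelo
 * Added upload type validation (增加上传类型验证)
 *
 * Stores the file posted as $_FILES['pic'] in the temp upload directory and
 * returns where it went. The client-supplied name is treated as untrusted:
 * the stored name is generated server-side, the extension must be on the
 * allow-list, and the bytes must decode as a GIF, JPEG or PNG.
 *
 * @return array 'boolen' => 1 with 'type_data' and 'picurl' on success,
 *               'boolen' => 0 with 'message' on any failure
 */
function uploadpic(){
    // Every failure path returns this; only a fully validated, moved file overrides it.
    $result = array('boolen' => 0, 'message' => '上传失败');

    // Accept only a complete upload that PHP itself received in this request
    // (rules out a missing field, partial uploads, array fields and paths that are not upload temp files).
    if (!isset($_FILES['pic']) || !is_array($_FILES['pic'])
        || !isset($_FILES['pic']['error']) || $_FILES['pic']['error'] !== UPLOAD_ERR_OK
        || !isset($_FILES['pic']['tmp_name'], $_FILES['pic']['name'])
        || !is_string($_FILES['pic']['tmp_name']) || !is_string($_FILES['pic']['name'])
        || !is_uploaded_file($_FILES['pic']['tmp_name'])) {
        return $result;
    }

    // Take the LAST extension via pathinfo() and reuse exactly that value for the stored
    // name, so the checked extension and the written one can never differ
    // (the earlier substr/strpos kept everything after the first '.').
    $ext = strtolower(pathinfo($_FILES['pic']['name'], PATHINFO_EXTENSION));
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    if (!in_array($ext, $allowExts, true)) {
        return $result;
    }

    // The name proves nothing about content: the bytes must parse as one of the allowed image formats.
    $imageInfo = getimagesize($_FILES['pic']['tmp_name']);
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
    if ($imageInfo === false || !in_array($imageInfo[2], $allowTypes, true)) {
        return $result;
    }

    // perform the upload (执行上传操作)
    // _getSaveTempPath() is defined elsewhere in this class — presumably uploads/temp; verify.
    $savePath = $this->_getSaveTempPath();

    // Server-generated name from the per-upload tmp path plus uniqid(): nothing from the client
    // goes into it, and two uploads in the same second no longer collide the way md5(time().'teste') did.
    $filename = md5(uniqid($_FILES['pic']['tmp_name'], true)) . '.' . $ext;
    $target = $savePath . '/' . $filename;

    // move_uploaded_file() alone: it refuses anything that is not this request's upload, which the
    // previous copy() fallback did not, and without '@' so a failure is not hidden from the log.
    if (move_uploaded_file($_FILES['pic']['tmp_name'], $target)) {
        $result = array(
            'boolen' => 1,
            'type_data' => 'temp/' . $filename,
            'picurl' => SITE_PATH . '/uploads/temp/' . $filename,
        );
    }
    return $result;
}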