When an image is uploaded with a microblog post, validation is done only on the front end; the server side performs no security filtering.

\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // the stored extension is everything after the first '.' of the client-supplied name
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type.

A form can be built, any file selected, and submitted to
/index.php?app=w3g&mod=Index&act=doPost
The address of the uploaded file can then be found on the newly posted microblog (strip the small_ and middle_ prefixes).

After logging in to the official ThinkSNS microblog, build the following form:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_).

Fix:

\api\StatusesApi.class.php

function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
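Two things are worth noting about the fix above, reading only the code as shown: it checks the last extension via pathinfo(), but the stored filename still takes everything after the first '.' of the client-supplied name (substr/strpos), and it still falls back to copy() when move_uploaded_file() fails. An extension check also says nothing about the file's content. The following is an added example written here, not ThinkSNS code, of a stricter handler that returns the same 'boolen'/'message'/'type_data'/'picurl' array shape as uploadpic(). The function name saveUploadedImage, the constant ALLOWED_IMAGE_TYPES and the $saveDir/$sitePath parameters are assumptions of this example.

```php
<?php
// Added example, not ThinkSNS code. Assumed names: saveUploadedImage,
// ALLOWED_IMAGE_TYPES, $saveDir, $sitePath.

// Sniffed MIME type => the single extension that will be written to disk.
// The on-disk extension comes from this table, never from the client filename.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and move it into $saveDir.
 * Returns the same result keys as the page's uploadpic().
 */
function saveUploadedImage(array $file, string $saveDir, string $sitePath): array
{
    $fail = ['boolen' => 0, 'message' => '上传失败'];

    // 1. PHP upload status: rejects partial uploads, size-limit hits, missing file.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return $fail;
    }

    // 2. Only files that really arrived through the HTTP POST. The original
    //    copy() fallback would accept any readable path, not just uploads.
    if (!is_uploaded_file($file['tmp_name'])) {
        return $fail;
    }

    // 3. Claimed extension: last component only, lower-cased, jpeg folded to jpg.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!in_array($ext, ALLOWED_IMAGE_TYPES, true)) {
        return $fail;
    }

    // 4. Content check: the bytes must sniff as an allowed image type, that
    //    type must agree with the claimed extension, and it must parse as an image.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime]) || ALLOWED_IMAGE_TYPES[$mime] !== $ext) {
        return $fail;
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return $fail;
    }

    // 5. Server-chosen name: random, with exactly one extension from the table.
    //    Nothing from the client filename reaches the filesystem.
    $filename = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $dest     = rtrim($saveDir, '/') . '/' . $filename;

    // 6. move_uploaded_file() only; no copy() fallback.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return $fail;
    }

    return [
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => $sitePath . '/uploads/temp/' . $filename,
    ];
}

// Assumed call site inside the API method:
// $result = saveUploadedImage($_FILES['pic'] ?? [], $this->_getSaveTempPath(), SITE_PATH);
```

The important design point is that the extension written to disk is looked up from the sniffed MIME type rather than copied from the request, so a name such as x.php.jpg can never produce a stored file containing "php" in its name, and a file whose bytes are not an image is rejected regardless of what its name claims. The upload directory should additionally be configured so the web server does not execute scripts from it; that is a server configuration matter outside this code.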