When uploading an image to a microblog post, the file is validated only on the front end; the server side performs no security filtering at all.
\api\StatusesApi.class.php

    function uploadpic(){
        if( $_FILES['pic'] ){
            // perform the upload: no check of the file type, only of its presence
            $savePath = $this->_getSaveTempPath();
            // stored name keeps everything after the FIRST dot of the client-supplied name
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
        return $result;
    }
The uploadpic() method performs no validation of the file type.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found on the newly posted microblog entry (strip the small_ and middle_ prefixes).

After logging in to the official ThinkSNS microblog, build the following form:
    <form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
    <textarea name="content">test</textarea>
    file: <input id="file" type="file" name="pic" />
    <input type="submit" value="Post" />
    </form>
Strip the thumbnail prefix (small_) from the image URL to reach the stored file.

Fix:
\api\StatusesApi.class.php

    function uploadpic(){
        /**
         * 20121018 @yelo
         * Added upload type validation
         */
        $pathinfo = isset($_FILES['pic']) ? pathinfo($_FILES['pic']['name']) : array();
        // only the last extension is checked; normalise case before the whitelist lookup
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        $allowExts = array('jpg', 'png', 'gif', 'jpeg');
        $uploadCondition = isset($_FILES['pic']) && in_array($ext, $allowExts, true);
        if( $uploadCondition ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            // store under the validated extension only, not everything after the first dot
            $filename = md5( time().'teste' ).'.'.$ext;
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
        return $result;
    }
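An extension whitelist alone trusts the client-supplied name. As an added example (not ThinkSNS code), the check below also inspects the file bytes with getimagesize() and requires the detected MIME type to agree with the extension, then stores the file under a random token plus that single vetted extension; the function names and the constructed 1x1 GIF sample are assumptions for the demo.

```php
<?php
// Added example, not part of the original post or of ThinkSNS.
// Assumes $file is one entry of $_FILES and the caller has run is_uploaded_file().

const ALLOWED_IMAGE_MIME = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Returns the extension to store under, or null when the upload is rejected.
 * Rejects: upload errors, extensions outside the whitelist, content that is
 * not a real image, and a mismatch between extension and detected MIME type.
 */
function safeImageExtension(array $file): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only the LAST extension counts; anything before it is discarded, so a
    // name such as "x.php.jpg" can never be stored as "<token>.php.jpg".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!in_array($ext, ALLOWED_IMAGE_MIME, true)) {
        return null;
    }
    // Decide from the bytes, not from the name or the client-sent $file['type'].
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_MIME[$info['mime']])) {
        return null;
    }
    return ALLOWED_IMAGE_MIME[$info['mime']] === $ext ? $ext : null;
}

/** Stored name: unguessable token plus the single vetted extension. */
function storedFilename(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo: a 1x1 GIF written to a temp file stands in for the upload.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
var_dump(safeImageExtension(['name' => 'photo.GIF', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK]));
var_dump(safeImageExtension(['name' => 'x.php.jpg', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK]));
var_dump(safeImageExtension(['name' => 'x.php', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK]));
unlink($tmp);
```

The second and third calls are rejected: the first because the GIF bytes do not match the .jpg extension, the second because .php is not whitelisted.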