微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。8 Q' f6 {2 V: L% w+ u
* |6 {, k4 g# C+ Z& g
2 W" ~* a, M3 l# l\api\StatusesApi.class.php
; W: k6 a! v. @" I8 O 5 y, t3 X5 B g; r9 G9 Y) l
function uploadpic(){
4 V) Y1 @5 H. s0 ~0 N6 j if( $_FILES['pic'] ){
- n' ?1 ~) ^8 I$ P4 `2 b; E8 o //执行上传操作# e/ K3 l* @3 N4 ? e8 ^
$savePath = $this->_getSaveTempPath();
5 w0 a; U3 J @8 x3 c' S- c $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);, H# q7 z7 x5 R k: H) P; k
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))9 P; M: @. ]& m
{* X5 h* U4 [! Z
$result['boolen'] = 1;
0 N% D: B$ H' Z: ^' A7 y* {) t $result['type_data'] = 'temp/'.$filename;& }8 Y' T; Z% N, k
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
, q& n* E" C+ t* t } else {
! @: B2 B) F7 Z $result['boolen'] = 0;8 |8 O" s L A ]- U X% I
$result['message'] = '上传失败';$ ~. N3 A; x( |- w: h H M3 q5 u
}- I. {0 U- U" q; d4 D
}else{" q% g \+ x3 W
$result['boolen'] = 0;
) H! u+ J' T# N6 P $result['message'] = '上传失败';$ p; x) U- F+ @6 A+ t
}6 {8 h' J0 e7 n \, J
return $result;1 E" p9 M' E1 e7 C+ a; l6 U
}7 I! O( ?+ ^- F( _- d: z
unloadpic()方法没有对文件类型进行验证
+ @1 _4 V7 ]/ U( x0 N u( z : g1 h S4 B4 d5 }& b) A
可以构建表单, 选择任意文件, 提交到
( K( q6 ^; T/ g z: R; E( c/index.php?app=w3g&mod=Index&act=doPost' d: F. e- [; F* B( R1 k" ?
% U$ |+ v& G z2 G; u在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)* p* M5 D- K- w9 J4 q0 {" m d1 r( D
|% S/ y1 W2 Z+ @7 e, j
_* \" k+ f! B! R: C2 X
在登录thinksns官方微博后,
; w9 d/ }, m0 |+ `6 g5 E& {构建以下表单:
$ F/ r# ?" J5 z+ d; W7 G
) w6 `# D3 B, [<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
# |( Y" t: G2 n" w; m5 h<textarea name="content">test</textarea>) S# g9 F! V& d. l- F: ?
file: <input id="file" type="file" name="pic" />
" B4 j8 C' A- b/ Q5 |. C<input type="submit" value="Post" />
5 J3 T7 Y/ a" `. W8 }</form>0 ~. W# P! d+ w; ?9 W9 W
去掉缩略图的前缀(small_ )0 o, t8 H9 M2 H A& [$ j1 P
修复方案:2 {$ G$ m7 U/ l! l& s2 ~5 U
& k, n4 a8 `% R# @- U
- E: p# w& r# ~9 h5 u+ U# z\api\StatusesApi.class.php
5 D$ k5 D6 ?; R3 \% W8 U6 b4 E
( }8 |+ g2 r9 ^function uploadpic(){. I( ~; z- l/ J* I9 F1 f
/**( ?: o- N; ?5 @" H8 Y. y! ] q7 U. {
* 20121018 @yelo
$ d3 A! l9 K( o V4 T * 增加上传类型验证+ m* q$ ^% ^" y
*/2 B6 b2 r% q' W
$pathinfo = pathinfo($_FILES['pic']['name']);# d2 S9 S3 P( U+ w9 [$ X1 T
$ext = $pathinfo['extension'];; \4 a; {8 a7 o3 C" `
$allowExts = array('jpg', 'png', 'gif', 'jpeg');+ X( U5 u6 k% Q% G+ i, j# ]
* B6 M) p7 U# Y6 L# N4 q9 P6 v2 @# @ $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
! M0 H% m( n9 N ! C% A" m- z4 m, ~; H" ^
if( $uploadCondition ){% o. I+ {, @' U/ E
//执行上传操作
/ b8 K% J) L: L) e $savePath = $this->_getSaveTempPath();2 b: s. V3 A% U2 L+ L! k' t
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);/ T, n6 M: d) T
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))2 _4 ]) h) A/ q* w. A: ]2 n$ q# B: @
{
9 M' x( d9 m; L! L $result['boolen'] = 1;7 p) I3 `5 I- F6 r
$result['type_data'] = 'temp/'.$filename;
4 K; {, }& D- t" q1 G) ]* o $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
" a8 Z0 S7 |3 Z- a1 P } else {3 K. [2 e+ h7 u7 L' W' H# e
$result['boolen'] = 0;2 c% q; m7 O6 }/ u- l4 T4 x
$result['message'] = '上传失败';2 F+ \2 [( W; w9 A, }# M
}, o" }( y5 i; J/ E& ]) G; a( x3 X$ Z5 K
}else{
- N4 R3 w% m! @1 G7 m& u* o) v $result['boolen'] = 0;( c6 g2 ], C4 Q, b; E' ? x
$result['message'] = '上传失败';
6 H( L0 q* V8 X- i+ h; g }
: K: v/ B$ w( A. greturn $result;
! S" o2 H9 z6 v# [, i& M% ^8 m/ H }, h0 M1 T# X( N" n# a
; _+ T: t' M! x
9 P$ n7 n; H* _$ E! F) z6 I& B
|