微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
8 ]; w$ m/ P6 C/ r9 J E+ l! w" ]4 {: c7 P
\api\StatusesApi.class.php
( }9 A4 [" Y6 Y; O $ W9 j/ J% ~5 w1 t
function uploadpic(){
    // NOTE(review): this version performs no server-side check of the
    // uploaded file's type — the extension stored on disk is copied verbatim
    // from the client-supplied name, so only the browser-side form limits it.
    $result = array();
    if( $_FILES['pic'] ){
        // perform the upload into the temp directory
        $dir = $this->_getSaveTempPath();
        $clientName = $_FILES['pic']['name'];
        // stored name: hash of the timestamp plus whatever follows the first dot of the client name
        $storedName = md5( time().'teste' ).'.'.substr($clientName, strpos($clientName,'.')+1);
        $target = $dir.'/'.$storedName;
        $saved = @copy($_FILES['pic']['tmp_name'], $target) || @move_uploaded_file($_FILES['pic']['tmp_name'], $target);
        if( $saved ){
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$storedName;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$storedName;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证
/ a) g8 g) A+ R% E1 G/ i! ?7 N可以构建表单, 选择任意文件, 提交到
3 F9 |' t- c( v! y/index.php?app=w3g&mod=Index&act=doPost: E% j U$ q$ V, z1 N
4 O0 e& w8 f* [* X" x( P: L1 m" ^
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
( {4 f. I# d( x- D7 h" |: ?4 J' e$ u5 F9 ~
, V# J7 c' D1 M( U% f, ^. a
在登录thinksns官方微博后,
6 p1 ~7 F9 k; E! b: i' ~构建以下表单:4 f) B5 Q+ Y. J- H! F
% N- {4 z' H+ K
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
% d+ ^& Q+ ]( s* H1 h' c4 I4 e<textarea name="content">test</textarea>$ ], c% Z4 x! C8 n( j
file: <input id="file" type="file" name="pic" />
& G5 h$ @; D5 Z3 }<input type="submit" value="Post" />
0 a; T, m J, u7 {</form># k; N9 x) T+ j l; {# W
去掉缩略图的前缀(small_ )
修复方案:
0 m6 W6 Y- F! Y0 K: g4 t% z: a, a
' l& @- h: I( V( g# K
\api\StatusesApi.class.php
7 B8 a' `0 h$ H# b$ q 3 u4 _9 _* m' z& o1 l# B0 G
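function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation.
     *
     * Stores the file posted as $_FILES['pic'] in the temp upload directory,
     * accepting only files whose (last) extension is in $allowExts and whose
     * content parses as an image.
     *
     * @return array  'boolen' => 1 plus 'type_data' and 'picurl' on success;
     *                'boolen' => 0 plus 'message' on failure
     */
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // Guard every $_FILES access: the key is absent when nothing was posted,
    // and pathinfo() has no 'extension' entry for a name without a dot.
    $file = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : null;
    $ext = '';
    if ($file !== null && isset($file['name'])) {
        $pathinfo = pathinfo($file['name']);
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    }

    // Server-side allow-list on the last extension; the client-side form check
    // alone can be bypassed by posting the form directly.
    $uploadCondition = $file !== null
        && isset($file['tmp_name'], $file['error'])
        && $file['error'] === UPLOAD_ERR_OK
        && in_array($ext, $allowExts, true)
        // Defence in depth: the bytes must decode as an image, not just carry
        // an image extension.
        && getimagesize($file['tmp_name']) !== false;

    if ($uploadCondition) {
        $savePath = $this->_getSaveTempPath();
        // Store under the validated extension only. The previous code kept
        // everything after the first dot of the client name, so "x.php.jpg"
        // was written as "<hash>.php.jpg", which some servers execute as PHP.
        // uniqid() instead of time() avoids two uploads in the same second
        // overwriting each other.
        $filename = md5(uniqid('teste', true)) . '.' . $ext;
        $target = $savePath . '/' . $filename;
        // move_uploaded_file() only accepts a genuine upload of this request;
        // the copy() fallback is dropped because it skips that check.
        if (move_uploaded_file($file['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/' . $filename;
            $result['picurl'] = SITE_PATH . '/uploads/temp/' . $filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}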
/ x% b4 W. {. ~% ~ B( }7 R% a
* O0 Q, `' O8 h+ h0 I" l8 a% J
s( B4 q. J4 ]9 L2 S" _% F |