When an image is uploaded with a weibo (microblog) post, validation is done only on the front end; the server side performs no security filtering.
\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type.

A form can be built that selects an arbitrary file and submits it to

/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted weibo (remove the small_ and middle_ prefixes).

After logging in to the official ThinkSNS weibo, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Remove the thumbnail prefix (small_).

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
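The fix above checks only the extension the client reports, and still builds the stored name from everything after the first dot in the original filename. As an added example (not ThinkSNS code), the function below performs the same upload with stricter server-side checks: it requires a genuine PHP upload, applies the extension allow list, verifies the bytes with getimagesize(), and stores the file under a random name whose extension comes from the detected image type. The $saveDir parameter and the validateAndStoreUpload name are assumptions; SITE_PATH is assumed to be defined by the application as in the original code, and random_bytes() needs PHP 7 or later.

```php
<?php
// Added example, not ThinkSNS code. Stricter server-side handling of the
// 'pic' upload: require a real uploaded file, check the extension allow
// list, check the bytes with getimagesize(), and store under a random
// name whose extension comes from the detected type, not the client name.
// $saveDir is an assumed target directory; SITE_PATH is assumed to be
// defined by the application, as in the original code.
function validateAndStoreUpload(array $file, $saveDir)
{
    $result = array('boolen' => 0, 'message' => '上传失败');

    // Reject anything PHP did not receive through a successful file upload.
    if (empty($file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return $result;
    }

    // Extension allow list, taken from the LAST dot only and lower-cased.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, array('jpg', 'jpeg', 'png', 'gif'), true)) {
        return $result;
    }

    // Content check: the bytes must decode as one of the accepted image types.
    $typeToExt = array(IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png',
                       IMAGETYPE_GIF => 'gif');
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($typeToExt[$info[2]])) {
        return $result;
    }

    // Random, unpredictable name; extension derived from the detected type.
    $filename = bin2hex(random_bytes(16)) . '.' . $typeToExt[$info[2]];
    $target = rtrim($saveDir, '/') . '/' . $filename;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return $result;
    }

    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => SITE_PATH . '/uploads/temp/' . $filename,
    );
}
```

Serving the upload directory with script execution disabled is a separate web-server setting that this function does not replace.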