微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。

\api\StatusesApi.class.php
/**
 * Original (pre-fix) version, kept as the vulnerability exhibit.
 *
 * Stores the multipart field "pic" under the directory returned by
 * $this->_getSaveTempPath() and returns an array:
 *   boolen    1 on success, 0 on failure
 *   type_data 'temp/<name>'                    (success only)
 *   picurl    SITE_PATH.'/uploads/temp/<name>' (success only)
 *   message   '上传失败'                        (failure only)
 *
 * Weaknesses visible in this code:
 *  - no server-side check of the file type at all: any content under any
 *    name is accepted as long as $_FILES['pic'] is present;
 *  - the stored extension is everything after the FIRST dot of the
 *    client-supplied name, so it is fully client-controlled and may contain
 *    several dots;
 *  - md5(time().'teste') is identical for every upload within the same
 *    second, so concurrent uploads overwrite each other;
 *  - copy() is attempted before move_uploaded_file() without any
 *    is_uploaded_file() check, and '@' hides the reason for a failure.
 */
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // extension taken verbatim from the client name (see header comment)
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证

可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost

在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)

在登录thinksns官方微博后,
构建以下表单:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )

修复方案:

\api\StatusesApi.class.php
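/**
 * 20121018 @yelo
 * Added server-side upload type validation.
 *
 * Stores the multipart field "pic" under the directory returned by
 * $this->_getSaveTempPath() and returns an array:
 *   boolen    1 on success, 0 on failure
 *   type_data 'temp/<name>'                    (success only)
 *   picurl    SITE_PATH.'/uploads/temp/<name>' (success only)
 *   message   '上传失败'                        (failure only)
 *
 * A file is accepted only if (a) it is a genuine upload of this request
 * (is_uploaded_file), (b) its extension is in $allowExts and (c)
 * getimagesize() recognises the content as an image. The stored name is
 * built from the validated, lower-cased extension rather than from the
 * client-supplied name, so a multi-dot name such as "x.php.jpg" can no
 * longer be stored as "<hash>.php.jpg".
 */
function uploadpic(){
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // Guard every $_FILES read: the field may be absent, or PHP may already
    // have rejected the upload (size limit, partial transfer) via 'error'.
    $pic = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : null;
    $uploadOk = $pic !== null
        && isset($pic['name'], $pic['tmp_name'])
        && (!isset($pic['error']) || $pic['error'] === UPLOAD_ERR_OK)
        && is_uploaded_file($pic['tmp_name']);

    $ext = '';
    if ($uploadOk) {
        $pathinfo = pathinfo($pic['name']);
        // pathinfo() omits 'extension' entirely when the name has no dot
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    }

    // Extension allow-list plus a content check: getimagesize() returns
    // false for anything that is not a parsable image.
    $uploadCondition = $uploadOk
        && in_array($ext, $allowExts, true)
        && @getimagesize($pic['tmp_name']) !== false;

    if ($uploadCondition) {
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // uniqid() rather than time() alone: two uploads in the same second
        // would otherwise get the same hash and overwrite each other.
        $filename = md5(uniqid('', true).'teste').'.'.$ext;
        $target = $savePath.'/'.$filename;
        // copy() is kept first, as in the original, presumably so the PHP
        // temp file remains available to later processing in this request
        // (thumbnails) -- verify before reordering. is_uploaded_file() above
        // already established that tmp_name is a real upload.
        if (@copy($pic['tmp_name'], $target) || @move_uploaded_file($pic['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}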