微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
9 ?" T f! u& L3 w! e6 ?4 ~
\api\StatusesApi.class.php
. \4 G1 [! `6 w @
function uploadpic(){
    /**
     * Saves the file posted as $_FILES['pic'] into the temp upload directory.
     *
     * NOTE(review): this is the vulnerable version the report describes. Nothing
     * about the file is validated server-side: no extension whitelist, no content
     * check. The stored extension is whatever follows the FIRST '.' of the
     * client-supplied name, and copy() is attempted before move_uploaded_file(),
     * so any readable source path is accepted (copy() does not restrict itself
     * to files PHP actually received via upload). The stored name depends only
     * on the current second, so uploads in the same second collide.
     *
     * @return array boolen (1/0); type_data + picurl on success, message on failure
     */
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // extension = everything after the first '.', not the last one
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried first; move_uploaded_file() only as a fallback
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证
" Y, U! g. W% [4 w) A: z& ]
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
( n" m0 ^6 Q% ^, x5 f& J
& B2 h1 J4 J+ I5 _
在登录thinksns官方微博后,
构建以下表单:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )
修复方案:
5 d# w: Y! Q7 O3 N$ D5 B. L1 z% f: ^6 B' M7 s( q" K
\api\StatusesApi.class.php
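function uploadpic(){
    /**
     * Saves the image posted as $_FILES['pic'] into the temp upload directory.
     *
     * 20121018 @yelo - added upload type validation (extension whitelist).
     *
     * Hardening over the extension-only check: the extension is taken from the
     * LAST '.' via pathinfo() (not the first one), the stored name is built from
     * the validated extension rather than the raw client name, the file content
     * must be recognised as GIF/JPEG/PNG by getimagesize(), and only a file that
     * PHP actually received through the upload mechanism is saved (no copy()
     * fallback, which would accept any readable source path).
     *
     * @return array boolen (1/0); type_data + picurl on success, message on failure
     */
    $result = array('boolen' => 0, 'message' => '上传失败');

    // Reject missing, partial or otherwise failed uploads before looking at the name.
    $file = isset($_FILES['pic']) ? $_FILES['pic'] : null;
    if (!$file || !isset($file['error'], $file['tmp_name'], $file['name'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return $result;
    }

    // Extension whitelist; pathinfo() has no 'extension' key when the name has no dot.
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $pathinfo = pathinfo($file['name']);
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    if (!in_array($ext, $allowExts, true)) {
        return $result;
    }

    // Content check: getimagesize() returns false for anything that is not a
    // recognised image; '@' only silences its warning, the failure is handled here.
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !in_array($info[2], $allowTypes, true)) {
        return $result;
    }

    // Stored name uses the validated extension, never the client-supplied string.
    $savePath = $this->_getSaveTempPath();
    $filename = md5(time() . 'teste') . '.' . $ext;
    $target   = $savePath . '/' . $filename;

    // move_uploaded_file() refuses anything that is not a genuine upload.
    if (!@move_uploaded_file($file['tmp_name'], $target)) {
        return $result;
    }

    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => SITE_PATH . '/uploads/temp/' . $filename,
    );
}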
) v' p, d1 b4 S; Q
( w% D9 l/ s9 b& Q) f9 o1 t
|