When an image is attached to a microblog post, the file is validated only on the front end; the server side performs no security filtering at all.
\api\StatusesApi.class.php

function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload; nothing here inspects the file's type or extension
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type.

A form can be built that selects an arbitrary file and submits it to

/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly created microblog post (strip the small_ / middle_ thumbnail prefix).

After logging in to the official ThinkSNS microblog, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>

Strip the thumbnail prefix (small_) from the image address shown in the post.
Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
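The posted fix whitelists the extension that pathinfo() reports (the last one), but it still builds $filename from everything after the first dot of the original name, and it never looks at the file's content. The following is an added example, not ThinkSNS code, of a stricter validator for the same $_FILES['pic'] entry: it checks the upload error code, compares only the last extension, verifies with getimagesize() that the bytes really are an image of the type the extension claims, and derives the stored name from the validated extension alone. The function names, the $requireUploaded switch and the constructed sample files are assumptions for this demo; it needs PHP 7 or later.

```php
<?php
// Added example (not ThinkSNS code). Maps the image types getimagesize() can
// detect to the extensions the upload handler accepts for them.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => ['gif'],
    IMAGETYPE_JPEG => ['jpg', 'jpeg'],
    IMAGETYPE_PNG  => ['png'],
];

/**
 * Validate one $_FILES entry and, if acceptable, return the name to store it under.
 *
 * @param array $file            one $_FILES[...] entry (name, tmp_name, error)
 * @param bool  $requireUploaded true in production (enforces is_uploaded_file);
 *                               false only so this offline demo can feed temp files
 */
function validateImageUpload(array $file, bool $requireUploaded = true): array
{
    // Reject missing or failed uploads before touching the file at all.
    if (!isset($file['tmp_name'], $file['name']) || ($file['error'] ?? UPLOAD_ERR_OK) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'message' => 'upload error or missing file'];
    }
    if ($requireUploaded && !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'message' => 'not an uploaded file'];
    }

    // Only the LAST extension counts, lower-cased and compared strictly.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $allowedExts = array_merge(...array_values(ALLOWED_IMAGE_TYPES));
    if (!in_array($ext, $allowedExts, true)) {
        return ['ok' => false, 'message' => "extension '$ext' not allowed"];
    }

    // Check the content, not just the name: the bytes must parse as an image...
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        return ['ok' => false, 'message' => 'content is not a supported image'];
    }
    // ...and the detected type must agree with the claimed extension.
    if (!in_array($ext, ALLOWED_IMAGE_TYPES[$info[2]], true)) {
        return ['ok' => false, 'message' => 'extension does not match image content'];
    }

    // Unguessable stored name, built from the validated extension only; nothing
    // from the client-supplied name reaches the filesystem.
    $storedName = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['ok' => true, 'ext' => $ext, 'filename' => $storedName];
}

// --- offline demo with constructed inputs (hypothetical file names) ---------
function makeTempFile(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($path, $bytes);
    return $path;
}

// Constructed 1x1 transparent GIF, plus a text file wearing an image name.
$gifBytes = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$samples = [
    ['name' => 'photo.GIF',      'tmp_name' => makeTempFile($gifBytes),       'error' => UPLOAD_ERR_OK],
    ['name' => 'photo.gif',      'tmp_name' => makeTempFile('<?php echo 1;'),  'error' => UPLOAD_ERR_OK],
    ['name' => 'script.php.jpg', 'tmp_name' => makeTempFile($gifBytes),       'error' => UPLOAD_ERR_OK],
    ['name' => 'script.php',     'tmp_name' => makeTempFile($gifBytes),       'error' => UPLOAD_ERR_OK],
];
foreach ($samples as $s) {
    $r = validateImageUpload($s, false);
    printf("%-15s -> %s\n", $s['name'],
        $r['ok'] ? 'accepted as ' . $r['filename'] : 'rejected: ' . $r['message']);
    unlink($s['tmp_name']);
}
```

In this run only photo.GIF is accepted; the text file named .gif fails the content check, script.php.jpg fails because the GIF content does not match the jpg extension, and script.php fails the whitelist. In the real handler the returned filename would replace the md5(time().'teste') construction before calling move_uploaded_file(), and $requireUploaded would stay true.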