微博上传图片时只在前端进行验证，服务器端没有对上传文件做任何安全过滤（既不校验扩展名，也不校验文件内容），因此可以上传任意类型的文件。
\api\StatusesApi.class.php
function uploadpic(){
    // Vulnerable version (before the 2012-10-18 fix). The only gate is that a
    // file field named "pic" was posted; neither the extension nor the content
    // of the upload is inspected on the server side.
    if( $_FILES['pic'] ){
        //perform the upload
        $savePath = $this->_getSaveTempPath();
        // The stored extension is whatever follows the FIRST dot of the
        // client-supplied name, so "shell.php" is saved as "<md5>.php".
        // md5(time().'teste') is also identical for every upload within the
        // same second, so concurrent uploads silently overwrite each other.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried first; unlike move_uploaded_file() it skips the
        // is_uploaded_file() check on the source path.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            // Web-reachable path: the file is served straight from /uploads/temp.
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic() 方法没有对文件类型进行验证。

可以构建表单，选择任意文件，提交到
/index.php?app=w3g&mod=Index&act=doPost

在新提交的微博上可以找到上传的文件地址（去掉 small_、middle_ 前缀即为原始文件）。

在登录 thinksns 官方微博后，
构建以下表单：

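<!-- PoC form: posts an arbitrary file in the "pic" field to the micro-blog
     doPost action. The original listing closed the opening <form> tag with
     "/>", which is invalid for a container element; it now ends with ">". -->
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>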
访问返回的图片地址时去掉缩略图的前缀（small_）即可得到上传的原始文件。

修复方案：

\api\StatusesApi.class.php
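function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation.
     *
     * Handles the "pic" field of a multipart POST. The file is accepted only if
     * it is a genuine upload of this request, its extension is whitelisted AND
     * its content is recognised as GIF/JPEG/PNG; it is then moved into the temp
     * upload directory under a server-generated name.
     *
     * Review notes on the 2012-10-18 patch this replaces:
     *  - It whitelisted pathinfo()'s extension (text after the LAST dot) but
     *    still built the stored name from everything after the FIRST dot of
     *    the client name, so "a.php.jpg" passed and was saved as
     *    "<md5>.php.jpg". The stored name now uses only the validated extension.
     *  - copy() was attempted before move_uploaded_file(); copy() skips the
     *    is_uploaded_file() check, so only move_uploaded_file() is used now.
     *  - Content was never inspected; getimagesize() must now recognise the
     *    file as one of the allowed image types.
     *  - md5(time().'teste') yields the same name for every upload within one
     *    second (silent overwrite between users); uniqid()+mt_rand() is used.
     *  - pathinfo() ran on $_FILES['pic']['name'] before checking that the
     *    field existed (undefined-index notices on a request without a file).
     *
     * @return array boolen=1 with type_data/picurl on success, or boolen=0 with
     *               message '上传失败' on any rejection or write failure.
     */
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    // Image types getimagesize() may report for the whitelisted extensions.
    $allowImageTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

    $file = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : null;

    // A real, error-free upload belonging to this request (not just a truthy array).
    $uploadOk = $file !== null
        && isset($file['error'], $file['tmp_name'], $file['name'])
        && (int)$file['error'] === UPLOAD_ERR_OK
        && is_uploaded_file($file['tmp_name']);

    $ext = '';
    if ($uploadOk) {
        $pathinfo = pathinfo($file['name']);
        // A name without any extension is "not allowed" rather than a notice.
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    }

    $isImage = false;
    if ($uploadOk && in_array($ext, $allowExts, true)) {
        // Check the bytes, not just the name. @ keeps the legacy quiet-failure
        // behaviour: getimagesize() warns on non-image input.
        // NOTE(review): this does not rule out image/script polyglots (valid GIF
        // header followed by script text); the whitelisted stored extension, and
        // serving /uploads without a script handler (confirm in web server
        // config), are what actually prevent execution.
        $info = @getimagesize($file['tmp_name']);
        $isImage = is_array($info) && in_array($info[2], $allowImageTypes, true);
    }

    if ($isImage) {
        //perform the upload
        $savePath = $this->_getSaveTempPath();
        // Validated extension only; no part of the client name reaches the path.
        $filename = md5(uniqid(mt_rand(), true)).'.'.$ext;
        $target = $savePath.'/'.$filename;
        if (@move_uploaded_file($file['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}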