When an image is attached to a weibo post it is validated only in the front end; the server side performs no security filtering at all.
\api\StatusesApi.class.php
    function uploadpic(){
        if( $_FILES['pic'] ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            // NOTE: the stored name keeps everything after the FIRST dot of the
            // client-supplied name, with no whitelist, so "shell.php" is saved as
            // "<md5>.php"; md5(time().'teste') is also predictable from the timestamp
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败'; // "upload failed"
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
        return $result;
    }
The uploadpic() method does not validate the file type in any way.

So you can build a form, pick an arbitrary file (for example one with a .php extension) and submit it to
/index.php?app=w3g&mod=Index&act=doPost

The URL of the uploaded file can then be found in the newly posted weibo (strip the small_ / middle_ thumbnail prefix from the image name).

After logging in to the official ThinkSNS weibo, build the following form:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>

Then strip the thumbnail prefix (small_) from the image URL shown in the new post to reach the original upload.
Fix:

\api\StatusesApi.class.php
    function uploadpic(){
        /**
         * 20121018 @yelo
         * added upload type validation
         */
        $pathinfo = pathinfo($_FILES['pic']['name']);
        $ext = $pathinfo['extension'];
        $allowExts = array('jpg', 'png', 'gif', 'jpeg');

        $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

        if( $uploadCondition ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败'; // "upload failed"
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
        return $result;
    }
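The added PHP example below is not ThinkSNS code; it illustrates both the exploit analysis above and the limits of the fix. The first part compares the extension the original storage logic derives (everything after the first dot) with the one the patch validates (pathinfo(), i.e. the last dot) for a few constructed filenames. The second part is a hardened variant of uploadpic() that validates the last-dot extension against a whitelist, checks the file content with getimagesize(), and derives the stored name from random bytes plus the whitelisted extension only. Assumptions: the ThinkSNS helper _getSaveTempPath() is replaced by a $savePath parameter, the SITE_PATH constant by a literal '/uploads/temp' prefix, and $_FILES['pic'] is passed in as $file.

```php
<?php
// Added example, not ThinkSNS code (see lead-in for the assumptions).

// Extension as the ORIGINAL storage code derives it: the original expression,
// everything after the first dot. A name with no dot is mangled because
// strpos() returns false, which is treated as 0 here.
function ext_first_dot(string $name): string
{
    return substr($name, strpos($name, '.') + 1);
}

// Extension as the PATCH validates it: everything after the last dot,
// lower-cased. Returns '' when there is no extension.
function ext_last_dot(string $name): string
{
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

// Constructed filenames. "x.php.jpg" passes the patch's whitelist (jpg) but is
// still stored as "<md5>.php.jpg" because the stored name keeps "php.jpg".
foreach (['shell.php', 'x.php.jpg', 'pic.JPG', 'noext'] as $n) {
    printf("%-10s stored as .%-8s validated as .%s\n", $n, ext_first_dot($n), ext_last_dot($n));
}

// Hardened variant of uploadpic(). $file is one $_FILES entry, $savePath the
// temp directory (stand-in for $this->_getSaveTempPath()).
function uploadpic_hardened(array $file, string $savePath): array
{
    // Whitelisted extension => MIME type the file content must actually have.
    $allowExts = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    // 1. Must be a real, complete PHP upload (not just a truthy array entry).
    if (!isset($file['tmp_name'], $file['error'], $file['name'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ['boolen' => 0, 'message' => 'upload failed'];
    }

    // 2. Whitelist the extension taken from the LAST dot, lower-cased.
    $ext = ext_last_dot($file['name']);
    if (!isset($allowExts[$ext])) {
        return ['boolen' => 0, 'message' => 'file type not allowed'];
    }

    // 3. Check the file content, not the client-supplied name or MIME header.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $allowExts[$ext]) {
        return ['boolen' => 0, 'message' => 'not a valid image'];
    }

    // 4. Stored name comes from random bytes plus the whitelisted extension,
    //    so nothing from the client-supplied name reaches the filesystem and
    //    the name cannot be predicted from a timestamp.
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest     = rtrim($savePath, '/') . '/' . $filename;

    // 5. move_uploaded_file() only; copy() would also accept non-upload paths.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['boolen' => 0, 'message' => 'upload failed'];
    }

    return [
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => '/uploads/temp/' . $filename,
    ];
}
```

Running the first part shows that shell.php is now rejected by the patch, but x.php.jpg is accepted and stored under the double extension; whether such a file executes depends on the web server's handler configuration (Apache's per-extension handler matching is the classic case), and the patch never inspects the file content at all. The hardened variant closes both gaps, but an image-shaped polyglot can still pass getimagesize(), so the uploads directory should additionally be served with script execution disabled.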