When an image is attached to a microblog post, the file is validated only on the front end; the server side performs no security filtering at all.
\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // extension is copied from the client-supplied name: everything after the FIRST dot
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';   // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';   // "upload failed"
    }
    return $result;
}
The uploadpic() method does not validate the file type in any way: neither the extension nor the content is checked, and the stored filename keeps whatever extension the client supplied. You can therefore build your own form, choose an arbitrary file, and submit it to

/index.php?app=w3g&mod=Index&act=doPost
The address of the uploaded file can then be found on the newly posted microblog entry (strip the small_ / middle_ thumbnail prefix from the image URL to reach the original file).
After logging in to the official ThinkSNS microblog, build the following form:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>

Then remove the thumbnail prefix (small_) from the image URL shown in the post.
Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';   // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';   // "upload failed"
    }
    return $result;
}
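Two points about the fix above are worth checking before relying on it. First, the whitelist is applied to pathinfo()'s extension, which is the text after the last dot, but the stored filename still takes everything after the first dot in the original name, so a file named "x.php.jpg" passes the check and is written as "<md5>.php.jpg", which some Apache multi-extension configurations will still hand to PHP. Second, pathinfo() runs on $_FILES['pic']['name'] before the code confirms a file was uploaded at all, and copy() is tried before move_uploaded_file(), so nothing verifies the source really is an uploaded file. The method below is an added example of a hardened replacement written for this page; it is not ThinkSNS code. It assumes the same class context as the original (so $this->_getSaveTempPath() and SITE_PATH exist as before), PHP 7 or later for random_bytes(), and the fileinfo extension.

```php
<?php
// Added example, not project code: hardened drop-in for StatusesApi::uploadpic().
// Assumes, as in the original, that $this->_getSaveTempPath() returns a writable
// directory and SITE_PATH is the site's base URL. Requires PHP >= 7 and ext/fileinfo.
function uploadpic(){
    $result = array('boolen' => 0, 'message' => '上传失败'); // "upload failed"

    // 1. Confirm there is exactly one successfully uploaded file and that the
    //    temp path really came from the upload machinery (no copy() fallback).
    if (!isset($_FILES['pic']) || !is_array($_FILES['pic'])
        || $_FILES['pic']['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($_FILES['pic']['tmp_name'])) {
        return $result;
    }

    // 2. Whitelist on the LAST extension, and reuse that same value when building
    //    the stored name. Taking everything after the first dot would turn
    //    "x.php.jpg" into "<hash>.php.jpg".
    $allowExts = array(
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    );
    $ext = strtolower(pathinfo($_FILES['pic']['name'], PATHINFO_EXTENSION));
    if (!isset($allowExts[$ext])) {
        $result['message'] = '不允许的文件类型'; // "file type not allowed"
        return $result;
    }

    // 3. Ignore the client-supplied $_FILES['pic']['type']; sniff the bytes that
    //    actually arrived and require them to agree with the extension, and
    //    require the image decoder to accept the file as well.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($_FILES['pic']['tmp_name']);
    if ($mime !== $allowExts[$ext] || @getimagesize($_FILES['pic']['tmp_name']) === false) {
        $result['message'] = '文件内容不是图片'; // "file content is not an image"
        return $result;
    }

    // 4. Server-chosen random name; the client controls nothing but the
    //    already-whitelisted extension.
    $savePath = $this->_getSaveTempPath();
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    $target   = $savePath . '/' . $filename;

    if (!move_uploaded_file($_FILES['pic']['tmp_name'], $target)) {
        return $result;
    }
    @chmod($target, 0644); // plain data file, no execute bit

    $result['boolen']    = 1;
    $result['message']   = '';
    $result['type_data'] = 'temp/' . $filename;
    $result['picurl']    = SITE_PATH . '/uploads/temp/' . $filename;
    return $result;
}
```

Even with this in place, the uploads directory should be configured so the web server never executes scripts from it (for Apache, disabling the PHP handler for that directory; for nginx, not routing that location to PHP-FPM). The application check stops most payloads; the server configuration is what makes a bypass harmless.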