微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。% ^; i+ c7 L, m: ^1 X# P6 Q
" u5 V4 I S7 t4 s
4 M' D! c" U* I, X' B\api\StatusesApi.class.php
" @; h5 z" U2 b# t2 H2 F5 |
" l- ]4 }5 L2 M) ]# g: S; E: Ifunction uploadpic(){
% N* e( l; Q+ @% G) t if( $_FILES['pic'] ){
8 W" h$ t: \0 d2 A* J( Y //执行上传操作
- ^8 L# V7 Z' r; v; B J $savePath = $this->_getSaveTempPath();
+ B8 D. [4 r% W8 j $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);$ Q2 D/ v. i& j( K) W' I
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename)); I, E' X9 N7 s5 \
{5 I) [1 i2 o9 n2 ] t: ` n( I
$result['boolen'] = 1;3 i" [$ C# Y5 O0 a- e5 V
$result['type_data'] = 'temp/'.$filename;
5 U6 i$ l p$ g( x) }( F $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;9 t2 t* }/ h3 H3 s3 W
} else {
: G7 H: c( q2 q0 u# Y% z0 J8 W $result['boolen'] = 0;
9 p( \4 D6 Z4 E0 I $result['message'] = '上传失败';
+ ]) ^% _( z/ W+ l: B x }7 z2 J1 B' \- |+ g$ G3 o& o
}else{6 ?! Z' f- l8 ~- x2 R5 }4 d
$result['boolen'] = 0;/ \2 l% w" J+ Q% G& B' R. B D
$result['message'] = '上传失败';
2 J: k0 R b; |( R5 J& P7 L }
" K2 g; j; W- {6 O; m, freturn $result;
. D, H; y: G# T! F6 ` }3 x3 J4 Y0 V/ L7 v
unloadpic()方法没有对文件类型进行验证
8 o3 J' v9 Q7 w" p Z; o: Q2 E $ W0 g0 H1 f M% x- `& B7 l
可以构建表单, 选择任意文件, 提交到
/ e- C8 w1 U0 R# C8 ~/index.php?app=w3g&mod=Index&act=doPost
4 h* ~0 S8 y5 v# v1 K
5 S! I! c1 `( q ?9 e) H1 e在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
$ ]+ ~4 V9 B$ Q: E) X" L4 H( d$ d( X, I; Y4 e/ a! [) h
7 V$ X& s" h7 J5 m
在登录thinksns官方微博后,; u* _0 M( M$ W
构建以下表单:
/ N" O4 i3 Z, u3 w; w* c
t" _4 h$ b) A# }- }6 h<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />$ e0 _9 O$ | ~$ b0 _ ]
<textarea name="content">test</textarea>; R2 F/ Y2 P9 M' r" |
file: <input id="file" type="file" name="pic" />5 ?( x, G+ i' c
<input type="submit" value="Post" />
6 L# X3 {3 y4 n; h- ?7 G</form>
) d2 T+ [' V s+ R0 Q. \9 Y2 P去掉缩略图的前缀(small_ )
* B4 {1 |% @5 e: [) H% r' M修复方案:" e" v: k. h& X, [
( M+ W+ _; f8 v( Y. A
+ Z& |' ]. {$ U- K6 [; H. k* j\api\StatusesApi.class.php, w) T( U/ [" B. y8 R
1 ^0 X* J0 o i8 L7 i
function uploadpic(){& x* G! `8 F1 [3 A$ I& I+ u$ C
/**9 L, {% c% ~) T- V5 f
* 20121018 @yelo
9 d3 X0 ~; |) @" a * 增加上传类型验证
, Q4 f4 e+ F% {/ e: H( I; s4 Y */
; {7 T/ @# k$ x. s' c2 L" P; f $pathinfo = pathinfo($_FILES['pic']['name']);" A& s2 q: F4 `+ R$ v: Z4 C2 D' \
$ext = $pathinfo['extension'];
: e5 _% p; J" E5 a% y+ a; m $allowExts = array('jpg', 'png', 'gif', 'jpeg');
! w2 r6 Y& D# E1 i, H* o
- Q' Q, U4 c. I r $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
7 I, W6 l% y! L8 Y6 h |6 [6 h8 ~ # x3 k( D+ O1 ?5 s& D4 L
if( $uploadCondition ){
& {" w4 M$ g, U7 E |( S0 [' Z7 _3 p: j0 b //执行上传操作8 w1 z% u& _, D3 `
$savePath = $this->_getSaveTempPath();
6 P( k) Y) U% ], ` $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);4 ?' Z2 [/ c- f7 G Z5 K8 H9 u. D
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
$ x L, ^1 ? w, z8 T. @- g {
6 v1 ~5 ?' k4 D( e5 ^# B5 z( |& O $result['boolen'] = 1;3 k! L8 U* z8 Q1 z. X9 S) _
$result['type_data'] = 'temp/'.$filename;
( l- l. m; P( T $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
8 L) @8 K6 T$ `' d+ c } else {
2 l% I2 _% U$ Y $result['boolen'] = 0;
- J" O& r4 u' w [: j* h. x $result['message'] = '上传失败';
1 g. ?% ]: l* ?+ B9 M5 L$ I }, O8 l4 Y$ M9 z4 | _0 [" b
}else{
: x9 [7 Y7 E7 x $result['boolen'] = 0;& |: g# ?' c. G- r' n- `2 i) T+ f2 j
$result['message'] = '上传失败';/ x% O: e: o* o; M
}
z/ y5 M5 b. E( r1 jreturn $result;
, @5 I. g* N- w" j8 @: u8 Y }( ^7 R- z! N/ Z6 H& _9 R
$ H$ ?. C+ }' C1 y+ }( m4 A- }5 K
- F6 h+ n# U+ E
|
发表于 2012-12-4 11:12:30
收藏
支持
反对