When an image is attached to a microblog post, the file is validated only on the front end; the server side performs no security filtering.

\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload: no check on the file's type or content
        $savePath = $this->_getSaveTempPath();
        // extension is taken from everything after the FIRST dot of the user-supplied name
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type.

A form can be built, an arbitrary file selected, and submitted to
/index.php?app=w3g&mod=Index&act=doPost

The uploaded file's address can then be found on the newly posted microblog entry (strip the small_ and middle_ prefixes).

After logging in to the official ThinkSNS microblog site, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the image URL to reach the uploaded file.

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // allow the upload only when the extension (after the LAST dot) is in the allowlist
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
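As an added example that is not part of the original post or of the ThinkSNS code base: a stricter server-side check for the same upload step. It keeps the extension allowlist from the fix above, additionally requires the file content to decode as an image of the matching type, and builds the stored name from the validated extension rather than from the user-supplied name (the fix checks the part after the last dot, while the saved filename keeps everything after the first dot, so the two can disagree). The function names, $savePath and $allowExts are assumptions.

```php
<?php
// Added example (not ThinkSNS code). Assumes the same $_FILES['pic'] input as
// uploadpic() and a writable $savePath; function names are hypothetical.

function validateImageUpload(array $file, array $allowExts = array('jpg', 'jpeg', 'png', 'gif'))
{
    // Reject anything that did not arrive through a real upload or reported an error.
    if (!isset($file['tmp_name'], $file['error'], $file['name'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }

    // Extension allowlist, as in the fix: the part after the LAST dot, lower-cased.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return false;
    }

    // Content check: the bytes must decode as an image, and the detected image
    // type must match the claimed extension (jpg and jpeg both mean IMAGETYPE_JPEG).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return false;
    }
    $expected = array('jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                      'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF);
    if (!isset($expected[$ext]) || $info[2] !== $expected[$ext]) {
        return false;
    }

    // Hand back the validated extension so the caller never reuses the raw name.
    return $ext;
}

function storeUploadedImage(array $file, $savePath)
{
    $ext = validateImageUpload($file);
    if ($ext === false) {
        return array('boolen' => 0, 'message' => 'upload failed');
    }
    // Random stored name + validated extension; move_uploaded_file only, no copy() fallback.
    $filename = md5(uniqid(mt_rand(), true)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $savePath . '/' . $filename)) {
        return array('boolen' => 0, 'message' => 'upload failed');
    }
    return array('boolen' => 1, 'type_data' => 'temp/' . $filename);
}
```

The upload directory should additionally be served without script execution, since a content check alone does not stop a valid image from also carrying other data.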