微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
, N* k+ j: i. ^- Z ^% X: H9 H- F) B
; L0 w2 Y2 a3 ^. z
\api\StatusesApi.class.php& |# k' y% ^8 a* q' J; \
( y( O9 U% q' {3 A8 l% ?( l" s& ofunction uploadpic(){
0 u7 T/ o* z9 b if( $_FILES['pic'] ){( M- O# a+ L5 X: c4 W- P3 U
//执行上传操作
, p' ?1 t6 _9 s+ V4 u; X7 { $savePath = $this->_getSaveTempPath();" {, U& I5 }# R1 S
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
8 n J* g# J# e+ c- S if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
2 h! ]. u; ~2 V2 h- E7 ]: D2 j, ` {" B% s: u! c- H" A3 F: D: H4 Q
$result['boolen'] = 1; U1 V7 z q( K2 g
$result['type_data'] = 'temp/'.$filename;' O) B; e1 Y+ }& e0 Q% e2 S: j
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
8 O8 d5 T5 d" P2 [* s5 F) K7 Z } else {0 o; g6 H2 B2 z4 N! V$ m
$result['boolen'] = 0;7 C! S5 ~2 h" G& k
$result['message'] = '上传失败';
8 y1 P2 ^ N# S, Y) R4 O- i }
4 d- s" J3 _6 z3 u: A+ t, H }else{
. J4 b- V0 n; U# N $result['boolen'] = 0;0 l) p2 B% w5 W0 c( d; L8 V
$result['message'] = '上传失败'; T1 d! i! H s
}
) m( T& `( _& g, creturn $result;
; ?1 t" k- @" G/ c2 S' y9 r& E8 w }% p- M( Y# u& l) k, @
unloadpic()方法没有对文件类型进行验证 i. }) q( t, u" D0 {; O
% o) t0 ]% Z+ `& e. m可以构建表单, 选择任意文件, 提交到# R& Q3 I0 n9 [/ p' {! O5 K
/index.php?app=w3g&mod=Index&act=doPost5 M% O" }& g0 l6 |0 k) r2 h- g$ }
0 S5 I! x. f3 }: q0 C在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
/ G8 j; |& F1 S% l
! f G( A- Q+ [$ Z, E' h( a+ w/ F$ G& [
在登录thinksns官方微博后,
( N( w* V) p" h% p构建以下表单:
6 E2 y$ p- E" l. \/ y6 B
& C9 v) w+ o, K<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />! P x; z& W7 G2 G% ~- ?& }- x( Q
<textarea name="content">test</textarea>7 Y+ n* a+ D- P! R. r8 I8 w$ z" o
file: <input id="file" type="file" name="pic" />
1 P+ E1 J6 }5 C& K<input type="submit" value="Post" />8 M9 T6 M) A$ |+ c
</form># O% M# C; m8 ^2 m2 n
去掉缩略图的前缀(small_ )" o9 a1 z$ i& O
修复方案:
" o3 i ]: J1 U& ?- F& M7 G: S$ {1 S9 I3 S
- Z( i P: c# |/ l: [- J" p
\api\StatusesApi.class.php
1 U+ Q3 |# q5 D% q
* \& o" A( s* jfunction uploadpic(){
2 T! Y! e |4 e: Q" O /**
6 C, F6 u$ [" z; \" D * 20121018 @yelo* m& X' E) x% i
* 增加上传类型验证
/ U" I2 b" i( z& ^- I+ W */1 @2 l' s% b1 R1 G G
$pathinfo = pathinfo($_FILES['pic']['name']);0 [9 d* h3 k6 @; \9 B( J
$ext = $pathinfo['extension'];# p5 j* }# O/ T( {
$allowExts = array('jpg', 'png', 'gif', 'jpeg');
7 l9 ~, g& ` u; r4 R5 s9 \. b / j6 ?6 x5 b8 C* O
$uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);4 O: B% g, {, C* B, W( O% B
( y8 N0 h8 _2 ^# v' q8 G
if( $uploadCondition ){1 d0 _9 P8 \* V: Y5 x& J& p
//执行上传操作) e8 B; p3 b% Z l% p4 O* N
$savePath = $this->_getSaveTempPath();
5 s' v: a, ^$ w) ~; B $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);8 A; W" M6 [" w- | @
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
8 e& H" F3 c/ R6 D* j* M {
2 L. ]' p/ ]1 ]6 v9 A: F $result['boolen'] = 1; w) Z/ Z1 [9 g0 B
$result['type_data'] = 'temp/'.$filename;
* O: C' c2 r% t+ d $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;# D: N0 |! }5 y8 T; @6 \7 e
} else {. V( T$ f; |/ ?4 s
$result['boolen'] = 0;3 v+ D$ R. m( g4 G" q4 ~. H h6 w
$result['message'] = '上传失败';3 a8 r# X/ l: T1 I
}" \, l1 \0 z- N
}else{
" |: A8 P6 A' D1 [( C $result['boolen'] = 0;
( f U s" F; R' S" J8 u $result['message'] = '上传失败';* z8 B6 M# K( P8 {( i
}1 p9 M) ~ q) r# n% s$ k
return $result;
% z, ?: s8 \* H, e }
- z" A! v, k! o+ l8 _. h ^; d( U0 p6 o" n; v
- v8 U# y2 \3 b: Z9 i
|
发表于 2012-12-4 11:12:30
收藏
支持
反对