微博上传图片时只在前端进行验证，服务器端没有进行安全过滤。
\api\StatusesApi.class.php
function uploadpic(){
    /**
     * Stores the uploaded 'pic' field in the temp upload directory.
     *
     * Returns an array with 'boolen' (1 on success, 0 on failure) and either
     * 'type_data'/'picurl' (relative path and public URL of the stored file)
     * or 'message' (failure text).
     *
     * NOTE(review): no extension, MIME or content check is performed here;
     * whatever the client submits under 'pic' is written to the temp
     * directory as-is, so a client-side filter alone does not protect it.
     */
    $result = array();

    if( !$_FILES['pic'] ){
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }

    // perform the upload
    $savePath = $this->_getSaveTempPath();
    $origName = $_FILES['pic']['name'];
    // Everything after the FIRST dot of the client-supplied name is kept as
    // the suffix, so multi-part extensions survive unchanged.
    $suffix = substr($origName, strpos($origName, '.') + 1);
    $filename = md5( time().'teste' ).'.'.$suffix;
    $target = $savePath.'/'.$filename;
    $tmp = $_FILES['pic']['tmp_name'];

    if( @copy($tmp, $target) || @move_uploaded_file($tmp, $target) ){
        $result['boolen'] = 1;
        $result['type_data'] = 'temp/'.$filename;
        $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }

    return $result;
}
uploadpic() 方法没有对文件类型进行验证。
可以构建表单，选择任意文件，提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址（去掉 small_、middle_ 前缀）。
" e3 i; Z+ {, h s在登录thinksns官方微博后,1 ^1 K: Y& k' Z5 S" t
构建以下表单:8 p s( I% L2 t
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀（small_）。
" }* K! K S! k5 }& Z修复方案:; L) E, k3 }/ F( V" Q+ ]
\api\StatusesApi.class.php
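function uploadpic(){
    /**
     * 20121018 @yelo
     * 增加上传类型验证
     *
     * Stores the uploaded 'pic' field in the temp upload directory after
     * checking that it is an image.
     *
     * Returns an array: 'boolen' (1 success / 0 failure) plus either
     * 'type_data' and 'picurl' (relative path and public URL of the stored
     * file) or 'message' (failure text).
     *
     * Checks applied, in order:
     *  - the 'pic' field is present;
     *  - the last extension of the client name, lower-cased, is in $allowExts;
     *  - getimagesize() recognises the content as an image, so an allowed
     *    extension on a non-image file is not enough.
     * The stored name is built from a hash plus the validated extension only:
     * the original code copied everything after the FIRST dot of the client
     * name, which let multi-part extensions through even after the check.
     */
    $result = array('boolen' => 0, 'message' => '上传失败');
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    if( empty($_FILES['pic']) ){
        return $result;
    }

    // pathinfo() has no 'extension' key for names without a dot; treat that
    // as "no extension" instead of raising a notice.
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    if( !in_array($ext, $allowExts, true) ){
        return $result;
    }

    $tmp = $_FILES['pic']['tmp_name'];
    // Content check: rejects files that merely carry an allowed extension.
    if( @getimagesize($tmp) === false ){
        return $result;
    }

    // perform the upload
    $savePath = $this->_getSaveTempPath();
    // uniqid() avoids two uploads in the same second mapping to one name,
    // which the plain md5(time()) scheme would silently overwrite.
    $filename = md5( uniqid(time().'teste', true) ).'.'.$ext;
    $target = $savePath.'/'.$filename;

    // move_uploaded_file() is tried first because it refuses paths that were
    // not produced by an HTTP upload; copy() stays as the original fallback
    // (presumably for callers that stage the file locally — confirm).
    if( @move_uploaded_file($tmp, $target) || @copy($tmp, $target) ){
        $result = array(
            'boolen'    => 1,
            'type_data' => 'temp/'.$filename,
            'picurl'    => SITE_PATH.'/uploads/temp/'.$filename,
        );
    }

    return $result;
}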