微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。

\api\StatusesApi.class.php

function uploadpic(){
    /**
     * Save the file posted as $_FILES['pic'] into the temp upload directory
     * and report the result.
     *
     * @return array 'boolen' => 1|0; on success also 'type_data' (path
     *               relative to the uploads directory) and 'picurl'
     *               (absolute URL); on failure 'message'.
     */
    // NOTE(review): the truthiness of $_FILES['pic'] is the only precondition.
    // Nothing here checks the extension, the declared type or the contents,
    // so whatever the client submits is stored and its URL returned.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // The stored name keeps everything after the FIRST dot of the
        // client-supplied name: "x.php.jpg" is saved as "<md5>.php.jpg", and a
        // name without a dot makes strpos() return false, i.e. offset 1.
        // md5(time()) also collides for two uploads in the same second.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried first; unlike move_uploaded_file() it does not
        // verify that tmp_name is this request's upload, and @ hides the
        // failure reason of both calls.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证

可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)

在登录thinksns官方微博后,
构建以下表单:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )
修复方案:

\api\StatusesApi.class.php

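function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation.
     *
     * Save the file posted as $_FILES['pic'] into the temp upload directory
     * after checking that it is an allowed image, and report the result.
     *
     * Validation done here:
     *  - the entry must be a successful upload of this request
     *    (error == UPLOAD_ERR_OK, is_uploaded_file());
     *  - the extension, taken from the LAST dot via pathinfo(), must be in
     *    the whitelist ("x.php.jpg" is judged by "jpg");
     *  - the bytes must parse as GIF/JPEG/PNG (getimagesize());
     *  - the stored name is generated here and carries only the validated
     *    extension, so no part of the client-supplied name reaches the
     *    filesystem (the earlier version re-derived the suffix from the
     *    first dot, which let "<hash>.php.jpg" be written).
     * Serving the upload directory without script execution remains a
     * separate, recommended layer.
     *
     * @return array 'boolen' => 1|0; on success also 'type_data' (path
     *               relative to the uploads directory) and 'picurl'
     *               (absolute URL); on failure 'message'.
     */
    $result = array('boolen' => 0, 'message' => '上传失败');

    // Reject anything that is not a completed upload of this request before
    // reading its metadata; isset() avoids notices when 'pic' is absent.
    if( !isset($_FILES['pic']) || !is_array($_FILES['pic'])
        || !isset($_FILES['pic']['error']) || $_FILES['pic']['error'] !== UPLOAD_ERR_OK
        || !isset($_FILES['pic']['tmp_name']) || !is_uploaded_file($_FILES['pic']['tmp_name']) ){
        return $result;
    }

    // Extension whitelist. pathinfo() has no 'extension' key when the name
    // contains no dot, so default to '' which fails the check.
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    if( !in_array($ext, $allowExts, true) ){
        return $result;
    }

    // Content check: the client-supplied name and MIME type are not trusted
    // on their own; the data must decode as one of the allowed formats.
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
    $imageInfo = getimagesize($_FILES['pic']['tmp_name']);
    if( $imageInfo === false || !in_array($imageInfo[2], $allowTypes, true) ){
        return $result;
    }

    // perform the upload
    $savePath = $this->_getSaveTempPath();
    // uniqid() instead of time() so two uploads in the same second do not
    // overwrite each other; only the validated $ext is appended.
    $filename = md5( uniqid('', true).'teste' ).'.'.$ext;
    $target = $savePath.'/'.$filename;

    // move_uploaded_file() only: it refuses a tmp_name that is not this
    // request's upload, which the former copy() fallback did not.
    if( move_uploaded_file($_FILES['pic']['tmp_name'], $target) ){
        $result = array(
            'boolen'    => 1,
            'type_data' => 'temp/'.$filename,
            'picurl'    => SITE_PATH.'/uploads/temp/'.$filename,
        );
    }
    return $result;
}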