When an image is attached to a microblog post, the file is validated only in the front end; the server side performs no security filtering at all.

\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload: no check on file type, and the extension is
        // taken verbatim from the client-supplied name (everything after the first dot)
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = 'upload failed';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = 'upload failed';
    }
    return $result;
}
The uploadpic() method does not validate the file type at all.

A form can therefore be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted microblog entry (strip the small_ / middle_ thumbnail prefix from the image name to reach the original file).

After logging into the official ThinkSNS microblog, build the following form:
5 T4 H: o6 x' l- x+ `: h
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>

Strip the thumbnail prefix (small_) from the image URL shown in the post to get the URL of the file as uploaded.
Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // reject the upload unless the extension is in the whitelist
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = 'upload failed';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = 'upload failed';
    }
    return $result;
}
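Two things are worth noticing about the fix above. pathinfo() returns only the text after the last dot, while $filename still keeps everything after the first dot of the client-supplied name, so a file called a.php.jpg passes the whitelist and is stored as <md5>.php.jpg (whether that is served as PHP depends on the web server's handler configuration). The fix also never looks at the file's bytes, and the @copy() fallback accepts a source path that is not an HTTP upload. The following is an added example written for this page, not ThinkSNS code, showing a stricter handler: it keeps the extension whitelist, checks the image header with getimagesize(), derives the stored extension from the detected type rather than from the name, and uses move_uploaded_file() only. The function names validate_image_upload() and save_image_upload() and the $saveDir parameter are assumptions; PHP 7 or later is assumed for random_bytes().

```php
<?php
// Added example for this page (not ThinkSNS code). Hypothetical helper names;
// assumes a $_FILES-style entry for the "pic" field and PHP >= 7.0.

/**
 * Returns a safe file name (random hex + validated extension) or null if the
 * upload must be refused. Looks at both the client name and the file bytes.
 */
function validate_image_upload(array $file, array $allowExts = array('jpg', 'jpeg', 'png', 'gif'))
{
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }

    // Whitelist the extension of the client-supplied name. PATHINFO_EXTENSION
    // is the part after the LAST dot, so "a.php.jpg" still passes this test;
    // that is why nothing from $file['name'] is reused when building the path.
    $ext = strtolower((string) pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return null;
    }
    if ($ext === 'jpeg') {
        $ext = 'jpg'; // same format, one canonical extension
    }

    // Check the bytes, not the name: getimagesize() parses the image header
    // and returns false for a PHP script that was merely renamed to .jpg.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $imageTypeToExt = array(
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    );
    if (!isset($imageTypeToExt[$info[2]])) {
        return null; // e.g. BMP or WebP: not in the allowed set
    }
    $realExt = $imageTypeToExt[$info[2]];
    if ($realExt !== $ext) {
        return null; // header says PNG but the name says .gif: refuse rather than guess
    }

    // Stored name is random bytes plus the extension derived from the detected
    // type, so "../", ".php.jpg" and friends never reach the file system.
    return bin2hex(random_bytes(16)) . '.' . $realExt;
}

/**
 * Equivalent of uploadpic() built on validate_image_upload().
 * $saveDir is the writable temp directory (hypothetical parameter).
 */
function save_image_upload(array $file, $saveDir)
{
    // Only accept a file PHP itself received via HTTP upload; the copy()
    // fallback in the original code drops this guarantee.
    if (!is_uploaded_file($file['tmp_name'])) {
        return array('boolen' => 0, 'message' => 'upload failed');
    }
    $name = validate_image_upload($file);
    if ($name === null) {
        return array('boolen' => 0, 'message' => 'upload failed');
    }
    $dest = rtrim($saveDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array('boolen' => 0, 'message' => 'upload failed');
    }
    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $name,
    );
}

// Usage inside a controller (assumed call site):
// $result = save_image_upload($_FILES['pic'], $this->_getSaveTempPath());
```

Validating the bytes does not make the upload directory safe on its own: a valid GIF can still carry PHP code in its comment block, so the uploads directory should additionally be configured so the web server never executes scripts from it (for example, disabling the PHP handler for that directory), which is independent of the checks above.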