微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。8 R6 z7 E. l: _ \; v5 ?
7 O8 s# J7 w1 x- w# ~
- b5 b: e' R2 @: G2 F5 I0 h
\api\StatusesApi.class.php
$ X2 X2 z l$ s9 f; b " W. D% B: e6 t. @+ ]1 [( R
function uploadpic(){
$ _: @5 n4 `* k. s6 p& U if( $_FILES['pic'] ){
! P3 m4 _/ o5 G: C1 C9 o. H //执行上传操作
0 k$ P z d7 p $savePath = $this->_getSaveTempPath();
% b/ m2 y- g O% K9 H $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1); A, o7 _4 ]& K( U
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename)): K& M) |6 @- @0 ~1 s
{' H8 j9 G" h* d5 X3 t- h4 z
$result['boolen'] = 1;
/ f$ E" y$ R8 e) k) P $result['type_data'] = 'temp/'.$filename;
& I [" z2 e) O$ |' H. Z% x# X $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;; R" \( C) @4 o; ?
} else {3 F; E0 G4 [) X# C$ y7 ~0 h) ]
$result['boolen'] = 0;
7 c; u" t( W4 d4 z" n2 @/ Z $result['message'] = '上传失败';- }* E% b3 m# B- M# Y! n
}
6 b2 y" ~$ `5 R$ r }else{8 d' y" x2 o8 ?
$result['boolen'] = 0;
0 h5 p( q6 [ X3 U0 V $result['message'] = '上传失败';
9 ?+ n# |' U$ K m; T& l6 s* g }
. f# g) F+ T i& v( ?- u& |return $result;4 L4 k- N9 A2 v; Y
}. I! G8 ]9 K4 v7 {- D0 D: ? k0 e
unloadpic()方法没有对文件类型进行验证
& y H9 e: [" ]5 ?' Y- w
2 K! b- t1 @5 j" U' z/ I可以构建表单, 选择任意文件, 提交到$ F0 |$ t" G$ v
/index.php?app=w3g&mod=Index&act=doPost
3 f: T6 Z& h5 K3 J( i+ ^ 5 F7 L W1 i6 K6 G, c8 m) L9 l
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
: V* g6 K! d3 a" `/ Z! y( i
/ z0 m5 }' _' n: n5 l+ X+ h* m/ \( l5 ~' k. K
在登录thinksns官方微博后,
0 B7 l# x v- X- P* Q1 x/ s构建以下表单:
, J( U1 u. J# {+ ? ! ]* D( H) G! @% L
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />" ?5 O7 C8 u5 p$ O. V/ K% G
<textarea name="content">test</textarea>
* L L, v: t! J% |; c4 U& Tfile: <input id="file" type="file" name="pic" />
! q$ m" b/ N% i! o. N/ E, k<input type="submit" value="Post" />9 r$ q9 {1 V( _1 r0 ]- F0 P
</form>
- V1 {3 p5 W! Z$ e' y去掉缩略图的前缀(small_ )
& D8 Y; M, }8 ^6 a& c- h* p4 z修复方案:
( K* A M! ]; |& x% }; F2 H3 G; ]& [$ ~8 _# O$ o
8 `! T5 { u( C" Z# }( c2 @( S/ u
\api\StatusesApi.class.php; I& g, z3 G1 z: g% _+ k
+ F5 C$ J9 I6 l2 @4 ?function uploadpic(){) s9 B a# }6 L$ g- J3 ]: u0 i
/**
1 T9 W. ]+ y; P9 {1 g, e: Z * 20121018 @yelo6 s0 Y6 k) x% y" |, g% x/ c
* 增加上传类型验证1 r6 N) R4 t" ?9 n" u# n. o
*/$ q, ^1 Y, ~ r0 ^# A% q/ Z7 t
$pathinfo = pathinfo($_FILES['pic']['name']);9 }: a q$ S# |' b# P
$ext = $pathinfo['extension'];
' V' |$ b G1 n( o& J* F $allowExts = array('jpg', 'png', 'gif', 'jpeg');9 Y0 ?( G0 C% S: j0 f
* [7 M& `$ U1 I0 E $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
2 N; B2 b, Z. R6 g2 S
8 z& k% J# c P: ]9 J4 M* M `2 R if( $uploadCondition ){# j) I J/ V' v6 k
//执行上传操作4 E, }# P5 {. e; T5 ]8 m
$savePath = $this->_getSaveTempPath();
( s: @1 ]% ]$ z3 U8 l, b0 I3 c $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);7 M, l( |% X9 C
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
# }4 k; @& C0 Q' k* L8 C! D; ` Y {
; h L4 D4 R. P$ s1 t $result['boolen'] = 1;
; @6 O3 l; y0 R1 _4 b# C $result['type_data'] = 'temp/'.$filename;, {4 E! B3 M' Q* Q- t) Y1 h
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
( i% j9 n) v4 T } else {
" E) H% V: C8 r' k. L( J" k9 O $result['boolen'] = 0;3 i* |) q) w$ a
$result['message'] = '上传失败'; j5 M0 Q1 F7 E! a
}
% V) W8 E% W+ B2 z+ N) U2 B/ Q }else{
/ ~. H# G. n5 d $result['boolen'] = 0;+ E1 k7 c! e6 D/ `
$result['message'] = '上传失败';& `8 G6 @9 n: k; U/ }
}: v4 F2 f6 \4 J% G
return $result;3 Q/ P2 h3 E" ] K. b% R
}& n+ P: x# |. ]& {" l
6 p3 E1 S% \; r, h# m; w# w4 ^
# J& d$ u4 D9 g; \- A, b) B, z: J |