微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。8 B+ n2 ~; d9 v: Z0 u
6 u! p& s @' X, S# V + r) G# i' m6 W
\api\StatusesApi.class.php
) V- [$ i% Z9 k4 ~
$ J. N& [7 A( ^function uploadpic(){
: v0 B3 g' d& r if( $_FILES['pic'] ){- e4 h; \- s1 U, O
//执行上传操作
* v3 c6 }2 ^( Y* ^ P/ K $savePath = $this->_getSaveTempPath();
3 ^- K/ s3 P6 X+ B* _+ q6 V $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
; [% f# N; h0 R. Y& A8 @; Z9 f- M if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
. r& v2 J& B+ I# e0 V" c {4 Q# C. j. A( I. I9 v( i
$result['boolen'] = 1;
6 n; }' C! g5 `) D $result['type_data'] = 'temp/'.$filename;7 W% j' N3 N, ]- H% B
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
2 l/ j, A5 a$ W6 b+ |# u" n } else {% T7 D: h& S- H
$result['boolen'] = 0;) O7 h" `) A4 f" }3 j! Z* G. Q5 T
$result['message'] = '上传失败';
& s9 y# L0 D d( R# _! r }! p6 w7 B3 c' ] D) I
}else{* y* v9 k- A) P0 O; u: l$ H
$result['boolen'] = 0;
0 _% r( K" S* c, p$ i* \ $result['message'] = '上传失败';
8 G9 j- y4 v9 g, J4 v }3 [% i& o$ I% H, _9 A
return $result; b s8 {9 I8 X1 Q% M
}
# H- _0 m& x: ]5 I1 `, c8 ^0 lunloadpic()方法没有对文件类型进行验证1 k* p" p4 n. j. p
, g+ C: L) Z, k5 j& ^/ |可以构建表单, 选择任意文件, 提交到3 x3 N2 Z* n2 H( @! Q: e Y, e
/index.php?app=w3g&mod=Index&act=doPost
5 H% s0 o* w3 P+ R( f9 k* f* J
& u7 z2 w7 V7 x在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)- _# D1 l& t G) }
2 |, n/ \( a* D" Q5 m! M. f/ [1 h- g. \$ H% d a" Q; [
在登录thinksns官方微博后,4 r6 y: g7 A7 o0 e, W" t
构建以下表单:
) _" N2 R% M0 D2 i V+ m( K" l. s/ H' _
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />& ]* v2 z6 ?) A5 Q2 ?
<textarea name="content">test</textarea>! D9 J% b7 G/ ~* W1 [
file: <input id="file" type="file" name="pic" />
6 R8 h: | x% U& T. a' q<input type="submit" value="Post" />
# M* ]- [3 l& {' g1 n3 i7 G5 F</form> A& j2 H: |8 u3 C
去掉缩略图的前缀(small_ )$ F3 d: ?- u( x1 Z9 }
修复方案:
3 j8 ~ ?1 ~8 n, n- o
$ ^2 }1 \3 W& m3 v- G* b
- }6 l$ v- q9 V" C# b, b\api\StatusesApi.class.php
: @9 Z" ?1 Z! |: A( q& c5 p& k: F 7 S) y0 w% p- D3 L8 D$ V7 _
function uploadpic(){
7 M; t0 X+ M+ |, t2 x /**- y3 c+ K! G/ ]! M+ W5 w. F
* 20121018 @yelo
/ o1 H2 W# N5 S5 j4 C( { * 增加上传类型验证
% q" @1 c% y: Z S */, ]5 @. ]8 f2 z+ r
$pathinfo = pathinfo($_FILES['pic']['name']);
! w! x* l8 q% v q& | $ext = $pathinfo['extension'];
1 h ?: P8 @7 {/ }' g$ Y$ W4 Q; I $allowExts = array('jpg', 'png', 'gif', 'jpeg');- U$ U7 A. R% @' R m0 G% i( q0 L
& o9 N: n# Q- \: q6 E- d $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);* x. |+ G, ]; ~* g1 G
3 x7 y! M1 a# w1 A- y if( $uploadCondition ){
* Z" t$ d- j+ x# {3 r3 E# J/ H7 D //执行上传操作
/ u5 Z6 `& T) m& h0 v' P $savePath = $this->_getSaveTempPath();# T$ }) r- l6 L {4 _. v5 _
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
/ }% ?2 R& ^) r: E if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
- ~& \! Q* E/ h, ]+ v/ y _ { }# |) S" T/ T9 s2 J9 Q2 K" D$ z
$result['boolen'] = 1;9 {3 V( s3 f: h* x1 N
$result['type_data'] = 'temp/'.$filename;5 b4 v! X! ?9 D8 e; t K- M) i
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;. [( \7 d% P! Z4 \1 A k/ r
} else {" T& D% M" g, j6 d% ^' G1 M
$result['boolen'] = 0;
3 b: l* `' r- s $result['message'] = '上传失败';+ F* c( ^3 m5 o7 S+ G" I' r
}
2 [3 C: g: h9 m/ B" H }else{% U; r' W% C* \ {* l% _
$result['boolen'] = 0;- t% n; |* z9 q; M1 m; n
$result['message'] = '上传失败';
1 Q. w; Q4 s3 U3 T5 n( L }
; M) E1 e- B( B* E, wreturn $result;
0 Q b# Y S! t5 B }- K: [ |) `4 D) R* g7 M, G
( ~! A1 g7 X ^6 ^* V$ u _
. C! U: y7 F) h* y$ i, J. m$ C |
发表于 2012-12-4 11:12:30
收藏
支持
反对