微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。

\api\StatusesApi.class.php

/**
 * Pre-fix version of uploadpic() as quoted in the report.
 *
 * The only gate is the truthiness check on $_FILES['pic'] below: nothing
 * verifies the extension or the content of the upload before it is written
 * to the temp directory and its URL handed back to the caller.
 *
 * @return array{boolen:int, type_data?:string, picurl?:string, message?:string}
 */
function uploadpic(){
    if( $_FILES['pic'] ){
        // Perform the upload.
        $savePath = $this->_getSaveTempPath();
        // Stored name = md5(time) + everything after the FIRST dot of the
        // client-supplied filename, so the client controls the stored
        // extension(s) entirely (a name like "a.php.jpg" keeps ".php.jpg").
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // @copy() is tried first; unlike move_uploaded_file() it does not
        // check that tmp_name is a genuine upload, and @ hides any warning.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证。
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost

在新提交的微博上可以找到上传的文件地址(去掉 small_、middle_ 前缀)。

在登录thinksns官方微博后, 构建以下表单:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_)。

修复方案:

\api\StatusesApi.class.php

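/**
 * Saves the image uploaded as $_FILES['pic'] into the temp upload directory.
 *
 * 20121018 @yelo: added upload type validation.
 *
 * Review notes on that fix:
 *  - The whitelist was checked against pathinfo()'s extension, but the stored
 *    filename kept everything after the FIRST dot of the client name, so a
 *    name ending in an allowed extension could still be stored with extra
 *    extensions in front of it. The validated extension is now the only one
 *    written to disk.
 *  - @copy() ran before move_uploaded_file(); copy() does not verify that
 *    the source is a genuine upload, so only move_uploaded_file() is used.
 *  - md5(time().'teste') collides for two uploads in the same second and
 *    would silently overwrite; the name now carries a uniqid()/mt_rand() part.
 *
 * @return array{boolen:int, type_data?:string, picurl?:string, message?:string}
 */
function uploadpic(){
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $file = isset($_FILES['pic']) ? $_FILES['pic'] : null;
    // A missing or failed upload never reaches the extension check.
    $fileOk = is_array($file)
        && isset($file['error']) && $file['error'] === UPLOAD_ERR_OK
        && isset($file['tmp_name']) && is_uploaded_file($file['tmp_name']);

    $ext = '';
    if ($fileOk && isset($file['name'])) {
        $pathinfo = pathinfo($file['name']);
        // pathinfo() omits 'extension' when the name has no dot.
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    }

    if ($fileOk && in_array($ext, $allowExts, true)) {
        // Perform the upload.
        $savePath = $this->_getSaveTempPath();
        // The stored name uses only the validated extension, never the raw
        // client filename; uniqid()+mt_rand() avoids same-second collisions.
        $filename = md5(uniqid(mt_rand(), true)) . '.' . $ext;
        $target = $savePath . '/' . $filename;

        if (move_uploaded_file($file['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/' . $filename;
            $result['picurl'] = SITE_PATH . '/uploads/temp/' . $filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}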
! w/ @; r: c$ ]2 }6 E1 N
! h5 U9 l, ^9 l. ?" A! t5 z. s |