微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。

\api\StatusesApi.class.php

/**
 * Vulnerable version quoted by the advisory (kept as-is for reference).
 *
 * Stores the 'pic' part of the current multipart request in the temp upload
 * directory and returns a result array:
 *   boolen    1 on success, 0 on failure
 *   type_data 'temp/<name>' on success
 *   picurl    SITE_PATH.'/uploads/temp/<name>' on success
 *   message   '上传失败' on failure
 *
 * Defect: nothing in this method inspects the extension or the content of the
 * uploaded file, so the only check is the one the browser-side form performs.
 */
function uploadpic(){
    // Only tests that a 'pic' part exists; no server-side type check follows.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // The stored extension is copied from the client-supplied name, from the
        // FIRST dot onward, so 'a.php.jpg' is stored as '<hash>.php.jpg'.
        // md5(time()) also yields the same name for uploads in the same second.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried before move_uploaded_file() and, unlike it, does not
        // require tmp_name to be a genuine upload; both failures are @-silenced.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证

可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost

在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)

在登录thinksns官方微博后,
构建以下表单:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
' `% |. {$ D' [<textarea name="content">test</textarea>1 m6 Z- W, M8 b1 M3 t
file: <input id="file" type="file" name="pic" />8 r( l |% |9 D" ^ c
<input type="submit" value="Post" />
% A2 W" Y7 |/ K. b5 c) j0 x</form>
去掉缩略图的前缀(small_ )
修复方案:

\api\StatusesApi.class.php
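/**
 * Stores the 'pic' part of the current multipart request in the temp upload
 * directory and returns a result array:
 *   boolen    1 on success, 0 on failure
 *   type_data 'temp/<name>' on success
 *   picurl    SITE_PATH.'/uploads/temp/<name>' on success
 *   message   '上传失败' on failure
 *
 * 20121018 @yelo: added upload type validation.
 *
 * Review: the extension allowlist alone left three gaps that this version
 * closes - the stored name kept everything after the first dot of the
 * client-supplied name ('x.php.jpg' -> '<hash>.php.jpg'), the file body was
 * never checked to be an image, and copy() accepted a tmp_name that was not a
 * real upload. md5(time()) also collided for two uploads in the same second.
 */
function uploadpic(){
    $failure = array('boolen' => 0, 'message' => '上传失败');

    // Guard the superglobal before reading it: no 'pic' part, or a part whose
    // transfer failed, is a plain failure (and avoids undefined-index notices).
    if (!isset($_FILES['pic']) || !is_array($_FILES['pic'])
        || !isset($_FILES['pic']['error']) || $_FILES['pic']['error'] !== UPLOAD_ERR_OK) {
        return $failure;
    }

    $allowExts  = array('jpg', 'png', 'gif', 'jpeg');
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

    // Check the LAST extension (pathinfo), lower-cased, against the allowlist.
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    if (!in_array($ext, $allowExts, true)) {
        return $failure;
    }

    // The extension is client-controlled; additionally require the file body
    // to parse as one of the allowed image formats. getimagesize() warns on
    // non-image input, which is the expected rejection path here, hence @.
    $tmpName = $_FILES['pic']['tmp_name'];
    if (!is_uploaded_file($tmpName)) {
        return $failure;
    }
    $imageInfo = @getimagesize($tmpName);
    if ($imageInfo === false || !in_array($imageInfo[2], $allowTypes, true)) {
        return $failure;
    }

    // Build the stored name from the validated extension only, with a
    // per-request unique stem instead of the second-granular md5(time()).
    $filename = md5(uniqid(mt_rand(), true)) . '.' . $ext;
    $savePath = $this->_getSaveTempPath();
    $target   = $savePath . '/' . $filename;

    // move_uploaded_file() refuses anything that is not a genuine upload, so
    // the copy() fallback of the earlier version is dropped.
    if (!move_uploaded_file($tmpName, $target)) {
        return $failure;
    }

    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => SITE_PATH . '/uploads/temp/' . $filename,
    );
}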