When an image is attached to a weibo post, the file is validated only on the front end; the server side performs no security filtering at all.

\api\StatusesApi.class.php

function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type in any way.

A form can be built that picks an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found on the newly posted weibo (strip the small_ and middle_ prefixes).

After logging in to the official ThinkSNS weibo, build the following form:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the image URL to reach the file as uploaded.

Fix:

\api\StatusesApi.class.php

function uploadpic(){
    /**
     * 20121018 @yelo
     * add upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
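The original uploadpic() trusts whatever the browser sends, and the patch above whitelists only the last extension reported by pathinfo() while still building the stored name from everything after the first '.' of the original name, and still accepts @copy() of a path that was never uploaded. The following is an added example, not ThinkSNS code, of a stricter server-side check for the same upload path: the extension whitelist is kept, the bytes are sniffed with finfo and getimagesize() and must agree with the claimed type, only genuine uploads pass is_uploaded_file(), and the stored name is derived from the validated extension plus random bytes. The function names validateUploadedImage() and storeUploadedImage(), the $saveDir parameter and the 1x1 PNG used in the demo are all assumptions constructed for this example.

```php
<?php
// Added example (not ThinkSNS code): server-side image upload validation
// for a $_FILES-style entry. Names below are hypothetical.
declare(strict_types=1);

// extension => MIME type that finfo and getimagesize() must both report
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry. Returns the canonical extension to store the
 * file under, or null if anything about the upload is suspicious.
 */
function validateUploadedImage(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!isset($file['name'], $file['tmp_name']) || !is_file($file['tmp_name'])) {
        return null;
    }
    // Whitelist by the last extension only; the stored name is later built
    // from this value, so nothing else from the client name survives.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    // Content sniffing: the bytes must look like the image type claimed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;
    }
    // getimagesize() must also parse it as an image of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    // Canonicalise jpeg -> jpg so stored names have one spelling.
    return $ext === 'jpeg' ? 'jpg' : $ext;
}

/**
 * Move a validated upload into $saveDir under an unguessable name.
 * Only real uploads are accepted (is_uploaded_file), unlike @copy().
 */
function storeUploadedImage(array $file, string $saveDir): array
{
    $ext = validateUploadedImage($file);
    if ($ext === null || !is_uploaded_file($file['tmp_name'])) {
        return ['boolen' => 0, 'message' => 'upload rejected'];
    }
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest     = rtrim($saveDir, '/') . '/' . $filename;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['boolen' => 0, 'message' => 'upload failed'];
    }
    return ['boolen' => 1, 'type_data' => 'temp/' . $filename];
}

// Offline demo with constructed inputs (run: php upload_check.php).
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir();
    // A genuine 1x1 transparent PNG (constructed) and a PHP text file.
    $png = $tmp . '/ok.tmp';
    file_put_contents($png, base64_decode(
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII='));
    $php = $tmp . '/bad.tmp';
    file_put_contents($php, "<?php echo 'not an image';");

    $cases = [
        'photo.png'        => $png, // accepted as .png
        'notimage.php.jpg' => $php, // rejected: bytes are not a JPEG
        'notimage.php'     => $php, // rejected: extension not whitelisted
    ];
    foreach ($cases as $name => $path) {
        $file    = ['name' => $name, 'tmp_name' => $path, 'error' => UPLOAD_ERR_OK];
        $verdict = validateUploadedImage($file);
        printf("%-17s -> %s\n", $name, $verdict === null ? 'rejected' : "accepted as .$verdict");
    }
    unlink($png);
    unlink($php);
}
```

The demo exercises only validateUploadedImage(), because is_uploaded_file() is true only for files that arrived through a real HTTP request, so storeUploadedImage() has to be called from the actual upload handler with $_FILES['pic'] and the temp directory the project already uses.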