When an image is uploaded with a weibo post, validation happens only in the front end; the server side performs no security filtering.

\api\StatusesApi.class.php
function uploadpic(){
    $result = array();
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Vulnerable: the extension is copied verbatim from the client-supplied name
        // (everything after the first '.') with no type check at all.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type.

One can build a form, pick an arbitrary file, and submit it to

/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted weibo (strip the small_ and middle_ prefixes).

After logging in to the official ThinkSNS weibo, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_).

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     */
    $result = array();
    // Guard against a missing upload or a name without any extension
    // (pathinfo() / ['extension'] would otherwise raise notices).
    $pathinfo = isset($_FILES['pic']) ? pathinfo($_FILES['pic']['name']) : array();
    $ext = isset($pathinfo['extension']) ? $pathinfo['extension'] : '';
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // Proceed only when a file was sent and its extension is on the whitelist
    $uploadCondition = !empty($_FILES['pic']) && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Note: the stored name still keeps everything after the first '.' of the
        // client name, not only the validated $ext.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
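As an added example (not ThinkSNS code and not part of the patch above), a stricter server-side handler in the same result style: it whitelists the declared extension, verifies the actual bytes with finfo and getimagesize, and names the stored file from the detected type instead of the client filename. It assumes PHP 7+ with the fileinfo and GD extensions; the function name and the $saveDir parameter are my own.

```php
<?php
// Added example, not ThinkSNS code: server-side image validation that does not
// trust the client-supplied filename or Content-Type. Assumes PHP 7+ with the
// fileinfo and GD extensions enabled.

function store_uploaded_image(array $file, $saveDir) {
    // Canonical extension for each accepted type, keyed by content-detected MIME.
    static $imageTypes = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    );
    $result = array('boolen' => 0, 'message' => '上传失败');

    // 1. Must be a genuine upload from this request with no transport error.
    if (!isset($file['name'], $file['tmp_name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return $result;
    }

    // 2. Cheap first filter: the declared extension must be whitelisted.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, array('jpg', 'jpeg', 'png', 'gif'), true)) {
        return $result;
    }

    // 3. The declared type is not trusted: detect the MIME type from the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($imageTypes[$mime])) {
        return $result;
    }

    // 4. It must also decode as an image of that same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return $result;
    }

    // 5. Name the file ourselves: random name plus the extension that belongs to
    //    the detected type, so nothing from the client name reaches the disk.
    $filename = bin2hex(random_bytes(16)) . '.' . $imageTypes[$mime];
    $dest = rtrim($saveDir, '/') . '/' . $filename;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return $result;
    }
    return array('boolen' => 1, 'type_data' => 'temp/' . $filename);
}
```

Because the stored files are served from a web-reachable path such as /uploads/temp/, that directory should additionally be configured so the web server never executes anything placed in it.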