When an image is attached to a weibo post, the upload is validated only in the front end; the server side performs no security filtering at all.

\api\StatusesApi.class.php

function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // the extension is taken verbatim from the client-supplied name: everything after the first '.'
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败'; // "upload failed"
    }
    return $result;
}
The uploadpic() method does not validate the file type in any way.

So you can build a form, pick an arbitrary file, and submit it to

/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted weibo (strip the small_ / middle_ thumbnail prefix to get the original file).

After logging in to the official ThinkSNS weibo site,
build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Then strip the thumbnail prefix (small_) from the image URL in the new post to reach the uploaded file itself.

Fix:

\api\StatusesApi.class.php

function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    // only the last extension is checked against the allowlist
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败'; // "upload failed"
    }
    return $result;
}
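The fix above is an extension allowlist and nothing more: it checks the last extension with pathinfo(), while the stored filename is still built from everything after the first '.' in the client-supplied name, and the file content is never inspected. Below is a hardened version of the handler, added here as an example and not part of ThinkSNS: it validates the upload by content (getimagesize), cross-checks the client extension against the detected type, chooses the stored name and extension itself, and uses move_uploaded_file() only. Assumptions: PHP 7+ (random_bytes); the $savePath and $sitePath parameters stand in for $this->_getSaveTempPath() and SITE_PATH from the page; the 2 MB limit and the message strings are illustrative.

```php
<?php
// Added example, not ThinkSNS code: a hardened replacement for uploadpic().
// $savePath / $sitePath stand in for $this->_getSaveTempPath() and SITE_PATH
// as used on the page; the size limit and messages are assumptions.
function uploadpic_hardened(array $files, string $savePath, string $sitePath): array
{
    $result = array('boolen' => 0, 'message' => '上传失败'); // "upload failed"

    // 1. The field must exist and must be a genuine upload. is_uploaded_file()
    //    rejects any path that did not come through the PHP upload mechanism.
    if (!isset($files['pic']) || !is_array($files['pic'])
        || $files['pic']['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($files['pic']['tmp_name'])) {
        return $result;
    }
    $tmp = $files['pic']['tmp_name'];

    // 2. Size limit (2 MB, assumed) before parsing the content.
    if (filesize($tmp) > 2 * 1024 * 1024) {
        $result['message'] = 'file too large';
        return $result;
    }

    // 3. Decide the type from the content, not from the client-supplied name.
    //    A PHP script renamed to .jpg has no image header and fails here.
    $info = @getimagesize($tmp);
    $allowedTypes = array(IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF);
    if ($info === false || !in_array($info[2], $allowedTypes, true)) {
        $result['message'] = 'not an allowed image';
        return $result;
    }

    // 4. Cross-check the client extension against the detected type, so that
    //    names like "shell.php.jpg" or "x.jpg.php" are rejected, not renamed.
    $ext = strtolower(pathinfo($files['pic']['name'], PATHINFO_EXTENSION));
    $detectedExt = ltrim(image_type_to_extension($info[2], false), '.'); // jpeg|png|gif
    $extOk = ($ext === $detectedExt) || ($detectedExt === 'jpeg' && $ext === 'jpg');
    if (!$extOk) {
        $result['message'] = 'extension does not match content';
        return $result;
    }

    // 5. Server-chosen filename: unguessable, with exactly one extension taken
    //    from the detected type. md5(time()) in the original is predictable.
    $storedExt = ($detectedExt === 'jpeg') ? 'jpg' : $detectedExt;
    $filename = bin2hex(random_bytes(16)) . '.' . $storedExt;
    $dest = rtrim($savePath, '/') . '/' . $filename;

    // 6. move_uploaded_file() only. The original also tried copy(), which
    //    happily reads any path it is handed, not just the upload temp file.
    if (!move_uploaded_file($tmp, $dest)) {
        return $result;
    }
    @chmod($dest, 0644); // stored image is data, never executable

    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => $sitePath . '/uploads/temp/' . $filename,
    );
}
```

Call it as uploadpic_hardened($_FILES, $this->_getSaveTempPath(), SITE_PATH) in place of the original. A polyglot such as a GIF with PHP appended still passes getimagesize(), which is why the stored extension is chosen by the server and why, independently of this check, the uploads directory should be served as static files with script execution disabled: a file that validates as an image must never be executable as PHP.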