When an image is uploaded with a weibo (microblog) post, validation happens only on the front end; the server side performs no security filtering.

\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload (no check on the file type is made here)
        $savePath = $this->_getSaveTempPath();
        // the extension is copied verbatim from the client-supplied file name
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type.

A form can be built that selects an arbitrary file and submits it to

/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found on the newly posted weibo (strip the small_ and middle_ prefix).

After logging in to the official ThinkSNS weibo, build the following form:
- ^+ n; [2 e' x6 A
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the image URL.

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    // read the extension with pathinfo (everything after the last dot)
    $name = isset($_FILES['pic']['name']) ? $_FILES['pic']['name'] : '';
    $pathinfo = pathinfo($name);
    $ext = isset($pathinfo['extension']) ? $pathinfo['extension'] : '';
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    // upload only proceeds when the lower-cased extension is in the allowlist
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
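As an added example (not ThinkSNS code and not the patch above), a stricter server-side image check that layers content inspection on top of the extension allowlist the fix introduces, and builds the stored file name from the validated extension rather than the client-supplied name. The function names, the `$saveDir` argument and the `boolen`-style result array are assumptions chosen to mirror the page's conventions.

```php
<?php
// Added example, not ThinkSNS code. validateUploadedImage() returns
// array(true, $ext) on success or array(false, $reason) on rejection.
// saveUploadedImage() is a hypothetical replacement for the upload step
// in uploadpic(); $saveDir is assumed to be a writable directory.

function validateUploadedImage(array $file): array
{
    // allowed extension => MIME type the file contents must actually have
    $allowExts = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'png' => 'image/png',  'gif'  => 'image/gif');

    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'no file or upload error');
    }
    // Only accept a path that PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        return array(false, 'not an uploaded file');
    }
    // Extension check: allowlist, lower-cased, taken after the last dot.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowExts[$ext])) {
        return array(false, 'extension not allowed');
    }
    // Content check: the bytes must parse as an image of the claimed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $allowExts[$ext]) {
        return array(false, 'content does not match extension');
    }
    return array(true, $ext);
}

function saveUploadedImage(array $file, string $saveDir): array
{
    list($ok, $extOrReason) = validateUploadedImage($file);
    if (!$ok) {
        return array('boolen' => 0, 'message' => $extOrReason);
    }
    // Stored name uses only the validated extension and an unpredictable
    // token, so nothing from the original file name reaches the disk.
    $filename = bin2hex(random_bytes(16)) . '.' . $extOrReason;
    $target   = rtrim($saveDir, '/') . '/' . $filename;
    // move_uploaded_file() alone; copy() would also accept non-upload paths.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return array('boolen' => 0, 'message' => 'upload failed');
    }
    return array('boolen' => 1, 'type_data' => 'temp/' . $filename);
}
```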