微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
7 P: N+ h3 z8 X2 {6 E$ T' c( j( L0 i
# t$ N8 P5 c, k+ n. @8 U
\api\StatusesApi.class.php1 A) i- [3 K9 |/ c t
7 B2 M# l: K H4 t1 Efunction uploadpic(){" j2 M! e V" ~: D& a4 m4 W2 G
if( $_FILES['pic'] ){
0 l3 ^2 d$ D8 ?/ D: s //执行上传操作
9 h, B% M! v- i. C/ Z2 a4 h3 z4 Q% a $savePath = $this->_getSaveTempPath();7 N5 A' v, _2 g% s
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
# a+ W4 {7 }. M if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
4 u9 ^. Z+ Z0 o+ M {; s9 V+ t) j; |
$result['boolen'] = 1;
! L& c8 x. R- U" X) @ $result['type_data'] = 'temp/'.$filename;
8 E @5 _8 X; ?& B $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
' [% B9 @- n3 z) f4 S. o' D } else {
) Z: g! L# \' l: w $result['boolen'] = 0;
0 F, x) I" B" v8 e, w9 L $result['message'] = '上传失败';0 I( o3 Y6 z3 x i5 S
}
& @* ^+ D/ D& m% }+ Z }else{
) Y7 R7 I) j+ W+ x V: X$ U- | $result['boolen'] = 0;& B: L: o& s# f* |, M" K
$result['message'] = '上传失败';
8 D7 k# v& P9 X }3 R* ^, j( e$ n+ f6 [
return $result;1 g4 Z8 F2 q# p' j% j% X+ ~
}6 `, }/ O$ Z4 R6 K$ U" B' ^( [, H
unloadpic()方法没有对文件类型进行验证1 N3 I. l' k) m/ R4 H# j
6 }, l4 o) |8 q+ M# R d3 n5 k可以构建表单, 选择任意文件, 提交到3 v5 R8 L' a; w
/index.php?app=w3g&mod=Index&act=doPost: a$ G) s2 ]1 \# k, R, A$ {' `
& G3 }/ e" _9 L. x1 |) O7 n% S' k9 j在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)9 W9 ^- y% k$ k+ i8 J# T" Y5 D
1 K; r W6 z$ f* e1 U: g
* s' z8 G7 X; v
在登录thinksns官方微博后, f" x5 E2 F4 D! K% w ]6 M/ S
构建以下表单:
6 e' c0 ^3 x2 J3 j, R
Z2 o* l/ A- \# c<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
1 r% \4 u/ l* c. o9 ?' Y% ]9 b<textarea name="content">test</textarea>, q2 s! d9 r5 M2 \8 c
file: <input id="file" type="file" name="pic" />& G6 b9 x. Z/ m9 g& W
<input type="submit" value="Post" />. Y" v" w! D5 m/ `
</form>$ W" v F) S! k6 R+ r2 b, L
去掉缩略图的前缀(small_ )* G+ i( h3 {; ?/ S
修复方案:! n- o, k$ Q( i) }) r3 c
: w2 Z, d+ c, b" D
# ^8 ]; ?1 x# [2 h! Y\api\StatusesApi.class.php
' a. Q% L! w1 e! q9 t* _4 a7 r , P7 ?( \# g5 Y8 x; [2 q" M# u2 H
function uploadpic(){) J0 I4 @2 s" |$ G n! p j* c. Z% |
/**3 w4 v6 \( a7 I1 |* x$ h1 [& L
* 20121018 @yelo
5 l: X3 s( z4 K1 i& G( } * 增加上传类型验证8 e) V' e' \9 c% c" `3 k2 W
*/) X0 R5 k4 J _1 y) [
$pathinfo = pathinfo($_FILES['pic']['name']);$ v+ h6 L: @* g" F; n
$ext = $pathinfo['extension'];
4 S! P. t) y0 \8 _/ S' O& Z $allowExts = array('jpg', 'png', 'gif', 'jpeg');
# ?0 Z2 F" C2 e0 G& T # C5 B; v) g- u+ }' L
$uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
. p; ^7 X9 H% x0 d1 Q- {% Q
7 C" @4 k# k2 `# ] if( $uploadCondition ){" O4 D. T& p$ j# K( n. `
//执行上传操作
2 H0 x$ L! @, b* ?9 [ $savePath = $this->_getSaveTempPath();0 P/ H! K" x; z4 _: j% {5 X1 ]" a
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
* N# R' e5 u/ r if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
/ g% S8 W; L0 E' A: s- H( V {
8 G& `! _& p. _. D$ Y- r6 I1 F $result['boolen'] = 1;1 t4 I* V+ ~& r4 m; d1 W
$result['type_data'] = 'temp/'.$filename;
6 Q% l9 ]4 t) H $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;% ^& r1 \2 Y) c
} else {
$ a, R# B9 ~. Z; g $result['boolen'] = 0;
b% i7 ?) \' C $result['message'] = '上传失败';6 h4 k9 M8 N- \' t
}# `( z5 n9 P: b+ K x& i
}else{
; }& U* z3 T! d3 T& M $result['boolen'] = 0;
K3 a5 i/ {% b6 Z2 g $result['message'] = '上传失败';
' t' z* ]- q' J: e3 d+ i }
6 D! F6 [( O; N& \/ u- Xreturn $result;
) G& ~6 D" ^, q( j$ Z }
, v$ t- I5 H7 v5 w/ v5 [
5 E# ~! W" c4 w
( S! ^* f% q( s5 c5 e2 h% q. {0 l7 s |
发表于 2012-12-4 11:12:30
收藏
支持
反对