微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。+ T& |; W* y9 l3 v0 U' H* Y
2 s* E( `5 i, L# \) o# m
7 }8 C; ~2 K' m5 X4 x3 D\api\StatusesApi.class.php
: l; P0 J2 K# M! E 5 C, l& A1 d y$ ?7 j
function uploadpic(){
& u. O9 E! T# d if( $_FILES['pic'] ){
4 M4 M9 o2 ^2 f" }1 L# W7 w2 r //执行上传操作
# X; E+ f! Z, Q5 p% k1 p0 e8 z' o $savePath = $this->_getSaveTempPath();+ @3 ^. r( Z' c
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);- y/ r4 x7 A1 c0 H
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
/ {& Z# V3 A( l" x/ S {
( H; M8 y& q: W5 y $result['boolen'] = 1;1 q/ p n L7 n. n) t
$result['type_data'] = 'temp/'.$filename;
4 v0 g+ G9 _1 H/ P+ Z $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
% e' V# _, |2 j% x } else {
+ R2 `# @! ?# Y& h6 Z $result['boolen'] = 0;
1 h. _* M% u4 L% x' _! [) |9 C2 b $result['message'] = '上传失败';) o8 w8 [1 M, K
}: p6 u9 n- L; Q* d5 k
}else{
5 D7 d* I/ M) m9 o" p! L $result['boolen'] = 0;
; V7 r! ~3 c# r" ]1 t" A6 L6 n $result['message'] = '上传失败';5 K9 c0 D& U7 P2 N! y( `' K" w2 i
}/ W: ]* Q# t; @/ D$ m. a+ l
return $result;7 r+ a1 D+ Y5 j" a1 O+ _
}
+ j( R( n4 j3 e. M4 tunloadpic()方法没有对文件类型进行验证4 P) N4 ~- ^/ q6 |, v( E; j
1 Q- s1 t) Y* C# M) P. L9 K可以构建表单, 选择任意文件, 提交到
4 k" R( a3 z% T) }. d/index.php?app=w3g&mod=Index&act=doPost* m; N+ |0 A3 j0 S: z; u3 W
& _7 Y7 R$ g$ i8 ~$ S在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)2 ^. n& }; j/ z4 F6 Y" o
' W/ b: @+ c/ F9 @: W' n
+ ~1 g) ~7 P0 l/ e/ _8 }在登录thinksns官方微博后,, S4 E* K5 Y$ F& C( e }/ b# |# i
构建以下表单:
- A& p/ O+ p. `! u+ G7 D/ d 5 ` e( ^4 I4 H) F* y0 W: v
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
: n( p1 S' h) n4 f9 S6 z' h* n; V* i<textarea name="content">test</textarea>5 q9 P" A" ^1 C. @4 b
file: <input id="file" type="file" name="pic" /># ^4 ]* a( `. m! O. m) \
<input type="submit" value="Post" />
' ]# W$ `5 z2 g5 t) w' l5 ~/ O" C8 j</form>/ H% N$ `# h& f* l9 k; k0 S! w
去掉缩略图的前缀(small_ )$ h% E4 P" X5 D! `" I+ K
修复方案:9 L3 C9 E6 T% y' x
, A- f; l3 ]' u' R. n. h2 i% _
4 b( U9 y) Q" X% c1 [8 }, Z
\api\StatusesApi.class.php% ?1 I- @* [7 h5 n& M4 p- c! d
3 R6 O0 E b( b! ofunction uploadpic(){" s0 X* H. @& W2 T' u0 m. e' n
/**
( ?% h5 N- d. G * 20121018 @yelo7 D+ F- q3 b- g" O$ g- u) w( [5 d
* 增加上传类型验证$ g* p4 k$ ^% D) J
*/2 f( [. L. S4 X' O. f6 ?& _
$pathinfo = pathinfo($_FILES['pic']['name']);/ Q, B% q9 m; T: d& n# `! I9 s
$ext = $pathinfo['extension'];
/ s9 D3 }& n0 j# X) u) m! f; @3 ^5 W $allowExts = array('jpg', 'png', 'gif', 'jpeg');7 a, M, C, t( ?1 F" k. r# I4 X
: B# I7 o' O _) z $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);# w0 V2 s: G. s2 q* Y" `! d
3 R+ Y8 V7 W @# ~6 d
if( $uploadCondition ){
/ g `6 g' J) d' x% z1 J //执行上传操作% A* F" @3 i. @: h. l
$savePath = $this->_getSaveTempPath();
% M* A2 O; E- t# e# B $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);& O8 ~4 Z, `3 s* t9 k
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))5 R* i2 t5 i ^! x; Z# \/ Q
{
# ?/ ]/ i! K$ J* k7 N9 k7 e l) Y $result['boolen'] = 1;
, l: Y {1 D3 _$ Z- _$ V $result['type_data'] = 'temp/'.$filename;
( R3 B) J& R. M# \ $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;! t/ @3 u4 _6 Z' R
} else {
( S+ u# z' b# X' y3 G1 h( S4 W: Q $result['boolen'] = 0;; f4 H0 k- m* y5 b
$result['message'] = '上传失败';5 ^2 [0 N+ l) o1 D
}
4 g0 q M* l4 Z/ P! j }else{. A7 h$ x# z; O5 R! b% o: R
$result['boolen'] = 0;
- f2 m2 m( b; d, O7 V $result['message'] = '上传失败';
' {1 R4 d0 u# J7 ]: h7 z }# _) C4 K1 k# | {; X9 Z6 s+ l C
return $result;
1 a% x& J) R r0 x. S }6 t6 _( M4 l5 S. M- j6 D9 i
% d) p! l- z# H$ X( S9 Q
I. h1 D5 U9 O. h
|
发表于 2012-12-4 11:12:30
收藏
支持
反对