When an image is uploaded to a microblog post, validation happens only in the front end; the server side performs no security filtering.
\api\StatusesApi.class.php

function uploadpic(){
    $result = array();
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // the stored extension is whatever follows the first '.' in the user-supplied name
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败'; // "upload failed"
    }
    return $result;
}
The uploadpic() method performs no validation of the file type.
A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted microblog entry (strip the small_ / middle_ prefix).
After logging in to the official ThinkSNS microblog,
build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the resulting address.
Fix:
\api\StatusesApi.class.php

function uploadpic(){
    /**
     * 20121018 @yelo
     * added upload type validation
     */
    $result = array();
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败'; // "upload failed"
    }
    return $result;
}
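The fix above only whitelists the extension reported by pathinfo() (the part after the last dot), while the stored $filename still keeps everything after the first dot of the user-supplied name, and @copy() accepts any readable path, not just the uploaded temp file. The following is an added example, not ThinkSNS code, of a stricter server-side check for the uploadpic() path shown in both the vulnerable and the fixed listings: it verifies the temp file really came from the request, whitelists the extension, checks that the content parses as an image, and derives the stored extension from the detected image type rather than from the user's filename. The function names validate_image_upload() and store_image_upload(), the 2 MiB limit and the use of random_bytes() (PHP 7+) are this example's assumptions.

```php
<?php
// Added example (not ThinkSNS code). Names and limits are assumptions.

const MAX_UPLOAD_BYTES = 2097152; // assumed 2 MiB limit

/**
 * Validate one $_FILES entry and return the extension the stored file
 * should get, or null if the upload must be rejected.
 *
 * Order of checks:
 *  1. the upload succeeded and the temp file came from this HTTP request
 *     (is_uploaded_file), so a plain copy() of some other path is not possible;
 *  2. the user-supplied name ends in a whitelisted extension; pathinfo()
 *     uses the LAST dot, so "a.php.jpg" still reports "jpg" here;
 *  3. the content parses as an allowed image type, and the storage
 *     extension is taken from that detected type, never from the name.
 */
function validate_image_upload(array $file)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_UPLOAD_BYTES) {
        return null;
    }

    $pathinfo = pathinfo($file['name']);
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    $allowExts = array('jpg', 'jpeg', 'png', 'gif');
    if (!in_array($ext, $allowExts, true)) {
        return null;
    }

    // Content check: a renamed script does not parse as an image.
    // getimagesize() returns the IMAGETYPE_* constant at index 2.
    $allowedTypes = array(
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    );
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowedTypes[$info[2]])) {
        return null;
    }

    // "x.php.jpg" can only ever be stored as "<random>.jpg".
    return $allowedTypes[$info[2]];
}

/**
 * Store a validated upload under a random name that contains no part of
 * the user-supplied filename. Returns the stored basename, or null.
 */
function store_image_upload(array $file, $savePath)
{
    $ext = validate_image_upload($file);
    if ($ext === null) {
        return null;
    }
    // md5(time().'teste') is predictable; random_bytes() is not.
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($savePath, '/') . '/' . $filename;
    // move_uploaded_file() only accepts a genuine uploaded temp file.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $filename;
}

// Intended call from uploadpic(), with the same $_FILES key and save path
// the ThinkSNS code uses:
//   $filename = store_image_upload($_FILES['pic'], $this->_getSaveTempPath());
//   if ($filename === null) { /* report '上传失败' as before */ }
```

The content check does not stop a file that is a valid image and also carries a script payload, so the stored name being limited to jpg/png/gif and the uploads directory being configured not to execute scripts are the controls that actually matter; the whitelist and getimagesize() mostly reduce what reaches that point.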