微博上传图片时只在前端进行验证，服务器端没有进行安全过滤。

\api\StatusesApi.class.php

function uploadpic(){
    // Vulnerable version (as shipped): stores the uploaded "pic" file in the
    // temp upload directory and returns a result array with
    //   boolen    1 on success, 0 on failure
    //   type_data 'temp/<filename>'            (success only)
    //   picurl    SITE_PATH.'/uploads/temp/<filename>' (success only)
    //   message   '上传失败'                    (failure only)
    // NOTE(review): nothing about the file is validated server-side before it is
    // written under the web-served uploads directory — no extension allow-list,
    // no check of $_FILES['pic']['error'], no check that tmp_name really is an
    // HTTP upload. The enclosing class is not visible here.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // The stored name is md5(time().'teste') plus EVERYTHING after the first
        // dot of the client-supplied name, so a multi-part suffix such as
        // ".php.jpg" (or any single extension, e.g. ".php") is preserved verbatim.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried first and, unlike move_uploaded_file(), does not verify
        // that the source was received via HTTP POST; both calls are @-silenced,
        // so a failed write is only reported through boolen = 0.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证。

可以构建表单，选择任意文件，提交到
/index.php?app=w3g&mod=Index&act=doPost

在新提交的微博上可以找到上传的文件地址（去掉small_、middle_前缀）。

在登录thinksns官方微博后，
构建以下表单：

. }4 e7 d" k6 m<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
6 N) ?0 M* T" F1 x<textarea name="content">test</textarea>( V. e9 y1 m3 }% D( }; R. G8 V
file: <input id="file" type="file" name="pic" />
! G7 a# t" x3 P* S; V<input type="submit" value="Post" />0 A" r- b/ p9 i0 W
</form>
去掉缩略图的前缀（small_）。

修复方案：

\api\StatusesApi.class.php

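function uploadpic(){
    /**
     * 20121018 @yelo
     * 增加上传类型验证 (added upload-type validation)
     *
     * Stores the uploaded "pic" file in the temp upload directory and returns
     * a result array:
     *   boolen    1 on success, 0 on failure
     *   type_data 'temp/<filename>'                   (success only)
     *   picurl    SITE_PATH.'/uploads/temp/<filename>' (success only)
     *   message   '上传失败'                           (failure only)
     *
     * Hardening over the first patch (interface and result shape unchanged):
     *  - $_FILES['pic'] and its error code are checked BEFORE the name is read,
     *    so a request without a file no longer touches undefined indexes.
     *  - The stored filename is built from the validated extension $ext only.
     *    The first patch validated pathinfo()['extension'] but then saved
     *    everything after the FIRST dot of the client name, so "x.php.jpg"
     *    passed the allow-list and was stored as "<md5>.php.jpg".
     *  - move_uploaded_file() is used alone: it verifies the source is an HTTP
     *    upload, which the previous copy() fallback did not. The @ suppression
     *    is kept from the original so response output does not change.
     * The enclosing class (and _getSaveTempPath()) is not visible here.
     */
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $pic = isset($_FILES['pic']) ? $_FILES['pic'] : null;
    $uploadCondition = $pic
        && isset($pic['name'], $pic['tmp_name'], $pic['error'])
        && (int)$pic['error'] === UPLOAD_ERR_OK;

    $ext = '';
    if ($uploadCondition) {
        $pathinfo = pathinfo($pic['name']);
        // A name without any extension yields '' and is rejected by the allow-list.
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        $uploadCondition = in_array($ext, $allowExts, true);
    }

    if ($uploadCondition) {
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Only the validated extension reaches the filesystem; no part of the
        // client-supplied name is reused.
        $filename = md5(time().'teste').'.'.$ext;
        $target = $savePath.'/'.$filename;
        if (@move_uploaded_file($pic['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}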
. S( S8 D9 P' C! y- X j4 ^3 ^' g5 ]; h; |+ d
/ N3 y/ f' [. g9 x" { |