微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
\api\StatusesApi.class.php
: u7 k4 [" N% O6 i7 d 8 @ s z& p, e/ p
function uploadpic(){
    // Vulnerable version as reported: whatever the client posts under $_FILES['pic'] is
    // stored with no server-side type check; the only validation lived in the front end.
    // Note: reading $_FILES['pic'] without isset() emits a notice when no file field is posted.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // The stored extension is copied verbatim from the client-supplied name
        // (everything after the FIRST dot), so the uploader chooses the extension.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() does not verify that the source is a genuine upload, and @ hides the failure reason.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            // The returned URL points at the stored file under /uploads/temp/.
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic() 方法没有对文件类型进行验证

可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉 small_、middle_ 前缀)

在登录 thinksns 官方微博后,
构建以下表单:
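<!-- Reproduction form from the report: posts a status with an attached file to the w3g doPost action.
     The original markup self-closed the <form> tag ("/>"), which is invalid HTML; the tag is opened here
     and closed by the </form> below. -->
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
    <textarea name="content">test</textarea>
    <label for="file">file:</label>
    <input id="file" type="file" name="pic" />
    <input type="submit" value="Post" />
</form>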
去掉缩略图的前缀(small_ )
修复方案:

\api\StatusesApi.class.php
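function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation.
     *
     * Stores the file posted as $_FILES['pic'] in the temp upload directory
     * ($this->_getSaveTempPath()) and returns an array describing the outcome:
     *   'boolen'    => 1 on success, 0 on failure
     *   'type_data' => 'temp/<stored name>'                        (success only)
     *   'picurl'    => SITE_PATH.'/uploads/temp/<stored name>'     (success only)
     *   'message'   => '上传失败'                                   (failure only)
     *
     * A file is accepted only if all of the following hold: PHP reports a completed
     * transfer (error == UPLOAD_ERR_OK) and tmp_name is a genuine upload; the extension
     * taken from the LAST dot of the client name is whitelisted; and getimagesize()
     * recognises the content as GIF, JPEG or PNG.
     */
    $failure = array('boolen' => 0, 'message' => '上传失败');

    // No file field, incomplete array, transfer error, or a tmp_name that is not an
    // upload: nothing to store. isset() avoids the notice on a missing field.
    if (!isset($_FILES['pic']) || !is_array($_FILES['pic'])
        || !isset($_FILES['pic']['error'], $_FILES['pic']['tmp_name'], $_FILES['pic']['name'])
        || $_FILES['pic']['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($_FILES['pic']['tmp_name'])) {
        return $failure;
    }

    // Whitelist on the real extension. pathinfo() splits at the last dot, so a name such as
    // "x.php.jpg" yields "jpg" both for the check AND for the stored name. The earlier code
    // re-derived the stored extension from the FIRST dot, which kept "php.jpg" on disk.
    $ext = strtolower((string) pathinfo($_FILES['pic']['name'], PATHINFO_EXTENSION));
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    if ($ext === '' || !in_array($ext, $allowExts, true)) {
        return $failure;
    }

    // The extension is client-controlled; also require the bytes to parse as an image.
    // @ only silences the notice getimagesize() raises on malformed input; the boolean
    // result is all that is needed here.
    $imageInfo = @getimagesize($_FILES['pic']['tmp_name']);
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);
    if ($imageInfo === false || !in_array($imageInfo[2], $allowTypes, true)) {
        return $failure;
    }

    // Collision-resistant stored name; the previous md5(time().'teste') scheme produced
    // the same name for two uploads within the same second.
    $filename = md5(uniqid('pic', true)) . '.' . $ext;
    $savePath = $this->_getSaveTempPath();
    $target = $savePath . '/' . $filename;

    // move_uploaded_file() only accepts genuine uploads; the former copy() fallback had
    // no such guarantee and its failure was hidden by @.
    if (!move_uploaded_file($_FILES['pic']['tmp_name'], $target)) {
        return $failure;
    }

    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => SITE_PATH . '/uploads/temp/' . $filename,
    );
}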
* [0 n# f0 |' V( Y
: F- V' k, h- z1 R |