微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
\api\StatusesApi.class.php
/**
 * Original (pre-fix) uploadpic(): stores the multipart field `pic` in the
 * temp upload directory and returns the result array the caller expects.
 *
 * NOTE(review): there is no server-side type check. The stored extension is
 * whatever follows the FIRST dot of the client-supplied file name, no
 * allow-list is applied, and the write is attempted with copy() first, which
 * (unlike move_uploaded_file()) does not verify that tmp_name came from an
 * HTTP upload. The target directory is exposed under /uploads/temp/, so any
 * extension that is saved becomes reachable by URL.
 *
 * @return array 'boolen' (1|0); 'type_data' and 'picurl' on success,
 *               'message' on failure
 */
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Extension = everything after the first '.' of the client name; md5(time()) repeats within one second.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // '@' hides copy()/move_uploaded_file() warnings; copy() runs first, so the upload check never applies.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic() 方法没有对文件类型进行验证。
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉 small_、middle_ 前缀)。
在登录 thinksns 官方微博后, 构建以下表单:
<!-- Reporter's reproduction form. The accept/reject decision for the `pic`
     field is made server-side in uploadpic(); a plain form like this shows
     why a browser-side check alone is not a control.
     Note: `<form ... />` is self-closed here; browsers ignore the slash, but it is not valid HTML. -->
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_)

修复方案:

\api\StatusesApi.class.php
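/**
 * 20121018 @yelo
 * 增加上传类型验证 (added upload type validation)
 *
 * Accepts the multipart field `pic`, checks that its extension is on the
 * allow-list AND that its bytes parse as an image of a matching type, then
 * stores it under a server-generated name in the temp upload directory.
 *
 * @return array 'boolen' (1|0); 'type_data' and 'picurl' on success,
 *               'message' on failure
 */
function uploadpic(){
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    // MIME types getimagesize() reports for the extensions above.
    $allowMimes = array('image/jpeg', 'image/png', 'image/gif');

    $result = array();
    $file = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : null;

    // Basic shape of the upload entry. The 'error' key is checked only when
    // present, in case the framework rebuilds $_FILES without it (TODO confirm).
    $uploadCondition = $file !== null
        && isset($file['name'], $file['tmp_name'])
        && (!isset($file['error']) || (int)$file['error'] === UPLOAD_ERR_OK);

    $ext = '';
    if ($uploadCondition) {
        // pathinfo() yields the LAST extension, which is the one a web server
        // uses to pick a handler. The old substr()/strpos() name kept everything
        // after the FIRST dot, so "x.php.jpg" passed the check yet was saved as
        // "<md5>.php.jpg"; the saved name below uses this validated $ext instead.
        $pathinfo = pathinfo($file['name']);
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        $uploadCondition = in_array($ext, $allowExts, true);
    }

    if ($uploadCondition) {
        // The extension is client-controlled; confirm the content is an image
        // of an allowed type before it lands in a web-served directory.
        $imageInfo = getimagesize($file['tmp_name']);
        $uploadCondition = $imageInfo !== false
            && isset($imageInfo['mime'])
            && in_array($imageInfo['mime'], $allowMimes, true);
    }

    if ($uploadCondition) {
        //执行上传操作
        $savePath = $this->_getSaveTempPath();
        // Server-generated name from the validated extension. uniqid() keeps two
        // uploads within the same second from overwriting each other, which
        // md5(time().'teste') allowed.
        $filename = md5(uniqid('teste', true)).'.'.$ext;
        $target = $savePath.'/'.$filename;
        // Prefer move_uploaded_file(), which refuses anything that is not a real
        // HTTP upload; copy() is kept as the fallback the original relied on.
        if (move_uploaded_file($file['tmp_name'], $target) || @copy($file['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}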