微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
' c( q( J8 A: t1 F U) f, Y% c
7 s$ F1 G. h4 X# f: L
\api\StatusesApi.class.php
' P' J0 Y# e- G- c7 k
function uploadpic(){
    /**
     * Pre-fix version: stores the uploaded 'pic' file in the temporary upload
     * directory with no server-side validation of type or content.
     *
     * Returns an array: 'boolen' (1 on success, 0 on failure); on success
     * 'type_data' ('temp/<name>') and 'picurl' (SITE_PATH.'/uploads/temp/<name>');
     * on failure 'message'.
     */
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // The stored extension is everything after the FIRST dot of the
        // client-supplied name, copied verbatim with no allow-list check.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() runs first and does not require tmp_name to be a genuine PHP
        // upload; move_uploaded_file() is only reached when copy() fails.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证
% ~( J) J t9 W3 Q+ J% f+ r 7 J) v$ M' o. Q q) W! K, ^# \
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
) L. P) `. X3 d9 S& [: l
B. H4 w2 [/ H4 Y1 E: R$ r5 ]
在登录thinksns官方微博后,
构建以下表单:
. c& s; S# D3 r
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )
修复方案:
2 Z$ x4 q( P. ~4 G! J" a7 X
- L' h2 }+ y t8 ]! k7 g. x! D
\api\StatusesApi.class.php
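function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     *
     * Validates the uploaded 'pic' file and moves it into the temporary upload
     * directory returned by $this->_getSaveTempPath().
     *
     * Checks applied before anything touches the filesystem:
     *  - the entry exists and PHP reports UPLOAD_ERR_OK;
     *  - tmp_name is a genuine PHP upload (is_uploaded_file);
     *  - the extension after the LAST dot of the client name is on the allow-list;
     *  - the content parses as an image (getimagesize).
     * The stored name is server-generated and carries only the validated
     * extension, so no part of the client-supplied name reaches the path.
     *
     * Returns an array: 'boolen' (1 on success, 0 on failure); on success
     * 'type_data' ('temp/<name>') and 'picurl' (SITE_PATH.'/uploads/temp/<name>');
     * on failure 'message'.
     */
    $result = array();
    $file = isset($_FILES['pic']) ? $_FILES['pic'] : null;
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // Only a completed, genuine upload is considered at all.
    $uploadCondition = $file
        && isset($file['error']) && $file['error'] === UPLOAD_ERR_OK
        && isset($file['tmp_name']) && is_uploaded_file($file['tmp_name']);

    $ext = '';
    if ($uploadCondition) {
        // pathinfo() takes the extension after the LAST dot, so "x.php.jpg"
        // yields "jpg". The saved name below must reuse this validated $ext;
        // re-deriving it from the first dot would store "php.jpg" instead.
        $pathinfo = pathinfo($file['name']);
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        $uploadCondition = in_array($ext, $allowExts, true);
    }

    if ($uploadCondition) {
        // The extension is still client-chosen; also require the bytes to be
        // an image. getimagesize() warns on non-images, hence the suppression,
        // matching the file's existing style.
        $uploadCondition = @getimagesize($file['tmp_name']) !== false;
    }

    if ($uploadCondition) {
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // md5(time().'teste') would give two uploads in the same second the
        // same name (and overwrite each other); uniqid() keeps the 32-hex
        // format while making the name unique per call.
        $filename = md5(uniqid('teste', true)).'.'.$ext;
        $target = $savePath.'/'.$filename;
        // move_uploaded_file() only; copy() would accept any readable path,
        // not just the upload PHP created.
        if (@move_uploaded_file($file['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}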
4 M# K" t2 _$ u! x. D, @& \6 F2 ~. x# ?1 \1 E' d6 }
7 }+ D$ M* I8 Y/ s) J$ y. O7 V |