微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。

\api\StatusesApi.class.php
function uploadpic(){
    // Stores the uploaded form field 'pic' in the temp upload directory and returns
    // the API result array: on success array('boolen' => 1, 'type_data' => 'temp/<name>',
    // 'picurl' => SITE_PATH.'/uploads/temp/<name>'), on failure array('boolen' => 0,
    // 'message' => '上传失败'). The key is spelled 'boolen' in the API callers read.
    //
    // NOTE(review): the only server-side check is that $_FILES['pic'] is truthy.
    // Neither the extension nor the content of the file is inspected before it is
    // written to the path that 'picurl' below exposes as a URL.
    if( $_FILES['pic'] ){
        // perform the upload operation
        $savePath = $this->_getSaveTempPath();
        // Stored name: md5 of the current second plus a fixed salt, followed by
        // everything after the FIRST '.' of the client-supplied name. A name like
        // 'a.b.c' therefore keeps 'b.c' as its suffix, and two uploads within the
        // same second produce the same name.
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() is tried first; it accepts any path readable by the web server and
        // does not verify that tmp_name came from this HTTP upload. move_uploaded_file(),
        // which does verify that, only runs when copy() failed. '@' hides the warnings
        // of both calls, so a failing write leaves no trace in the logs.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证

可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost

在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)

在登录thinksns官方微博后,
构建以下表单:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )

修复方案:

\api\StatusesApi.class.php
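function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation.
     *
     * Takes the 'pic' entry of $_FILES, checks it against an extension
     * allow-list and moves it into the temp upload directory under a
     * generated name. Returns the API result array:
     *   success: array('boolen' => 1, 'type_data' => 'temp/<name>',
     *                  'picurl' => SITE_PATH.'/uploads/temp/<name>')
     *   failure: array('boolen' => 0, 'message' => '上传失败')
     * The key is spelled 'boolen' because existing callers read it that way.
     */
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $failure = array('boolen' => 0, 'message' => '上传失败');

    // No file field, a malformed one, or an upload PHP itself already rejected
    // (size limit, partial transfer, ...): fail without touching the filesystem.
    $pic = isset($_FILES['pic']) && is_array($_FILES['pic']) ? $_FILES['pic'] : null;
    if ($pic === null
        || !isset($pic['name'], $pic['tmp_name'])
        || !is_string($pic['name']) || !is_string($pic['tmp_name'])
        || (isset($pic['error']) && $pic['error'] !== UPLOAD_ERR_OK)) {
        return $failure;
    }

    // Extension after the LAST dot, lower-cased. This validated value - not a
    // substring of the raw client name - becomes the stored suffix, so a saved
    // file never carries more than one extension.
    $ext = strtolower((string) pathinfo($pic['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return $failure;
    }

    // Only a file that arrived through this HTTP request may be stored; copy()
    // on tmp_name would accept any path readable by the web server.
    if (!is_uploaded_file($pic['tmp_name'])) {
        return $failure;
    }

    $savePath = $this->_getSaveTempPath();
    // Per-request unique name instead of md5(time()): two uploads in the same
    // second must not overwrite each other, and the name is not derivable from
    // the clock alone.
    $filename = md5(uniqid((string) mt_rand(), true)) . '.' . $ext;
    $target = $savePath . '/' . $filename;

    // move_uploaded_file() re-checks the upload origin and reports failure
    // itself; no '@', so a permission problem is visible in the logs.
    if (!move_uploaded_file($pic['tmp_name'], $target)) {
        return $failure;
    }

    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => SITE_PATH . '/uploads/temp/' . $filename,
    );
}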
8 Z3 @, f: O( ~1 O$ G
- [2 ?. N4 h! j1 W0 _9 L t |