微博上传图片时只在前端进行验证，服务器端没有进行安全过滤。
9 }* y2 h- J6 {8 B4 x7 K6 O
\api\StatusesApi.class.php
& o6 a0 `5 D1 Q3 ]2 i" {+ R
/**
 * Moves the uploaded "pic" field into the temporary upload directory.
 *
 * Reads $_FILES['pic'] directly. On success the returned array carries
 * boolen = 1, the path relative to the upload root ("temp/<name>") and the
 * public URL; on failure it carries boolen = 0 and a message.
 *
 * NOTE(review): nothing in this method checks the file's extension or
 * content — whatever follows the first dot of the client-supplied name is
 * reused as the stored extension, and the copy() fallback does not require
 * the source to be a PHP-managed upload.
 *
 * @return array
 */
function uploadpic(){
    $result = array();
    $upload = $_FILES['pic'];
    if ($upload) {
        $savePath = $this->_getSaveTempPath();
        $originalName = $upload['name'];
        // Everything after the first dot of the client name becomes the stored extension.
        $extension = substr($originalName, strpos($originalName, '.') + 1);
        $filename = md5(time() . 'teste') . '.' . $extension;
        $target = $savePath . '/' . $filename;
        // copy() is tried first; move_uploaded_file() only runs when copy() failed.
        $stored = @copy($upload['tmp_name'], $target) || @move_uploaded_file($upload['tmp_name'], $target);
        if ($stored) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/' . $filename;
            $result['picurl'] = SITE_PATH . '/uploads/temp/' . $filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic() 方法没有对文件类型进行验证
可以构建表单，选择任意文件，提交到
/index.php?app=w3g&mod=Index&act=doPost
* H" A! \ e2 A
在新提交的微博上可以找到上传的文件地址（去掉 small_、middle_ 前缀）
3 c: d { ]/ o
在登录 thinksns 官方微博后，
构建以下表单：
* @* ? Q! Q/ R! b* Y ^
: i% }9 u! j6 K1 q* Z<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
1 x: J$ W5 N- w8 a+ l<textarea name="content">test</textarea>6 f- U* a2 y: U( s7 G2 g- b0 R
file: <input id="file" type="file" name="pic" />
9 \" Y* j' O2 W4 j<input type="submit" value="Post" />
( ~! P% h' y+ W: B</form>
去掉缩略图的前缀（small_）
修复方案：
* b+ f( M2 q/ [/ o
J) d1 L1 {) P) K, L% ~
\api\StatusesApi.class.php
* C. f9 V9 V7 q/ W6 _* d" u& |" ` |+ R . }3 R" l+ C4 p" O- v( \9 X8 @
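/**
 * Stores the uploaded "pic" field in the temporary upload directory.
 *
 * 20121018 @yelo: added upload type validation.
 *
 * The file is accepted only when (1) the client-supplied extension is in the
 * whitelist and (2) getimagesize() recognises the content as GIF/JPEG/PNG.
 * The stored name is server-generated and ends in the whitelisted, lower-cased
 * extension only — the raw client name (e.g. "a.php.jpg") is never reused,
 * which the previous substr()-after-first-dot logic did even after the
 * extension check passed.
 *
 * @return array boolen = 1 plus type_data/picurl on success,
 *               boolen = 0 plus message on failure
 */
function uploadpic(){
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    // Image types getimagesize() must report for the content to be accepted.
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

    // isset() first: the old code indexed $_FILES['pic'] before checking it existed.
    $upload = isset($_FILES['pic']) && is_array($_FILES['pic']) ? $_FILES['pic'] : null;

    $ext = '';
    if ($upload !== null && isset($upload['name'])) {
        $pathinfo = pathinfo($upload['name']);
        // pathinfo() returns no 'extension' key when the name has no dot.
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    }

    $uploadCondition = $upload !== null
        && isset($upload['error'], $upload['tmp_name'])
        && $upload['error'] === UPLOAD_ERR_OK
        && in_array($ext, $allowExts, true)
        // Guarantees the copy() fallback below never reads a file PHP did not receive as an upload.
        && is_uploaded_file($upload['tmp_name']);

    if ($uploadCondition) {
        // Content check: the extension alone is client-controlled.
        $imageInfo = @getimagesize($upload['tmp_name']);
        $uploadCondition = $imageInfo !== false && in_array($imageInfo[2], $allowTypes, true);
    }

    if ($uploadCondition) {
        $savePath = $this->_getSaveTempPath();
        // uniqid() avoids the same-second collisions of md5(time()); only the
        // whitelisted $ext is appended, never the client's own name tail.
        $filename = md5(uniqid('', true)) . '.' . $ext;
        $target = $savePath . '/' . $filename;
        // Return values are checked, so warnings are suppressed instead of being echoed into the API response.
        if (@move_uploaded_file($upload['tmp_name'], $target) || @copy($upload['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/' . $filename;
            $result['picurl'] = SITE_PATH . '/uploads/temp/' . $filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}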
, H' U0 s. u6 H5 T6 {% {# L9 Q( n: f c* |4 [
! X5 B! b# A/ s3 ~4 x( N T% I0 ^ {/ H |