When an image is uploaded with a microblog post, validation happens only on the front end; the server side performs no security filtering.

\api\StatusesApi.class.php

    function uploadpic(){
        if( $_FILES['pic'] ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
        return $result;
    }
The uploadpic() method does not validate the file type.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can be found on the newly posted microblog entry (strip the small_ / middle_ prefix).

After logging in to the official ThinkSNS microblog,
build the following form:

    <form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
    <textarea name="content">test</textarea>
    file: <input id="file" type="file" name="pic" />
    <input type="submit" value="Post" />
    </form>
Strip the thumbnail prefix (small_).

Fix:

\api\StatusesApi.class.php

    function uploadpic(){
        /**
         * 20121018 @yelo
         * Added upload type validation
         */
        $pathinfo = pathinfo($_FILES['pic']['name']);
        $ext = $pathinfo['extension'];
        $allowExts = array('jpg', 'png', 'gif', 'jpeg');

        $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
        if( $uploadCondition ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
        return $result;
    }
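The patch above only compares the extension reported by pathinfo() against a whitelist. Two things visible in the patched code are still worth tightening: the stored filename is built from everything after the first dot of the user-supplied name rather than from the validated extension, and copy() is still attempted before move_uploaded_file(), so the handler does not insist that the source really came from a multipart upload. The following is an added example, not ThinkSNS code, showing a hardened variant that keeps the same result array shape; the function name saveUploadedImage, the $saveDir parameter and the constructed $_FILES entry are assumptions for illustration, and SITE_PATH is assumed to be defined by the caller as it is in the original.

```php
<?php
// Added example (not ThinkSNS code): hardened image upload handler.
// Assumes $saveDir exists and is served without script execution, and that
// SITE_PATH is defined by the surrounding application.

function saveUploadedImage(array $file, string $saveDir): array
{
    $result = ['boolen' => 0];

    // 1. Trust PHP's own upload bookkeeping: anything but UPLOAD_ERR_OK is a failure.
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        $result['message'] = '上传失败';
        return $result;
    }

    // 2. Only accept a file that arrived through this request's multipart body.
    //    copy() would happily read any path the web server user can open.
    if (!is_uploaded_file($file['tmp_name'])) {
        $result['message'] = '上传失败';
        return $result;
    }

    // 3. Check the declared extension against the whitelist (case-insensitive).
    $allowExts = ['jpg', 'jpeg', 'png', 'gif'];
    $declaredExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($declaredExt, $allowExts, true)) {
        $result['message'] = '上传失败';
        return $result;
    }

    // 4. Check the content, not just the name: getimagesize() parses the image
    //    header, so a non-image renamed with an image extension is rejected.
    $typeToExt = [
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
        IMAGETYPE_GIF  => 'gif',
    ];
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($typeToExt[$info[2]])) {
        $result['message'] = '上传失败';
        return $result;
    }

    // 5. Derive the stored name from the detected type and a random token, never
    //    from the user-supplied name, so no part of the original name (including
    //    any extra dotted segments) reaches the filesystem.
    $filename = bin2hex(random_bytes(16)) . '.' . $typeToExt[$info[2]];
    $dest = rtrim($saveDir, '/') . '/' . $filename;

    // 6. move_uploaded_file() refuses non-upload sources; no copy() fallback.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        $result['message'] = '上传失败';
        return $result;
    }
    chmod($dest, 0644); // readable, never executable

    $result['boolen']    = 1;
    $result['type_data'] = 'temp/' . $filename;
    $result['picurl']    = SITE_PATH . '/uploads/temp/' . $filename;
    return $result;
}

// Usage inside the controller (assumed call site):
if (isset($_FILES['pic'])) {
    $result = saveUploadedImage($_FILES['pic'], $this->_getSaveTempPath());
}
```

The ordering matters: is_uploaded_file() and the error code are checked before anything reads the file, the name-based whitelist and the content-based check both have to pass, and the name written to disk is computed from the detected image type rather than from any attacker-controlled string.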