微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。' v4 F5 h" t& @- w
8 R6 Q, |1 [8 c9 K. p$ }* I
2 j4 G& i2 U: c
\api\StatusesApi.class.php3 E9 k# o# ~9 u/ X
$ O( S; v6 g8 U- ?
function uploadpic(){
1 g) }9 u6 i2 ~ if( $_FILES['pic'] ){
% t( |4 B* B8 ?6 s0 n7 W //执行上传操作5 }0 R, s4 S$ g+ {
$savePath = $this->_getSaveTempPath();# ~2 W; W! b9 S: k% q, C2 N
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
% [+ V3 n4 `0 t" N4 v1 P& g if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))" v- p) i* k8 R
{9 J- G5 k9 _! D) L+ q
$result['boolen'] = 1;5 U; `* m p! @2 I$ |
$result['type_data'] = 'temp/'.$filename;
. x$ V+ O/ e) J B1 x $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;" j. b; I& q; j7 a( X# _
} else {
3 M! ?9 v3 n/ f, a# ^8 ~0 c& y( j $result['boolen'] = 0;
_: T: ^. x+ U' K; U3 Y& N $result['message'] = '上传失败';) A4 U" j j% i4 B2 I9 T$ [- i
}8 S3 a( `2 Q0 G3 ^) f
}else{
O3 {% M3 k/ D3 k9 f( ~ $result['boolen'] = 0;9 y) ?( u2 k& m% t+ @" h4 L9 N& L
$result['message'] = '上传失败';' |7 N* K( J. i. ?" c3 {% g! U. R
}! a* y/ n. |3 m3 x
return $result; z4 p$ K* F- P! _. T! `" {
}
; z2 v- \- J+ u7 cunloadpic()方法没有对文件类型进行验证
. i: X0 m0 k- j7 Q 8 F! x. E" `% d3 [6 f- B4 y+ C; o
可以构建表单, 选择任意文件, 提交到
' O- J" y% `% _/ q! L/index.php?app=w3g&mod=Index&act=doPost: U7 a' y2 ]* p
: g/ M% x) L! E: z4 l( z
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)% j+ s. ~' |/ @+ s
% ~0 W7 U* v" B0 X
# k+ q7 ?% z" H" J* b* ^ z在登录thinksns官方微博后,
1 N. I. o; T. b构建以下表单:% h& o) F0 e) L/ Q; e' `
7 r4 g {! O6 c0 N' i
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
( ^4 O. w4 O5 b% z; z5 I# ^- k0 i<textarea name="content">test</textarea>. z$ ^; e7 @; U. q
file: <input id="file" type="file" name="pic" />9 t; N! ^, I! U( ]: \4 S" ^( V
<input type="submit" value="Post" />
6 H% X# l% ?" ]6 k, U</form>5 p7 z7 U2 V; y
去掉缩略图的前缀(small_ )
2 `+ b! J9 N8 y. y7 @8 B修复方案:! o5 A1 X, V/ A0 Z6 P1 U1 N
3 m& R9 X. U( y# m9 w1 t* E+ _$ v
" T( S& i5 Y- m9 v
\api\StatusesApi.class.php
E" j9 d& _1 Z6 k% F
; ]) A7 G) w/ Nfunction uploadpic(){( u( F$ n( X- K2 K" j
/**1 G, ]" P- g0 k' k/ e9 A' B- t
* 20121018 @yelo
( \) O8 ^) B2 k7 n7 i& ] * 增加上传类型验证
9 o: D* v8 ], \: q& C/ w$ l( @. C */
0 K. h( W I4 p* r. a. `6 Q% \ $pathinfo = pathinfo($_FILES['pic']['name']);* ^, i: M' Z- `8 U
$ext = $pathinfo['extension'];9 g1 D# Z$ W2 i: j9 ` {
$allowExts = array('jpg', 'png', 'gif', 'jpeg');& q* F4 B4 q8 l+ \/ Y
: T+ I' Q4 C6 r8 R( d, k $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
$ m! E5 H* Z3 w# A- ] 1 a8 v3 t6 e( p9 M) T( w& y
if( $uploadCondition ){
2 _8 u6 q4 L1 R3 t h, [ //执行上传操作9 J, w0 Y% A0 o% x/ a2 K
$savePath = $this->_getSaveTempPath();
+ A4 ?8 {. e1 Q1 w; l $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
0 F! J; x4 o5 g" C1 n, N if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
& ?$ Y6 Z7 M4 O; ^" T2 m {
: C' d) _/ J9 f7 v* R $result['boolen'] = 1;
, j: H; d+ \5 H2 v8 } $result['type_data'] = 'temp/'.$filename; I& d7 r g- ^
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
* x- S; F9 |6 I+ m* m7 P3 D; M, i8 O' ~ } else {( Q0 |4 R" ^/ j# X
$result['boolen'] = 0;. }. }+ n. L" i' O
$result['message'] = '上传失败';% m+ }5 ~* `. M, s
}
# @3 _ W0 P. L8 S3 W# Y/ ?7 Y }else{8 K: \7 \4 y J; ~; z
$result['boolen'] = 0;( S/ ~3 B7 s% B, G
$result['message'] = '上传失败';0 F5 _: h: Y' z& j6 W
}
! K- j) K3 x9 Xreturn $result;5 Y9 J* V/ i4 a' R6 f* `$ _0 L* O
}
X8 r7 H# S% [) B3 g
; `, E W7 G% n) A
+ Z- w8 p" X( ?, y1 n5 D5 f/ d9 Y |
发表于 2012-12-4 11:12:30
收藏
支持
反对