When an image is uploaded to the microblog, the file is validated only on the front end; the server side performs no security filtering.

\api\StatusesApi.class.php
function uploadpic(){
    $result = array();
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // the stored extension is taken verbatim from the client-supplied name, with no check
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost
The address of the uploaded file can then be found on the newly posted microblog (strip the small_ or middle_ prefix).

After logging in to the official thinksns microblog,
construct the following form:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the image address.

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     */
    $result = array();
    $pathinfo = isset($_FILES['pic']['name']) ? pathinfo($_FILES['pic']['name']) : array();
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = !empty($_FILES['pic']) && in_array($ext, $allowExts, true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // store under the validated extension rather than everything after the first dot of the client name
        $filename = md5( time().'teste' ).'.'.$ext;
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
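As an added example (not ThinkSNS's own code), a hardened form of the uploadpic() handler that goes beyond the extension whitelist above: it accepts only a genuine upload of this request, sniffs the file content with finfo and getimagesize, and derives the stored name from the detected type rather than from the client-supplied name. uploadpicHardened, $saveDir and $siteUrl are assumed names, and random_bytes() needs PHP 7 or later.

```php
<?php
// Added example, not ThinkSNS code. $file is one $_FILES entry, $saveDir the
// temp directory, $siteUrl the site base URL (assumed parameters).
function uploadpicHardened(array $file, $saveDir, $siteUrl)
{
    $result = array('boolen' => 0);
    // Only accept a successful upload that PHP itself created for this request.
    if (!isset($file['tmp_name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        $result['message'] = '上传失败';
        return $result;
    }
    // Accepted MIME types as detected from content, mapped to the stored extension.
    $allowed = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    );
    // The client-supplied extension must still be on the whitelist (defence in depth).
    $clientExt = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($clientExt, array('jpg', 'jpeg', 'png', 'gif'), true)) {
        $result['message'] = '上传失败';
        return $result;
    }
    // Sniff the real content; both detectors must agree on an allowed image type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    $info  = @getimagesize($file['tmp_name']);
    if (!isset($allowed[$mime]) || $info === false || $info['mime'] !== $mime) {
        $result['message'] = '上传失败';
        return $result;
    }
    // The stored name contains no client-controlled byte; extension comes from the detected type.
    $filename = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($saveDir, '/') . '/' . $filename;
    // move_uploaded_file() only succeeds on a genuine upload; no copy() fallback.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        $result['message'] = '上传失败';
        return $result;
    }
    $result['boolen']    = 1;
    $result['type_data'] = 'temp/' . $filename;
    $result['picurl']    = rtrim($siteUrl, '/') . '/uploads/temp/' . $filename;
    return $result;
}
```

Called as uploadpicHardened($_FILES['pic'], $this->_getSaveTempPath(), SITE_PATH) it returns the same result array shape as the original handler.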