When uploading an image to a weibo post, validation is performed only on the front end; the server side does no security filtering.

\api\StatusesApi.class.php

function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // note: the stored extension is everything after the FIRST dot of the client-supplied name
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败'; // "upload failed"
    }
    return $result;
}
The uploadpic() method does not validate the file type at all.

One can build a form, select an arbitrary file, and submit it to
/index.php?app=w3g&mod=Index&act=doPost

On the newly posted weibo the URL of the uploaded file can be found (strip the small_ / middle_ prefix).

After logging in to the official ThinkSNS weibo, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the returned image URL.

Fix:

\api\StatusesApi.class.php

function uploadpic(){
    /**
     * 20121018 @yelo
     * add upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    // only proceed when a file was sent AND its (last) extension is whitelisted
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败'; // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败'; // "upload failed"
    }
    return $result;
}
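The fix above checks the extension only. The following is an added example, not ThinkSNS code, of a stricter server-side check that a practitioner would want here: it rejects uploads whose PHP error code is not UPLOAD_ERR_OK, accepts only a real request upload (is_uploaded_file), whitelists the extension from the last dot, verifies the file body with finfo and getimagesize, and builds the stored name from server-side randomness plus the whitelisted extension. The function name validateAndStorePic, its $savePath parameter (standing in for what _getSaveTempPath() returns) and the use of random_bytes (PHP 7+) are assumptions of this example; the 'pic' field name, the result keys and SITE_PATH come from the page.

```php
<?php
// Added example (not the project's code): stricter server-side validation
// of the uploaded picture. Assumes the form field is still named 'pic'
// and that the caller passes the temp directory to save into.
function validateAndStorePic(array $file, string $savePath): array
{
    // Whitelist: accepted extension => MIME type the file BODY must have.
    $allowed = array(
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    );
    $fail = array('boolen' => 0, 'message' => '上传失败'); // "upload failed"

    // 1. PHP's own upload status must be clean (no partial/missing file).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return $fail;
    }
    // 2. Only a file that arrived through this HTTP request is acceptable;
    //    copy() in the original would also accept any readable path.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return $fail;
    }
    // 3. Extension from the LAST dot (pathinfo), lower-cased, whitelisted.
    $ext = strtolower((string) pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return $fail;
    }
    // 4. Sniff the MIME type from the file content, never from the
    //    client-supplied $file['type'], and require it to match the extension.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        return $fail;
    }
    // 5. getimagesize() as a second opinion: it returns false for non-image data.
    if (@getimagesize($file['tmp_name']) === false) {
        return $fail;
    }
    // 6. Stored name = server-generated random hex + the extension that was
    //    actually checked; nothing from the client's filename is reused.
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    $target   = rtrim($savePath, '/') . '/' . $filename;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return $fail;
    }
    $sitePath = defined('SITE_PATH') ? SITE_PATH : '';
    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => $sitePath . '/uploads/temp/' . $filename,
    );
}

// Usage inside the API class would be:
//   $result = validateAndStorePic($_FILES['pic'], $this->_getSaveTempPath());
```

The design choice worth noting: the extension that is written to disk is the same $ext that passed the whitelist, rather than being re-derived from the client filename as the original code does with substr() after the first dot, so the name the web server sees is exactly the one that was validated. Content sniffing is a second, independent gate because an extension whitelist alone says nothing about what the bytes are.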