微博上传图片时只在前端对文件类型进行验证，服务器端没有做任何安全过滤，因此可以绕过前端直接上传任意类型的文件。
\api\StatusesApi.class.php
function uploadpic(){
    // Saves the file posted as $_FILES['pic'] into the temp upload directory and
    // returns an array: boolen=1 with type_data/picurl on success, boolen=0 with
    // message on failure.
    //
    // NOTE(review): this is the vulnerable version. Nothing about the file is
    // validated on the server: neither the extension nor the content, and the
    // upload error code is never consulted.
    $pic = $_FILES['pic'];
    if (!$pic) {
        return array('boolen' => 0, 'message' => '上传失败');
    }

    // Perform the upload.
    $destDir = $this->_getSaveTempPath();

    // NOTE(review): the stored extension is everything after the FIRST dot of
    // the client-supplied name, with no whitelist, so "x.php" is stored as
    // "<md5>.php" inside the web-served uploads directory.
    $clientName = $pic['name'];
    $storedName = md5(time() . 'teste') . '.' . substr($clientName, strpos($clientName, '.') + 1);
    $target = $destDir . '/' . $storedName;

    // NOTE(review): copy() is tried first, so the is_uploaded_file() guarantee
    // that move_uploaded_file() provides never applies; failures are silenced
    // with @.
    $saved = @copy($pic['tmp_name'], $target) || @move_uploaded_file($pic['tmp_name'], $target);
    if (!$saved) {
        return array('boolen' => 0, 'message' => '上传失败');
    }

    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $storedName,
        'picurl'    => SITE_PATH . '/uploads/temp/' . $storedName,
    );
}
uploadpic() 方法没有对文件类型进行任何验证：保存时的文件后缀直接取自客户端提交的文件名（substr 取第一个点之后的全部内容），因此任意文件都会原样落入 uploads/temp/ 目录并可通过返回的 picurl 直接访问。
可以构建表单，选择任意文件，提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传文件的地址（去掉 small_、middle_ 缩略图前缀即为上传的原始文件）。
在登录thinksns官方微博后,
构建以下表单：
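<!-- PoC form: posts a status with an arbitrary file in the "pic" field, bypassing the client-side type check.
     The original listing used a self-closing "<form ... />" opening tag, which is invalid markup; fixed here. -->
<form action="http://t.thinksns.com/index.php?app=w3g&amp;mod=Index&amp;act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>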
访问图片地址时去掉缩略图的前缀（small_）即可得到上传的原始文件。
修复方案（注意：后缀白名单只是第一步——保存文件名必须使用校验后的后缀，而不是客户端文件名中第一个点之后的全部内容，否则 shell.php.jpg 仍会被存为 <md5>.php.jpg；同时应只使用 move_uploaded_file() 而不是 copy()，并检查 $_FILES['pic']['error']）：
\api\StatusesApi.class.php
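function uploadpic(){
    /**
     * Store the image posted as $_FILES['pic'] under the temp upload directory.
     *
     * 20121018 @yelo: added upload type validation (extension whitelist).
     *
     * Review hardening on top of that fix:
     *  - The stored file name is built from the validated extension. The earlier
     *    derivation (substr after the FIRST dot of the client name) kept every
     *    trailing segment, so "shell.php.jpg" passed the whitelist yet was saved
     *    as "<md5>.php.jpg" — executable on servers that map any ".php" segment
     *    to the PHP handler.
     *  - Only move_uploaded_file() is used, after is_uploaded_file(); copy() on
     *    tmp_name does not verify that the source is a genuine upload.
     *  - $_FILES['pic']['error'] must be UPLOAD_ERR_OK and getimagesize() must
     *    recognise the content: a whitelisted extension alone says nothing about
     *    the bytes. A valid image can still carry embedded PHP, so the upload
     *    directory must additionally be configured not to execute scripts
     *    (web-server configuration, outside this method).
     *  - The name is derived from uniqid()+mt_rand() instead of md5(time()),
     *    so two uploads in the same second no longer overwrite each other.
     *
     * @return array 'boolen' => 1 with 'type_data' and 'picurl' on success,
     *               'boolen' => 0 with 'message' on failure.
     */
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $pic = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : array();
    $clientName = isset($pic['name']) ? (string) $pic['name'] : '';
    $tmpName = isset($pic['tmp_name']) ? (string) $pic['tmp_name'] : '';
    $errCode = isset($pic['error']) ? (int) $pic['error'] : UPLOAD_ERR_NO_FILE;

    // Whitelist the LAST extension only; it is also the one the file is stored under.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    // Every check runs before anything touches the filesystem or the save path.
    $accepted = $errCode === UPLOAD_ERR_OK
        && $tmpName !== ''
        && in_array($ext, $allowExts, true)
        && is_uploaded_file($tmpName)
        && getimagesize($tmpName) !== false;

    if (!$accepted) {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }

    $savePath = $this->_getSaveTempPath();
    // Random, collision-resistant name; the extension is the validated one, never the client's.
    $filename = md5(uniqid('', true) . mt_rand()) . '.' . $ext;
    $target = $savePath . '/' . $filename;

    if (move_uploaded_file($tmpName, $target)) {
        $result['boolen'] = 1;
        $result['type_data'] = 'temp/' . $filename;
        $result['picurl'] = SITE_PATH . '/uploads/temp/' . $filename;
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}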