微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
\api\StatusesApi.class.php
/**
 * Stores the uploaded file from the multipart field "pic" in the temp upload directory.
 *
 * Original (pre-fix) version. Note what is NOT checked here:
 *  - nothing validates the file name, extension or content on the server side;
 *    any file type is accepted;
 *  - $_FILES['pic']['error'] is never inspected, only the truthiness of the entry;
 *  - the extension is taken from the FIRST dot in the client-supplied name, so a
 *    name containing two dots keeps both parts after it in the stored file name;
 *  - copy() is attempted before move_uploaded_file(), so the "this path really is
 *    an uploaded file" check that move_uploaded_file() performs is bypassed.
 *
 * @return array boolen=1 with type_data/picurl on success, boolen=0 with message on failure.
 */
function uploadpic(){
    // Only checks that the entry exists; no upload-error, size or type validation.
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Extension = everything after the first '.' of the user-supplied name (unvalidated).
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // copy() runs first and succeeds for any readable path; move_uploaded_file() is only the fallback.
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
在登录thinksns官方微博后,
构建以下表单:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )
修复方案:
\api\StatusesApi.class.php
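/**
 * Stores an uploaded image (multipart field "pic") in the temp upload directory.
 *
 * 20121018 @yelo: added upload type validation. Server-side checks, in order:
 *  - the upload must have completed without error (UPLOAD_ERR_OK) and the
 *    source path must really belong to this request (is_uploaded_file);
 *  - the extension, taken from the LAST dot via pathinfo(), must be in the
 *    allow-list, and the stored name carries only that one extension;
 *  - the bytes must decode as an image (getimagesize), so a non-image file
 *    renamed to an allowed extension is still rejected.
 *
 * @return array boolen=1 with type_data/picurl on success, boolen=0 with message on failure.
 */
function uploadpic(){
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // Guard the superglobal lookup: a missing field must not raise a notice.
    $file = isset($_FILES['pic']) ? $_FILES['pic'] : null;
    if (!$file || !isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK
        || !isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }

    // pathinfo() uses the last dot, so a name like "a.php.jpg" yields "jpg";
    // a name without any dot has no 'extension' key and is rejected below.
    $pathinfo = pathinfo($file['name']);
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    if (!in_array($ext, $allowExts, true)) {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }

    // Validate the content, not only the name. getimagesize() returns false for
    // non-image data; '@' only silences its read-error notice, the result is checked.
    if (@getimagesize($file['tmp_name']) === false) {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }

    $savePath = $this->_getSaveTempPath();
    // The stored name uses only the validated extension, never the user-supplied name.
    // NOTE(review): md5(time()) is predictable; kept for compatibility with existing URLs.
    $filename = md5(time().'teste').'.'.$ext;

    // move_uploaded_file() only: copy() would also accept a path that was never uploaded.
    if (move_uploaded_file($file['tmp_name'], $savePath.'/'.$filename)) {
        $result['boolen'] = 1;
        $result['type_data'] = 'temp/'.$filename;
        $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}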