When an image is attached to a weibo (microblog post), the file type is validated only on the front end; the server side performs no security filtering at all.

\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload; note that nothing checks the file type here
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method does not validate the file type.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found on the newly posted weibo (strip the small_ or middle_ thumbnail prefix).

After logging in to the official ThinkSNS weibo, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the resulting URL.

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     */
    // Guard against a missing upload or a name without an extension, which would otherwise raise notices
    $name = isset($_FILES['pic']['name']) ? $_FILES['pic']['name'] : '';
    $pathinfo = pathinfo($name);
    $ext = isset($pathinfo['extension']) ? $pathinfo['extension'] : '';
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // Case-insensitive extension check against the allow-list (strict comparison)
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
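As an added example (not ThinkSNS's own code), a stricter server-side check for the same upload: it keeps the extension allow-list from the fix above, additionally confirms that the bytes really decode as an image of the matching type, and builds the stored filename from the validated extension rather than from whatever follows the first dot in the client-supplied name. The function name and the reliance on getimagesize() and openssl_random_pseudo_bytes() are assumptions of this example.

```php
<?php
// Added example, not ThinkSNS code. Returns the filename to store the upload under,
// or null when the file must be rejected. $file is one entry of $_FILES.
function validateUploadedImage(array $file, array $allowExts = array('jpg', 'jpeg', 'png', 'gif'))
{
    // 1. PHP must report a clean upload, and the temp file must be a genuine uploaded file
    //    (so only move_uploaded_file() is appropriate later, not copy()).
    if (!isset($file['tmp_name'], $file['error'], $file['name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 2. Extension check against the allow-list, case-insensitive and strict.
    $pathinfo = pathinfo($file['name']);
    $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    if (!in_array($ext, $allowExts, true)) {
        return null;
    }

    // 3. Content check: the header must decode as an image, and the detected type
    //    must agree with the claimed extension (jpg and jpeg both map to JPEG).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $typeForExt = array(
        'jpg'  => IMAGETYPE_JPEG,
        'jpeg' => IMAGETYPE_JPEG,
        'png'  => IMAGETYPE_PNG,
        'gif'  => IMAGETYPE_GIF,
    );
    if (!isset($typeForExt[$ext]) || $info[2] !== $typeForExt[$ext]) {
        return null;
    }

    // 4. Stored name = random token + the *validated* extension. md5(time()) as in the
    //    original collides within one second; a random token does not. (PHP 7+: random_bytes())
    $token = bin2hex(openssl_random_pseudo_bytes(16));
    return $token . '.' . $ext;
}

// Sketch of use inside uploadpic(): reject on null, otherwise move the temp file.
//   $filename = validateUploadedImage($_FILES['pic']);
//   if ($filename === null) { $result['boolen'] = 0; $result['message'] = '上传失败'; }
//   else { move_uploaded_file($_FILES['pic']['tmp_name'], $savePath . '/' . $filename); }
```

The upload directory should additionally be served without script execution, so that the filename check is not the only line of defence.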