微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。

\api\StatusesApi.class.php

/**
 * Original (vulnerable) version of the avatar/status picture upload.
 *
 * Stores whatever was posted as the `pic` upload field into the temp upload
 * directory and returns a status array: 'boolen' (1/0), plus 'type_data' and
 * 'picurl' on success, or 'message' on failure.
 *
 * Weaknesses visible in this block (the patched version is the later listing):
 *  - the file's extension, MIME type and content are never checked;
 *  - the stored extension is everything after the FIRST '.' of the
 *    client-controlled file name, so a file named "a.php" is saved as
 *    "<hash>.php" and then published via SITE_PATH.'/uploads/temp/';
 *  - copy() is tried before move_uploaded_file(), so the tmp_name is never
 *    required to be a genuine PHP upload, and both calls are @-silenced;
 *  - the stored name md5(time().'teste') is predictable to the second;
 *  - $_FILES['pic']['error'] is never consulted.
 */
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // NOTE(review): extension taken verbatim from the client name, unvalidated
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // NOTE(review): copy() first means is_uploaded_file() is never enforced
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
uploadpic()方法没有对文件类型进行验证(扩展名、MIME 类型和文件内容都未检查)
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost

在新提交的微博上可以找到上传的文件地址(去掉 small_、middle_ 前缀即为原始文件)

在登录 thinksns 官方微博后, 构建以下表单:
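<!-- PoC form from the report: posts the unvalidated 'pic' field straight to doPost.
     The original listing wrote the opening tag as a self-closing "<form ... />";
     browsers tolerate that but it is invalid HTML, so it is a plain open tag here. -->
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>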
去掉缩略图的前缀(small_)
修复方案(注: 仅校验扩展名并不充分, 存储文件名应只使用校验后的扩展名, 并校验文件内容):

\api\StatusesApi.class.php
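/**
 * Patched upload (20121018 @yelo added the extension allow-list), hardened:
 *
 *  - the stored name uses the *validated* extension ($ext) instead of everything
 *    after the first '.' of the client name, so "x.php.jpg" can no longer be
 *    saved as "<hash>.php.jpg" (executable where Apache maps .php anywhere in
 *    the name via AddHandler);
 *  - $_FILES['pic'] is checked before it is dereferenced, and the PHP upload
 *    error code must be UPLOAD_ERR_OK;
 *  - only a genuine upload (is_uploaded_file) is accepted, so the copy()
 *    fallback cannot be aimed at an arbitrary server path;
 *  - the content must decode as GIF/JPEG/PNG via getimagesize();
 *  - the stored name is unpredictable rather than md5(time().'teste').
 *
 * Returns: array with 'boolen' (1/0); on success 'type_data' and 'picurl',
 * on failure 'message'. Keys and values seen by callers are unchanged.
 *
 * NOTE(review): getimagesize() does not reject image/PHP polyglots; the upload
 * directory must additionally have script execution disabled (no PHP handler).
 * That is a deployment setting outside this method.
 */
function uploadpic(){
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $allowTypes = array(IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG);

    // Guard the dereference: the original read $_FILES['pic']['name'] before
    // testing whether 'pic' was posted at all.
    $file = (isset($_FILES['pic']) && is_array($_FILES['pic'])) ? $_FILES['pic'] : null;

    // Extension from the LAST dot only, lower-cased, '' when there is none.
    $ext = '';
    if ($file !== null && isset($file['name'])) {
        $pathinfo = pathinfo((string) $file['name']);
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
    }

    $uploadCondition = $file !== null
        && isset($file['error']) && (int) $file['error'] === UPLOAD_ERR_OK
        && isset($file['tmp_name']) && is_uploaded_file($file['tmp_name'])
        && in_array($ext, $allowExts, true);

    if ($uploadCondition) {
        // Content check: the bytes must decode as one of the allowed image
        // types regardless of what the client-supplied name claims.
        $info = @getimagesize($file['tmp_name']);
        $uploadCondition = ($info !== false) && in_array($info[2], $allowTypes, true);
    }

    if ($uploadCondition) {
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Unpredictable name; only the validated extension is ever appended.
        $token = function_exists('random_bytes')
            ? bin2hex(random_bytes(16))
            : md5(uniqid(mt_rand(), true));
        $filename = $token.'.'.$ext;
        $target = $savePath.'/'.$filename;
        // move_uploaded_file() first; copy() is kept only as the original's
        // fallback and is now safe because tmp_name passed is_uploaded_file().
        if (move_uploaded_file($file['tmp_name'], $target) || @copy($file['tmp_name'], $target)) {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    } else {
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}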
2 J/ T. R$ E; D4 d$ P* n9 @# n
; @3 w$ ~! F+ A0 h+ O4 F2 p |