微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。5 {0 W! s# n3 f# f6 J, g* a
5 O4 X& \# Z% i
1 e0 l) B s% p k K; m& W\api\StatusesApi.class.php
6 I) G- \" P/ X3 L4 f0 t# p5 e, g
! S" J' ?9 d. @% X+ p0 |, `1 S! qfunction uploadpic(){
/ v" t6 v/ i R$ O- K if( $_FILES['pic'] ){) k! ^" C/ G- |$ r
//执行上传操作; r6 h% L" C) h0 f, n
$savePath = $this->_getSaveTempPath();
7 s0 k/ a( v1 } $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);- w& F8 ^9 l) {8 j0 X2 r
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
$ b) `9 ^1 A+ b2 l {3 Y) z$ k. `! W& [9 M+ M# ^
$result['boolen'] = 1;
+ [! N, o% J9 p5 K5 d. A2 b $result['type_data'] = 'temp/'.$filename;
5 w3 E& V4 S8 G6 k% b $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
' k1 q; |) q, ` } else {
2 v/ Q" A2 u$ X $result['boolen'] = 0;
2 v" \+ c ~( D7 c $result['message'] = '上传失败';
0 d' G+ N! c( J! A2 u! n }0 d' u- P8 _$ W' @
}else{
6 `, X3 [, U* Z# r' h( d2 C/ F $result['boolen'] = 0;& J7 }& r; k. b# F2 }. t
$result['message'] = '上传失败';! p, l7 O) N9 S D
}5 g- O5 y% G5 [" a1 [' v' L# L
return $result;
! z1 }2 k- C9 b/ o) r& j }
( j. ~9 n( f) iunloadpic()方法没有对文件类型进行验证
$ y8 u1 t& b/ E ( ~( R5 B: ]( f2 M; q
可以构建表单, 选择任意文件, 提交到
; Z, z+ t j: q: A( H0 W/index.php?app=w3g&mod=Index&act=doPost
1 |1 i* U- H3 U / y2 d- v- Y ^' }
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
K1 ~) e6 H- y; D& p* w$ q
) [9 j0 W; |# _0 T5 X& u/ {% q8 O4 E# g% V( A7 a) m9 S0 v5 ?
在登录thinksns官方微博后,; H& q* C7 W% E6 n4 R0 ^! Z+ m
构建以下表单:- m2 U; Y4 w3 F" N E9 R1 T8 f" Q
- S, G, B# d. F
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
* S) e6 Q6 Y: y) P% ]- \<textarea name="content">test</textarea>8 K" E: v! K! u w
file: <input id="file" type="file" name="pic" />) g( S& a, h m* N
<input type="submit" value="Post" />
; m7 ^) _2 B3 Q- x</form>6 n! O" [: Q( y* x
去掉缩略图的前缀(small_ )8 H* M s6 t& E/ w
修复方案:/ B, r$ s9 d$ L7 O
# e9 u5 c( t K0 ^( N, [3 m
6 L1 r9 `3 o4 b# s2 l' P5 _; X; \1 z\api\StatusesApi.class.php
x% ~; M$ l* i
4 T; K1 ^" K, \% h/ ffunction uploadpic(){
2 l% O4 `* h6 X% F% x" [ /**
7 B \* J- g1 b, K( i3 J0 B! T * 20121018 @yelo! y/ E2 e- D7 \9 z* E; g
* 增加上传类型验证$ G5 e: u* s# u" Y! Z5 @+ k4 Z, J7 U$ t
*/, |3 F) }" c: s( H/ ~, L# c
$pathinfo = pathinfo($_FILES['pic']['name']);5 A$ s7 L' E# t: V3 B! c9 h2 j
$ext = $pathinfo['extension'];
; U+ D2 c" e4 v0 T $allowExts = array('jpg', 'png', 'gif', 'jpeg');
' C- f+ Q. o: g; N
+ k0 q; N) ^+ @& ? $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
' T* e0 N5 Y& K8 k% V' O
2 n# s% U: G# e u8 a: A if( $uploadCondition ){6 F% v+ S6 c" s
//执行上传操作: P' F5 P6 x& g0 f9 x/ k
$savePath = $this->_getSaveTempPath();
/ m( W# L$ E% y% \, l) J) W- L# E $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
. V3 j, k0 U9 a6 X9 P* u if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))3 {. j; z- i+ k" R
{
# P( f, O, D9 m& G( y c% T $result['boolen'] = 1;
. P5 s1 s E/ C0 p' G $result['type_data'] = 'temp/'.$filename;
8 K7 L( N; J* z c0 a1 t $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
7 g0 F) Q4 J# v6 J* W2 a$ b5 U* l7 \ } else {
: {2 |2 }, n& G( C3 l $result['boolen'] = 0;, R( ` j/ A$ Q+ t2 X9 W$ `3 m1 c
$result['message'] = '上传失败';
6 ^' Q* I$ X% b! t6 B; d, Q1 [ }7 V* t' A5 M, ]! [9 G
}else{: u, u$ O$ D t' i) @% U% Y
$result['boolen'] = 0;; |/ U$ H. P5 A; ?& `
$result['message'] = '上传失败';/ ?! M' J* T% N( i6 t
}; H; O' O0 n% k
return $result;
7 r' E7 T0 T& P' Z1 U }
3 Q0 C9 n& q7 C7 }; v3 ]5 S1 N* ~- X# G( t% J: W4 D' N
" W# [7 K$ B/ O9 X$ _3 M
|
发表于 2012-12-4 11:12:30
收藏
支持
反对