When an image is uploaded with a microblog post, validation happens only in the front end; the server performs no security filtering.

\api\StatusesApi.class.php

    // Original (vulnerable) version: a method of StatusesApi, kept as it was,
    // with no check on the type of the uploaded file.
    function uploadpic(){
        $result = array();
        if( $_FILES['pic'] ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            // stored extension = everything after the first '.' of the client-supplied name
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
        return $result;
    }
The uploadpic() method does not validate the file type at all.

One can build a form, pick an arbitrary file, and submit it to

/index.php?app=w3g&mod=Index&act=doPost

In the newly posted microblog entry the URL of the uploaded file can be found (strip the small_ and middle_ prefixes).

After logging in to the official ThinkSNS microblog, build the following form:
" C4 w* X- ?6 a5 Q6 w" A<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
( C: t+ k' e1 C7 \; N! a: o<textarea name="content">test</textarea>' D) y% ^7 W3 p4 ]
file: <input id="file" type="file" name="pic" />+ {6 n1 s, P& n# j
<input type="submit" value="Post" />
4 X0 v! g% M2 ~; S</form>
Then strip the thumbnail prefix (small_) from the image URL.

Fix:

\api\StatusesApi.class.php

    // Fixed version: the upload is only performed when the client-supplied
    // filename ends in a whitelisted image extension.
    function uploadpic(){
        /**
         * 20121018 @yelo
         * Added upload type validation
         */
        $result = array();
        $pathinfo = pathinfo($_FILES['pic']['name']);
        $ext = $pathinfo['extension'];
        $allowExts = array('jpg', 'png', 'gif', 'jpeg');

        // strict in_array(): the lower-cased extension must match one of the allowed strings exactly
        $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

        if( $uploadCondition ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
        return $result;
    }
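The fix above checks only the extension of the client-supplied filename. The following is an added example (not ThinkSNS code; the function name, parameters and the `validate_and_store_upload` helper are assumptions, and it assumes PHP 7 or later for `random_bytes()` and scalar type hints) showing the same whitelist extended with the checks a server-side handler should also make: PHP's own upload status, `is_uploaded_file()`, the decoded image content via `getimagesize()`, and a stored filename built from random bytes plus the validated extension rather than from the uploaded name. It returns the same `boolen` / `type_data` / `picurl` array shape the API uses.

```php
<?php
// Added example, not part of the ThinkSNS code base.
// Validates an entry of $_FILES and, if every check passes, moves it into $saveDir.

function validate_and_store_upload(array $file, string $saveDir, string $siteUrl): array
{
    $fail = array('boolen' => 0, 'message' => '上传失败');

    // Extension whitelist (same set as the fix) and the MIME types we accept
    // from the *content* of the file, mapped to the extension we will store.
    $allowExts = array('jpg', 'jpeg', 'png', 'gif');
    $mimeToExt = array(
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    );

    // 1. PHP must report a completed upload, and the temp path must belong to
    //    this request's upload (copy() on an arbitrary path would not be caught).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return $fail;
    }
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return $fail;
    }

    // 2. Whitelist the LAST extension of the client-supplied name, lower-cased,
    //    with a strict comparison exactly as the fix does.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return $fail;
    }

    // 3. Content check: the bytes must decode as an image and the detected MIME
    //    type must be one we accept. $file['type'] is client-controlled and ignored.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($info['mime']) || !isset($mimeToExt[$info['mime']])) {
        return $fail;
    }
    $storedExt = $mimeToExt[$info['mime']];

    // 4. Stored name: random, with the validated extension only. Nothing from the
    //    original filename (including any earlier '.' segments) reaches disk.
    $filename = bin2hex(random_bytes(16)) . '.' . $storedExt;
    $target   = rtrim($saveDir, '/') . '/' . $filename;

    // 5. move_uploaded_file() only; no copy() fallback.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return $fail;
    }

    return array(
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => rtrim($siteUrl, '/') . '/uploads/temp/' . $filename,
    );
}

// Usage inside a request handler (field name 'pic' as in the API; paths assumed):
// $result = validate_and_store_upload($_FILES['pic'], __DIR__ . '/uploads/temp', SITE_PATH);
```

Two design notes. The extension is taken with `PATHINFO_EXTENSION`, i.e. the text after the last dot, and the stored name is derived from the MIME type detected in the content, so the client-supplied name never influences what lands in the upload directory. `getimagesize()` confirms the file begins as a valid image but cannot rule out extra data appended after the image, so the upload directory should additionally be served with script execution disabled (or kept outside the web root and served through a handler) rather than relying on the filename check alone.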