When uploading a picture with a microblog post, validation happens only on the front end; the server side performs no security filtering.

\api\StatusesApi.class.php
function uploadpic(){
    // No file-type check at all: anything present in $_FILES['pic'] is accepted
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Stored extension is everything after the FIRST dot of the client-supplied name
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        // @copy() is tried first and accepts any readable path; move_uploaded_file() is only the fallback
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';   // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';   // "upload failed"
    }
    return $result;
}
The uploadpic() method does not validate the file type at all.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found on the newly posted microblog entry (strip the small_ / middle_ prefix).

After logging in to the official ThinkSNS microblog, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_) from the image address.

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * add validation of the upload type
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];            // LAST extension of the client-supplied name
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // strict in_array(): the lower-cased extension must exactly match a whitelist entry
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        // Note: the stored name still takes everything after the FIRST dot of the
        // original name, so it can differ from the $ext that was just checked
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';   // "upload failed"
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';   // "upload failed"
    }
    return $result;
}
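The patch above checks the last extension but still names the stored file from everything after the first dot, and still tries copy() before move_uploaded_file(). The following is an added example (not ThinkSNS's own code, PHP 7+ assumed) that builds the stored name from the validated extension only, checks the file content with getimagesize(), and uses move_uploaded_file() alone; validateUploadedPic() and uploadpicHardened() are hypothetical names and $savePath is supplied by the caller.

```php
<?php
// Server-side validation for the 'pic' upload (added example, not ThinkSNS code).
function validateUploadedPic(array $file, array $allowExts = array('jpg', 'jpeg', 'png', 'gif'))
{
    // Reject anything PHP did not record as a completed upload.
    if (empty($file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array('ok' => false, 'message' => 'no file uploaded');
    }
    // Only touch files that arrived through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return array('ok' => false, 'message' => 'not an uploaded file');
    }
    // Whitelist the LAST extension (pathinfo), lower-cased, with a strict comparison.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return array('ok' => false, 'message' => 'disallowed extension: ' . $ext);
    }
    // Content check: the bytes must parse as an image whose type matches the extension.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return array('ok' => false, 'message' => 'not an image');
    }
    $typeExt = ltrim(image_type_to_extension($info[2]), '.');   // e.g. "jpeg", "png", "gif"
    $typeExt = ($typeExt === 'jpeg') ? 'jpg' : $typeExt;       // normalise jpeg/jpg
    $normExt = ($ext === 'jpeg') ? 'jpg' : $ext;
    if ($typeExt !== $normExt) {
        return array('ok' => false, 'message' => 'extension does not match content');
    }
    // Server-chosen random name built from the validated extension only;
    // no part of the client-supplied filename reaches the disk.
    $filename = bin2hex(random_bytes(16)) . '.' . $normExt;
    return array('ok' => true, 'filename' => $filename);
}

// Same return shape as uploadpic(): 'boolen' plus 'type_data' or 'message'.
function uploadpicHardened(array $file, $savePath)
{
    $check = validateUploadedPic($file);
    if (!$check['ok']) {
        return array('boolen' => 0, 'message' => $check['message']);
    }
    // move_uploaded_file() only: no copy() fallback that would accept an arbitrary source path.
    $dest = rtrim($savePath, '/') . '/' . $check['filename'];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array('boolen' => 0, 'message' => 'upload failed');
    }
    return array('boolen' => 1, 'type_data' => 'temp/' . $check['filename']);
}
```

Call it as uploadpicHardened($_FILES['pic'], $this->_getSaveTempPath()) in place of the body of uploadpic(); a name such as photo.php.jpg is rejected unless its bytes really are a JPEG, and even then it is stored under a random name ending in .jpg.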