When uploading an image to a microblog post, validation is performed only on the front end; the server side applies no security filtering.

\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method performs no validation of the file type.

A form can be built that picks an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted microblog entry (strip the small_ / middle_ prefix).

After logging in to the official ThinkSNS microblog, build the following form:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_).

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
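As an added example (not ThinkSNS code), the same upload flow with the checks a server-side validator should make: the file must have arrived through the HTTP upload, its extension must be in the allowlist, its bytes must parse as an image whose MIME type matches that extension, and the stored name is built from the validated extension rather than from the client-supplied name. It assumes $savePath is a writable temp directory, SITE_PATH is the site's base URL (as on the page), and PHP 7 or later for random_bytes().

```php
<?php
// Added example, not ThinkSNS code. Assumes $savePath is writable and
// SITE_PATH is defined by the application.

function validateUploadedImage(array $file, array $allowExts)
{
    // Accept only a file PHP itself received via the HTTP upload, with no error.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Extension check: lower-cased, strict comparison against the allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return null;
    }
    // Content check: the bytes must decode as an image whose MIME type
    // matches the claimed extension; the name alone proves nothing.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $expectedMime = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                          'png' => 'image/png',  'gif' => 'image/gif');
    if ($info['mime'] !== $expectedMime[$ext]) {
        return null;
    }
    return $ext;
}

function uploadpicChecked(array $file, $savePath)
{
    $allowExts = array('jpg', 'jpeg', 'png', 'gif');
    $ext = validateUploadedImage($file, $allowExts);
    if ($ext === null) {
        return array('boolen' => 0, 'message' => '上传失败');
    }
    // Stored name: random token plus the validated extension, so nothing from
    // the client-supplied name (including anything after its first dot) is kept.
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $savePath . '/' . $filename;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return array('boolen' => 0, 'message' => '上传失败');
    }
    return array('boolen' => 1, 'type_data' => 'temp/' . $filename,
                 'picurl' => SITE_PATH . '/uploads/temp/' . $filename);
}
```

Call it as uploadpicChecked($_FILES['pic'], $this->_getSaveTempPath()) in place of the body of uploadpic(); the returned array keeps the same keys the page's code uses.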