微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
\api\StatusesApi.class.php
function uploadpic(){
    /**
     * Stores the uploaded 'pic' file under the temp upload directory.
     *
     * NOTE(review): the only server-side gate in this version is that
     * $_FILES['pic'] is non-empty; neither the client-supplied extension nor
     * the file content is checked before the file is written.
     *
     * @return array 'boolen' => 1 with 'type_data' and 'picurl' on success;
     *               'boolen' => 0 with 'message' on failure.
     */
    $result = array();
    $upload = $_FILES['pic'];

    if( !$upload ){
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }

    //执行上传操作
    $savePath = $this->_getSaveTempPath();
    $originalName = $upload['name'];
    // the stored suffix is everything after the FIRST dot of the client-supplied name
    $suffix = substr($originalName, strpos($originalName, '.') + 1);
    $filename = md5(time().'teste').'.'.$suffix;
    $target = $savePath.'/'.$filename;

    $stored = @copy($upload['tmp_name'], $target) || @move_uploaded_file($upload['tmp_name'], $target);
    if( !$stored ){
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
        return $result;
    }

    $result['boolen'] = 1;
    $result['type_data'] = 'temp/'.$filename;
    $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
    return $result;
}
uploadpic()方法没有对文件类型进行验证
可以构建表单, 选择任意文件, 提交到
/index.php?app=w3g&mod=Index&act=doPost
在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
在登录thinksns官方微博后,
构建以下表单:
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
去掉缩略图的前缀(small_ )
修复方案:
\api\StatusesApi.class.php
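function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation.
     *
     * Stores the uploaded 'pic' file under the temp upload directory after
     * checking it: the upload must have completed without error, must have
     * come in through this request (is_uploaded_file), its final extension
     * must be on the allow-list, and its content must parse as an image.
     * The stored name carries exactly the validated extension.
     *
     * Reads $_FILES['pic'] (name, tmp_name and error are client-influenced)
     * and writes below $this->_getSaveTempPath().
     *
     * @return array 'boolen' => 1 with 'type_data' and 'picurl' on success;
     *               'boolen' => 0 with 'message' on failure.
     */
    $result = array();
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    // Resolve the upload record before touching any of its fields, so a
    // missing 'pic' entry fails cleanly instead of raising notices.
    $upload = isset($_FILES['pic']) ? $_FILES['pic'] : null;
    $uploadCondition = is_array($upload)
        && isset($upload['error']) && $upload['error'] === UPLOAD_ERR_OK
        && isset($upload['tmp_name']) && is_uploaded_file($upload['tmp_name']);

    $ext = '';
    if( $uploadCondition ){
        // Only the final extension is validated; it is lower-cased so the
        // allow-list comparison and the stored name agree.
        $pathinfo = pathinfo($upload['name']);
        $ext = isset($pathinfo['extension']) ? strtolower($pathinfo['extension']) : '';
        $uploadCondition = in_array($ext, $allowExts, true);
    }
    if( $uploadCondition ){
        // The extension is client-controlled; require the bytes to be an image too.
        $uploadCondition = @getimagesize($upload['tmp_name']) !== false;
    }

    if( $uploadCondition ){
        //执行上传操作
        $savePath = $this->_getSaveTempPath();
        // Build the stored name from the validated $ext. The previous version
        // used substr() after the FIRST dot, so a name such as "x.php.jpg"
        // passed the allow-list but was stored with the suffix "php.jpg".
        // uniqid()+mt_rand() replaces md5(time()), which collided for uploads
        // within the same second.
        $filename = md5(uniqid(mt_rand(), true)).'.'.$ext;
        $target = $savePath.'/'.$filename;
        // move_uploaded_file() refuses anything that is not this request's
        // upload; the former @copy() fallback had no such check.
        if(@move_uploaded_file($upload['tmp_name'], $target))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}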