微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
7 K2 q. E' X6 o; ~! Y/ [* E; o. b+ w- ^+ I1 p0 c6 W
8 A# M! X2 a( I/ h/ G
\api\StatusesApi.class.php9 d+ U# S. H% w7 G' O
/ }3 ~4 X1 ]9 y" i* a5 X
function uploadpic(){8 c1 G, b/ r; b% g4 M
if( $_FILES['pic'] ){6 u6 x5 B' o: S7 ~
//执行上传操作
3 z/ o, s* g1 z4 u- B H; Q# o $savePath = $this->_getSaveTempPath();
# M( Z& p( E; S* a6 W3 i6 ? $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);" C) M5 z- d( T$ }$ o
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))! u* l; u `: W* x
{
7 g7 |. O0 c( r; a+ A $result['boolen'] = 1; U1 D9 |+ g6 {! K
$result['type_data'] = 'temp/'.$filename;1 G6 R0 y/ }7 p; g7 v: W G
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
0 q* ~& W+ v; Q" [9 ] } else {2 E8 k2 _' v6 e% V9 ~$ R
$result['boolen'] = 0;6 Q0 U: J, x1 m V4 a
$result['message'] = '上传失败';' e/ }$ `( ]) I* F2 J0 y" s' F; {5 p
}
6 H% T) c4 L5 O) R" `8 t }else{' U% @ c, e0 X5 u4 W
$result['boolen'] = 0;* c) z7 z- f3 ~5 U- |
$result['message'] = '上传失败';
+ }, Z0 Z( }- a, U }
1 {8 I! E7 E4 M8 h" C* qreturn $result;
# o. n! ]3 L9 \$ r0 f( H }
2 f3 e: J i0 m: \* w5 }unloadpic()方法没有对文件类型进行验证" N& |, j! g9 P, w# l! ?
2 @9 U! `( Z- b6 J
可以构建表单, 选择任意文件, 提交到' k8 e4 q' }0 L
/index.php?app=w3g&mod=Index&act=doPost8 Z) f; g& N L, ]# F# u
f; r3 H/ u+ S {8 t$ g. B在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
7 H# a( Q2 k7 v/ x |- Z0 \5 a" B' e
8 v( J! Y% s! y6 p
: D% f2 s0 ~$ o在登录thinksns官方微博后,; P0 e# _( k% _% U
构建以下表单:
[ J/ u) Z( ? R, t5 g" G" A3 W ; S) v, t8 [% I2 B" }) Z, J
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
/ t: I/ }- u4 |) G<textarea name="content">test</textarea>
3 X# V% u$ Z$ R) e# P. Zfile: <input id="file" type="file" name="pic" />
- Z* J( ~& I3 [- b<input type="submit" value="Post" />
. S6 C( v; n5 J</form>
; B1 H0 K8 a" ~5 _- f4 ]( {- l5 O+ c8 M3 j去掉缩略图的前缀(small_ )
/ w/ F1 F0 y% @5 I' ?修复方案:: _% C* r# s( Y2 C% p* O. b" W
6 ^5 |; ~ q5 C7 ~" L, H- U# R; `% C# m
\api\StatusesApi.class.php
, x* A" ]0 T3 `! [8 U* S$ A " @7 d: M, t/ z. V( X
function uploadpic(){/ I* V) i5 w" g! m
/**
# a% n% @4 S8 |5 ? * 20121018 @yelo8 A+ N% l2 ]- Q' r4 w: S7 Q
* 增加上传类型验证
$ m$ w( a/ T/ |* B M% l1 ^ */
6 U l5 V! [7 p $pathinfo = pathinfo($_FILES['pic']['name']);
' F8 z$ v& @2 M( o' e $ext = $pathinfo['extension'];, B4 E' V5 y' N! U
$allowExts = array('jpg', 'png', 'gif', 'jpeg');
4 q V: t# F# Q/ b2 _3 ^& ]
. y2 X1 ]' X) N# M$ d9 u+ m $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
) b) Z6 Y5 W4 F: `' q
; R$ U3 N3 c m: {7 E if( $uploadCondition ){
) x( P+ m K8 @ //执行上传操作; Y9 i( F8 b8 V( Y) e
$savePath = $this->_getSaveTempPath();! u: v9 e$ g# B" R7 B R
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);' |9 z$ r% p# f8 Z$ _% y
if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
+ o- Q( V$ m, m3 p {) j F @3 ^+ R5 [& h H+ h7 f5 t$ E
$result['boolen'] = 1;& n) Q7 e; C- r( C! A2 I! x
$result['type_data'] = 'temp/'.$filename;& Z+ P7 @$ z; E4 p
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;8 z! r* i* u) ]' [- x `$ T* I
} else {6 E$ ?: P& G7 E' }% `
$result['boolen'] = 0;
6 m$ v& y+ Y2 Q8 \ $result['message'] = '上传失败';* v' D( R4 e9 Y& d6 o
}
7 c2 U6 H, \6 {1 o- x* o4 Y }else{2 y$ Y# V0 O9 R t+ y. t
$result['boolen'] = 0;: r# x) M8 f( n% S. c5 q6 |6 n
$result['message'] = '上传失败';- g/ O7 ?7 A i2 v
}
. \, \% b; [& A8 f8 lreturn $result;3 r: I5 |; j/ H ^; A
} Y7 H4 X$ h1 V c9 u4 @; F
5 ?4 X' O t, [* n# E# z# j
; }% s) z% I! X% W4 J |
发表于 2012-12-4 11:12:30
收藏
支持
反对