When an image is uploaded with a microblog post, validation happens only in the front end; the server side does no security filtering at all.
\api\StatusesApi.class.php
    function uploadpic(){
        if( $_FILES['pic'] ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            // no type check: the stored name takes everything after the FIRST dot
            // of the client-supplied file name as its extension
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';   // "upload failed"
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';       // "upload failed"
        }
        return $result;
    }
The uploadpic() method does not validate the file type at all.

So you can build a form, pick any file, and submit it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted microblog (strip the small_ / middle_ thumbnail prefix from the image URL).
After logging in to the official ThinkSNS microblog (t.thinksns.com), build the following form:

    <form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
    <textarea name="content">test</textarea>
    file: <input id="file" type="file" name="pic" />
    <input type="submit" value="Post" />
    </form>

Submit it with an arbitrary file selected, then take the image URL from the new post and remove the thumbnail prefix (small_) to reach the uploaded file itself.
Fix:

\api\StatusesApi.class.php
    function uploadpic(){
        /**
         * 20121018 @yelo
         * added upload type validation
         */
        $pathinfo = pathinfo($_FILES['pic']['name']);
        $ext = $pathinfo['extension'];                 // last extension of the client-supplied name
        $allowExts = array('jpg', 'png', 'gif', 'jpeg');

        // only proceed when a file was sent AND its extension is whitelisted (case-insensitive)
        $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

        if( $uploadCondition ){
            // perform the upload
            $savePath = $this->_getSaveTempPath();
            // stored name still keeps everything after the FIRST dot of the client-supplied name
            $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
            if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
            {
                $result['boolen'] = 1;
                $result['type_data'] = 'temp/'.$filename;
                $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
            } else {
                $result['boolen'] = 0;
                $result['message'] = '上传失败';   // "upload failed"
            }
        }else{
            $result['boolen'] = 0;
            $result['message'] = '上传失败';       // "upload failed"
        }
        return $result;
    }
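Two things about the patch above are worth a second look. First, it whitelists the last extension (pathinfo), but the stored file name is still built from everything after the first dot of the client-supplied name, so a name like x.php.jpg passes the check and is saved as <md5>.php.jpg; whether a web server executes a double-extension name like that depends on its handler configuration, but the upload code should not leave that decision to the server at all. Second, the check looks only at the name, never at the bytes, and the @copy() fallback will copy any path PHP can read rather than only the uploaded temp file. The following is an added example, not ThinkSNS code, showing a check that closes those gaps; the function names validateImageUpload, saveTempImage and legacyStoredName are assumed for illustration, and it assumes PHP 7 or later:

```php
<?php
// Added example, not ThinkSNS code. Function names are assumed for
// illustration; ThinkSNS has no such functions.

// Reproduces how both versions of uploadpic() on this page derive the stored
// file name: everything after the FIRST dot of the client-supplied name is
// kept, so "x.php.jpg" is stored as "<md5>.php.jpg" even though the patched
// version only whitelisted the last extension.
function legacyStoredName(string $clientName): string
{
    return md5(time() . 'teste') . '.' . substr($clientName, strpos($clientName, '.') + 1);
}

// Returns ['ok' => true, 'ext' => <server-chosen extension>] on success or
// ['ok' => false, 'message' => <reason>] on failure. $file is one $_FILES entry.
function validateImageUpload(array $file): array
{
    $allowExts = ['jpg', 'jpeg', 'png', 'gif'];
    // IMAGETYPE_* constants reported by getimagesize(), mapped to the extension
    // the file will be stored under (chosen by the server, not by the client).
    $typeToExt = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

    if (!isset($file['error'], $file['tmp_name'], $file['name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'message' => 'upload failed'];
    }
    // Only accept a file that really arrived through this HTTP request; the
    // original @copy() fallback would also copy any local path PHP can read.
    if (!is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'message' => 'not an uploaded file'];
    }
    // 1. Extension whitelist on the LAST extension, as the patch does.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return ['ok' => false, 'message' => 'file type not allowed'];
    }
    // 2. Content check: the bytes must decode as an image of an allowed type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($typeToExt[$info[2]])) {
        return ['ok' => false, 'message' => 'not a valid image'];
    }
    // 3. The claimed extension must agree with the decoded type
    //    (jpg and jpeg are the same IMAGETYPE_JPEG).
    $verifiedExt = $typeToExt[$info[2]];
    if (($ext === 'jpeg' ? 'jpg' : $ext) !== $verifiedExt) {
        return ['ok' => false, 'message' => 'extension does not match content'];
    }
    return ['ok' => true, 'ext' => $verifiedExt];
}

// Same result keys as uploadpic(), but the stored name is random and its
// extension comes from the verified image type, so nothing from the
// client-supplied name reaches the filesystem or the resulting URL.
function saveTempImage(array $file, string $savePath, string $sitePath): array
{
    $check = validateImageUpload($file);
    if (!$check['ok']) {
        return ['boolen' => 0, 'message' => $check['message']];
    }
    $filename = bin2hex(random_bytes(16)) . '.' . $check['ext'];
    $dest = rtrim($savePath, '/') . '/' . $filename;
    // move_uploaded_file() only, no copy() fallback
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return ['boolen' => 0, 'message' => 'upload failed'];
    }
    return [
        'boolen'    => 1,
        'type_data' => 'temp/' . $filename,
        'picurl'    => $sitePath . '/uploads/temp/' . $filename,
    ];
}

// Inside the API class the call would be:
//   $result = saveTempImage($_FILES['pic'], $this->_getSaveTempPath(), SITE_PATH);
```

getimagesize() alone is not a complete defence: a file can be a valid GIF or JPEG and still carry PHP code in its comment or trailing bytes. That is why the example also refuses to reuse any part of the client-supplied name and writes the file under a random name with a server-chosen extension; with the extension no longer attacker-controlled, a polyglot image is served as an image rather than handed to the PHP interpreter. Keeping the upload directory itself free of script handlers is the usual second layer on top of this.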