微博上传图片时只在前端进行验证, 服务器端没有进行安全过滤。
4 D. `# x5 w9 W) ]8 Z5 x% a) n+ f9 D" W. N$ y
; N& f; j/ u- p4 {6 B1 K9 o2 D
\api\StatusesApi.class.php
1 i0 H% T7 v* c9 ~) n
! P% R- [+ l& n. U- m/ Rfunction uploadpic(){9 t |" }4 J, }6 T6 h
if( $_FILES['pic'] ){3 D! c, g& g. w% E: u$ G
//执行上传操作
; w+ t+ f! E/ V& e, T $savePath = $this->_getSaveTempPath(); i% k5 [/ z- O' Z* W" Z; u2 n0 I( X
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
6 [* c; Z3 O% O6 X# D1 [ if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))& G, `7 {' D" B4 c# p7 o# w) }
{& ?. h6 b% C# c4 o& q
$result['boolen'] = 1;5 Y5 x" V; M! g, O% ^/ N: f
$result['type_data'] = 'temp/'.$filename;! y' I9 b& C) Q0 F
$result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;, ~) d+ X) v1 _3 J" ~! l4 L/ h, h$ `
} else {
- _- T2 ^3 R7 C- Q0 C( D, r $result['boolen'] = 0;, r2 M7 Y9 M6 f, q% O1 E+ e2 v0 }" ~
$result['message'] = '上传失败';
7 S% S8 R6 ~/ ]2 B, v. P! d8 E- a }
. ~; d4 c: E; y; } }else{
1 l1 c1 s0 `& N- q- X $result['boolen'] = 0;7 d/ U* j/ p6 y
$result['message'] = '上传失败';
, w: p- Y* O/ M2 i }' S! ~. z, G- W+ _7 Q8 P+ O" u
return $result;8 L& r* U) k- B' Z4 V1 q+ h" q
}
5 a. M4 {1 P4 \unloadpic()方法没有对文件类型进行验证! W$ r( | d& C( t# @
) z7 ?. r- J* z1 v9 d/ `; Y
可以构建表单, 选择任意文件, 提交到
7 h- j$ S- j: `/index.php?app=w3g&mod=Index&act=doPost
% s; U; f$ T( [9 _8 h9 i9 F. e! W% `. t
4 R8 G6 \$ }- V9 z) y3 i0 D7 m# X在新提交的微博上可以找到上传的文件地址(去掉small_、middle_ 前缀)
+ p- w% H- {+ f( C. k! c
5 g) X, V* ]5 ]: L9 ^+ n: M% c/ q' e8 R4 V0 _7 g+ a
在登录thinksns官方微博后,9 o2 O7 d( j! O( b3 \! [4 `' u$ T
构建以下表单:
: {3 D$ }# ^4 m' Z+ J) D
! o* a" y. X8 X8 v4 i0 V6 Q& |<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data" />
/ a+ f+ E G3 @& C/ P7 W$ }( d( s<textarea name="content">test</textarea>
7 o( L. E4 q1 Ofile: <input id="file" type="file" name="pic" />
. I/ K7 ~' v$ X5 u( u<input type="submit" value="Post" />$ @8 |3 w w9 T0 \
</form>, W5 ]4 d/ S" H* W2 q3 O: {
去掉缩略图的前缀(small_ )
% ?1 y" q! r& ]0 u! C7 w修复方案:, d: @9 }7 b' X* j- f; S, i
# o/ u7 Y n! W+ L9 e0 E
* ?* `: }$ w9 V\api\StatusesApi.class.php
% E# O# j- o! w S+ c: t( M2 o5 H3 { 9 y7 I9 K$ P: t) j% V% c: X, k* b B3 Y
function uploadpic(){
3 G& r" A2 \+ x: n- o4 ?6 o: w /**& Q* M9 H, R( f/ ~. }3 n5 Y
* 20121018 @yelo
$ l/ J7 q6 J) M# X7 W+ |& Z * 增加上传类型验证
& ~. u! D1 u& ?: X' g* V" m, e */& c: \7 c# H& s/ F) w; r
$pathinfo = pathinfo($_FILES['pic']['name']);, S: U2 Y" w- {! w" l6 [2 Z9 M
$ext = $pathinfo['extension'];1 D* a% A+ k1 o( x
$allowExts = array('jpg', 'png', 'gif', 'jpeg');! e! H3 _5 [! g, Q% q1 i8 Y5 D/ M
- b' K) b1 Z. @: K $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);
0 N% C9 i* N. e% M! P" c2 D* G 7 n: I4 E+ q1 q7 l
if( $uploadCondition ){; w4 I, ]) Y, E+ Q8 k9 y
//执行上传操作
# [# l; B* d: \. g4 C) ` $savePath = $this->_getSaveTempPath();8 }* [/ q2 _+ J9 O
$filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
/ H% t- }* s3 | if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
" f/ k) _! e' b' f {0 n/ O* G+ P; d0 F: L
$result['boolen'] = 1;" y- ~% I5 U6 v) t# K. Y6 C
$result['type_data'] = 'temp/'.$filename;
* @1 p6 t+ K L: E2 O $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;3 t3 H' G& c$ a& v5 }, ~* k
} else {
, l1 s% d# _. r8 L $result['boolen'] = 0;( g$ e1 ^0 F5 X$ Q
$result['message'] = '上传失败';
" \* @6 o; K; Q O }
* X! S2 S" x: E; L }else{& Z+ V4 U& {3 j. ]* o1 M: M
$result['boolen'] = 0;
! k5 ]* p( _2 w# _ $result['message'] = '上传失败';* l4 f( |; W" L# \ Y1 V% P. u
}
/ h' [9 r7 O1 j: @return $result;/ V1 c# |; {5 W
}+ Z/ }* W2 c/ T3 P9 e7 _
4 l# E; B4 _9 p5 X
' i/ ?" M' N: {: ]& G |
发表于 2012-12-4 11:12:30
收藏
支持
反对