When an image is uploaded with a microblog post, the only validation happens in the front end; the server side performs no security filtering.
\api\StatusesApi.class.php

function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method performs no validation of the file type.

A form can be built that selects an arbitrary file and submits it to
/index.php?app=w3g&mod=Index&act=doPost

The address of the uploaded file can then be found in the newly posted microblog entry (strip the small_ and middle_ prefixes).

After logging in to the official ThinkSNS microblog,
build the following form:
3 V9 b) _" ~$ ?# O6 s% E# i. ~ 3 a7 _& U6 v, s
<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Strip the thumbnail prefix (small_).

Fix:

\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added upload type validation
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');
    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
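A stricter variant of the check in the fix above, written here as an added example rather than ThinkSNS code: it keeps the extension allow-list, additionally requires that the uploaded bytes parse as an image of the type the extension claims, and derives the stored filename from the validated extension instead of from the user-supplied name. The function names and the 'Upload failed' message are assumptions; $file is a normal PHP $_FILES entry such as $_FILES['pic'].

```php
<?php
// Added example, not ThinkSNS code. Function names are hypothetical;
// $file is a PHP $_FILES entry such as $_FILES['pic'].
function validateImageUpload(array $file, array $allowExts = ['jpg', 'jpeg', 'png', 'gif']): ?string
{
    // Reject anything PHP itself already flagged (no file, partial upload, size limit).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only handle files that really arrived through an HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Extension allow-list as in the fix: last extension only, case-insensitive.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return null;
    }
    // Content check: the bytes must parse as an image, and the detected type
    // must agree with the claimed extension. Client-side checks and the
    // Content-Type header are under the uploader's control; the bytes are not.
    $info = @getimagesize($file['tmp_name']);
    $typeByExt = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                  'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
    if ($info === false || !isset($typeByExt[$ext]) || $info[2] !== $typeByExt[$ext]) {
        return null;
    }
    // Hand back the validated extension so the caller never builds a path
    // from the user-supplied filename.
    return $ext;
}

function storeUploadedImage(array $file, string $savePath): array
{
    $ext = validateImageUpload($file);
    if ($ext === null) {
        return ['boolen' => 0, 'message' => 'Upload failed'];
    }
    // Random name plus validated extension: nothing user-controlled reaches the path.
    $filename = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $savePath . '/' . $filename)) {
        return ['boolen' => 0, 'message' => 'Upload failed'];
    }
    return ['boolen' => 1, 'type_data' => 'temp/' . $filename];
}
```

The original fix still builds $filename from everything after the first dot in the uploaded name, so the stored name is not fully under server control; generating it from the validated extension closes that gap.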