When an image is uploaded with a microblog post, validation is performed only on the front end; the server side does no security filtering at all.
\api\StatusesApi.class.php
function uploadpic(){
    if( $_FILES['pic'] ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
The uploadpic() method performs no validation of the file type.
A form can be built, any file selected, and the form submitted to
/index.php?app=w3g&mod=Index&act=doPost
The address of the uploaded file can then be found on the newly posted microblog entry (remove the small_ / middle_ prefix).
After logging in to the official ThinkSNS microblog, build the following form:

<form action="http://t.thinksns.com/index.php?app=w3g&mod=Index&act=doPost" method="post" enctype="multipart/form-data">
<textarea name="content">test</textarea>
file: <input id="file" type="file" name="pic" />
<input type="submit" value="Post" />
</form>
Remove the thumbnail prefix (small_) from the file address.

Fix:
\api\StatusesApi.class.php
function uploadpic(){
    /**
     * 20121018 @yelo
     * Added validation of the upload file type
     */
    $pathinfo = pathinfo($_FILES['pic']['name']);
    $ext = $pathinfo['extension'];
    $allowExts = array('jpg', 'png', 'gif', 'jpeg');

    $uploadCondition = $_FILES['pic'] && in_array(strtolower($ext),$allowExts,true);

    if( $uploadCondition ){
        // perform the upload
        $savePath = $this->_getSaveTempPath();
        $filename = md5( time().'teste' ).'.'.substr($_FILES['pic']['name'],strpos($_FILES['pic']['name'],'.')+1);
        if(@copy($_FILES['pic']['tmp_name'], $savePath.'/'.$filename) || @move_uploaded_file($_FILES['pic']['tmp_name'], $savePath.'/'.$filename))
        {
            $result['boolen'] = 1;
            $result['type_data'] = 'temp/'.$filename;
            $result['picurl'] = SITE_PATH.'/uploads/temp/'.$filename;
        } else {
            $result['boolen'] = 0;
            $result['message'] = '上传失败';
        }
    }else{
        $result['boolen'] = 0;
        $result['message'] = '上传失败';
    }
    return $result;
}
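Added example, not ThinkSNS code and not part of the original post: a stricter server-side check that complements the fix above. It keeps the $allowExts whitelist and the $_FILES['pic'] input from the page; the function name validateUploadedImage, the getimagesize() content check, the random stored name and the requirement of PHP 7 or later (for random_bytes()) are assumptions.

```php
<?php
// Added example (not the project's code): validate an uploaded image on the
// server before it is stored. Returns array('ok' => bool, ...).
function validateUploadedImage(array $file, array $allowExts = array('jpg', 'jpeg', 'png', 'gif'))
{
    // Reject anything PHP itself flagged, and anything that did not arrive
    // as an upload in this request.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return array('ok' => false, 'message' => 'upload error');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return array('ok' => false, 'message' => 'not an uploaded file');
    }

    // Extension check: the LAST extension (pathinfo), lowercased, strict whitelist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowExts, true)) {
        return array('ok' => false, 'message' => 'disallowed extension');
    }

    // Content check: the bytes must decode as an image of the claimed kind,
    // so a renamed non-image file does not pass on its extension alone.
    $expected = array('jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                      'png' => IMAGETYPE_PNG,  'gif'  => IMAGETYPE_GIF);
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($expected[$ext]) || $info[2] !== $expected[$ext]) {
        return array('ok' => false, 'message' => 'content is not a ' . $ext . ' image');
    }

    // Stored name: random bytes plus the VALIDATED extension only. The fix above
    // still copies everything after the first dot of the client-supplied name;
    // using $ext means "a.b.jpg" is always stored as <random>.jpg.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return array('ok' => true, 'filename' => $stored, 'mime' => $info['mime']);
}

// Usage inside the controller ($savePath as in the fix above). Use only
// move_uploaded_file(), which refuses anything that is not an upload; copy() does not.
//   $check = validateUploadedImage($_FILES['pic']);
//   if ($check['ok']) {
//       move_uploaded_file($_FILES['pic']['tmp_name'], $savePath . '/' . $check['filename']);
//   }
```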