
File upload vulnerability
star7th committed Jan 26, 2022
1 parent 2b34e26 commit 7383d7a
Showing 2 changed files with 28 additions and 17 deletions.
15 changes: 4 additions & 11 deletions server/Application/Api/Controller/AttachmentController.class.php
Expand Up @@ -78,11 +78,8 @@ public function uploadImg(){
if (!$_FILES['editormd-image-file']) {
return false;
}

if (strstr(strip_tags(strtolower($_FILES['editormd-image-file']['name'])), ".php")
|| strstr(strip_tags(strtolower($_FILES['editormd-image-file']['name'])), ".htm")
|| strstr(strip_tags(strtolower($_FILES['editormd-image-file']['name'])), ".svg")
) {

if(D("Attachment")->isDangerFilename($_FILES['editormd-image-file']['name'])){
return false;
}

Expand Down Expand Up @@ -111,12 +108,8 @@ public function attachmentUpload(){
if (!$uploadFile) {
return false;
}

if (strstr(strip_tags(strtolower($uploadFile['name'])), ".php")
|| strstr(strip_tags(strtolower($uploadFile['name'])), ".htm")
|| strstr(strip_tags(strtolower($uploadFile['name'])), ".svg")

) {

if(D("Attachment")->isDangerFilename($uploadFile['name'])){
$this->sendError(10100,'不支持此文件类型');
return false;
}
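Review bot: The new `isDangerFilename` calls in `uploadImg` and `attachmentUpload` look only at the client-supplied `name`, so in `uploadImg`, whose purpose is image upload, nothing in the hunk confirms that the received bytes are an image. A positive content check on `tmp_name` belongs right after the new name check, reading the MIME type with `finfo` and rejecting anything outside an allowlist of image types; the name-based blocklist then becomes defence in depth rather than the only gate. The same applies to the `attachmentUpload` hunk if that endpoint has a known set of expected types. Both enclosing methods start and end outside their hunks, and `uploadImg` returns `false` silently where `attachmentUpload` reports `10100`, so the caller of `uploadImg` gets no reason for the rejection.
```php
if(D("Attachment")->isDangerFilename($_FILES['editormd-image-file']['name'])){
    return false;
}
// The name check above says nothing about the bytes received; verify the content is an image.
// (allowlist below is illustrative — align it with the formats the editor actually accepts)
$mime = (new \finfo(FILEINFO_MIME_TYPE))->file($_FILES['editormd-image-file']['tmp_name']);
if (!in_array($mime, ['image/png', 'image/jpeg', 'image/gif', 'image/webp'], true)) {
    return false;
}
// … unchanged: rest of uploadImg …
```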
30 changes: 24 additions & 6 deletions server/Application/Api/Model/AttachmentModel.class.php
Expand Up @@ -57,13 +57,10 @@ public function deleteFile($file_id){
public function upload($_files , $file_key , $uid , $item_id = 0 , $page_id = 0 ){
$uploadFile = $_files[$file_key] ;

if (strstr(strip_tags(strtolower($uploadFile['name'])), ".php")
|| strstr(strip_tags(strtolower($uploadFile['name'])), ".php")
|| strstr(strip_tags(strtolower($uploadFile['name'])), ".svg")

) {
if($this->isDangerFilename($uploadFile['name'])){
return false;
}
}

$oss_open = D("Options")->get("oss_open" ) ;
if ($oss_open) {
$url = $this->uploadOss($uploadFile);
Expand Down Expand Up @@ -290,6 +287,27 @@ public function getQiuniuEndpointByKey($key,$bucket){

}

// 判断文件名是否包含危险的扩展名
public function isDangerFilename($filename){

$isDangerStr = function ($filename , $keyword){
if(strstr(strip_tags(strtolower( $filename )), $keyword) ){
return true ;
}
return false;
};
if (
$isDangerStr($filename , ".php")
|| $isDangerStr($filename , ".svg")
|| $isDangerStr($filename , ".htm")
|| $isDangerStr($filename , "%")
) {
return true;
}

return false;
}



}
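Review bot: `isDangerFilename` is a substring blocklist, so it rejects only names containing one of the four literals it spells out; whether other extensions are handed to the PHP interpreter depends on the web server's handler mapping, which this method cannot know, so callers that know their expected types should additionally check `pathinfo($filename, PATHINFO_EXTENSION)` against an allowlist rather than rely on this method alone. The reason for `strip_tags` and for the `"%"` entry is not stated anywhere in the hunk (presumably to catch tag-wrapped or URL-encoded variants — worth confirming), so the method deserves a docblock saying that it is a case-insensitive substring match on the raw client-supplied name, that it is deliberately broad (a name containing `.php` anywhere, such as `report.php.pdf`, is rejected), and that it is a blocklist on the name, not a validation of the file's content. The `$isDangerStr` closure can be reduced to a single expression, `return strstr(strip_tags(strtolower($filename)), $keyword) !== false;`, and the outer `if` to `return $isDangerStr($filename, ".php") || …;`. `upload()` in the first hunk starts inside that hunk but its body runs past it.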
