
Commit 7383d7a

committed
File upload vulnerability
1 parent 2b34e26 commit 7383d7a


2 files changed

+28
-17
lines changed


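--- a/server/Application/Api/Controller/AttachmentController.class.php
+++ b/server/Application/Api/Controller/AttachmentController.class.php
@@ -78,11 +78,8 @@ public function uploadImg(){
 if (!$_FILES['editormd-image-file']) {
 return false;
 }
-
-if (strstr(strip_tags(strtolower($_FILES['editormd-image-file']['name'])), ".php")
-|| strstr(strip_tags(strtolower($_FILES['editormd-image-file']['name'])), ".htm")
-|| strstr(strip_tags(strtolower($_FILES['editormd-image-file']['name'])), ".svg")
-) {
+
+if(D("Attachment")->isDangerFilename($_FILES['editormd-image-file']['name'])){
 return false;
 }
 
@@ -111,12 +108,8 @@ public function attachmentUpload(){
 if (!$uploadFile) {
 return false;
 }
-
-if (strstr(strip_tags(strtolower($uploadFile['name'])), ".php")
-|| strstr(strip_tags(strtolower($uploadFile['name'])), ".htm")
-|| strstr(strip_tags(strtolower($uploadFile['name'])), ".svg")
-
-) {
+
+if(D("Attachment")->isDangerFilename($uploadFile['name'])){
 $this->sendError(10100,'不支持此文件类型');
 return false;
 }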
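Review bot: Both hunks still gate the upload on a denylist applied only to the client-supplied filename (`$_FILES['editormd-image-file']['name']` in `uploadImg`, `$uploadFile['name']` in `attachmentUpload`); whether the file is later stored under that name or under a server-generated one is decided outside the hunk, so the extension that actually lands on disk is not constrained here. A gate that fails closed is an allowlist of permitted extensions taken from `pathinfo($name, PATHINFO_EXTENSION)`, ideally paired with a content check (e.g. `finfo`) rather than trusting the name alone. The two hunks also reject differently: `attachmentUpload` reports `$this->sendError(10100,'不支持此文件类型');` while `uploadImg` returns `false` with no message; unless the editormd client depends on the empty response, the first hunk should use the same error path so rejections are visible in logs and to the user. Both enclosing functions start and end outside the hunk.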

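--- a/server/Application/Api/Model/AttachmentModel.class.php
+++ b/server/Application/Api/Model/AttachmentModel.class.php
@@ -57,13 +57,10 @@ public function deleteFile($file_id){
 public function upload($_files , $file_key , $uid , $item_id = 0 , $page_id = 0 ){
 $uploadFile = $_files[$file_key] ;
 
-if (strstr(strip_tags(strtolower($uploadFile['name'])), ".php")
-|| strstr(strip_tags(strtolower($uploadFile['name'])), ".php")
-|| strstr(strip_tags(strtolower($uploadFile['name'])), ".svg")
-
-) {
+if($this->isDangerFilename($uploadFile['name'])){
 return false;
-}
+}
+
 $oss_open = D("Options")->get("oss_open" ) ;
 if ($oss_open) {
 $url = $this->uploadOss($uploadFile);
@@ -290,6 +287,27 @@ public function getQiuniuEndpointByKey($key,$bucket){
 
 }
 
+// 判断文件名是否包含危险的扩展名
+public function isDangerFilename($filename){
+
+$isDangerStr = function ($filename , $keyword){
+if(strstr(strip_tags(strtolower( $filename )), $keyword) ){
+return true ;
+}
+return false;
+};
+if (
+$isDangerStr($filename , ".php")
+|| $isDangerStr($filename , ".svg")
+|| $isDangerStr($filename , ".htm")
+|| $isDangerStr($filename , "%")
+) {
+return true;
+}
+
+return false;
+}
+
 
 
 }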
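Review bot: `isDangerFilename` in the second hunk is a substring denylist (`strstr` on the lowercased name for `.php`, `.svg`, `.htm`, `%`), so any extension not on the list is accepted and the decision never looks at the real extension of the name; a denylist like this has to be kept complete forever, whereas an allowlist of the extensions the product actually needs fails closed when something new appears. Suggest keeping the method name and its true-means-reject contract but deriving the extension with `pathinfo()` and comparing it against an allowlist, as sketched below with placeholder entries to be filled from the real requirements; the `%` rejection is kept because the name presumably feeds a path or URL later (not visible here), and `strip_tags` is dropped since it has no clear role in a filename check. If `attachmentUpload` genuinely must accept arbitrary document types, the allowlist should still be the mechanism, just with a wider list. The `upload()` method in the first hunk calls this helper and inherits the change; `upload()` continues outside the hunk.
```php
// 判断文件名是否包含危险的扩展名 (allowlist: only listed extensions are accepted)
public function isDangerFilename($filename){
    // PLACEHOLDER list: replace with the extensions the product is required to accept
    $allowed = ['jpg', 'jpeg', 'png', 'gif'];
    $name = strtolower(trim((string)$filename));
    // reject empty names, percent-encoding and embedded NUL before looking at the extension
    if ($name === '' || strpos($name, '%') !== false || strpos($name, "\0") !== false) {
        return true;
    }
    $ext = pathinfo($name, PATHINFO_EXTENSION);
    return $ext === '' || !in_array($ext, $allowed, true);
}
```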
