Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Code logic error causes file upload getshell Verify version:Thinkphp5.1.41/Thinkphp5.0.24 Install:composer create-project topthink/think tp 5.xxx
test version:Thinkphp5.1.41 If the user directly uses the move method of thinkphp like this:Add an upload controller like the official documentation:https://www.kancloud.cn/manual/thinkphp5_1/354121
<?php namespace app\index\controller; class Upload { public function index(){ // 获取表单上传文件 例如上传了001.jpg $file = request()->file('image'); // 移动到框架网站目录/uploads/ 目录下 $info = $file->move( './uploads'); if($info){ // 成功上传后 获取上传信息 // 输出 jpg echo $info->getExtension(); // 输出 20160820/42a79759f284b767dfcb2a0197904287.jpg echo $info->getSaveName(); // 输出 42a79759f284b767dfcb2a0197904287.jpg echo $info->getFilename(); }else{ // 上传失败获取错误信息 echo $file->getError(); } } }
Will cause the file with the suffix php to be uploaded directly Because in thinkphp\library\think\File.php line 272 it is allowed
thinkphp\library\think\File.php
public function checkImg() { $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION)); /* 对图像文件进行严格检测 */ if (in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']) && !in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13])) { $this->error = 'illegal image files'; return false; } return true; }
I think the problem is that true and false are written in reverse. And !in_array getImageType
The logic should be?
public function checkImg() { $extension = strtolower(pathinfo($this->getInfo('name'), PATHINFO_EXTENSION)); /* 对图像文件进行严格检测 */ if (in_array($extension, ['gif', 'jpg', 'jpeg', 'bmp', 'png', 'swf']) && in_array($this->getImageType($this->filename), [1, 2, 3, 4, 6, 13])) { return true; } return false; }
The text was updated successfully, but these errors were encountered:
No branches or pull requests
Code logic error causes file upload getshell
Verify version:Thinkphp5.1.41/Thinkphp5.0.24
Install:composer create-project topthink/think tp 5.xxx
test version:Thinkphp5.1.41
If the user directly uses the move method of thinkphp
like this:Add an upload controller like the official documentation:https://www.kancloud.cn/manual/thinkphp5_1/354121
Will cause the file with the suffix php to be uploaded directly
Because in
thinkphp\library\think\File.phpline 272 it is allowedI think the problem is that true and false are written in reverse. And !in_array getImageType
The logic should be?
The text was updated successfully, but these errors were encountered: