前台会员头像上传任意文件,finecms v5.2及之后的版本已修复此漏洞,大家可以对比一下代码确认
涉及文件:/finecms/dayrui/controllers/member/Account.php
public function upload() {
// 创建图片存储文件夹
$dir = SYS_UPLOAD_PATH.'/member/'.$this->uid.'/';
@dr_dir_delete($dir);
!is_dir($dir) && dr_mkdirs($dir);
if ($_POST['tx']) {
$file = str_replace(' ', '+', $_POST['tx']);
if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $file, $result)){
$new_file = $dir.'0x0.'.$result[2];
if (!@file_put_contents($new_file, base64_decode(str_replace($result[1], '', $file)))) {
exit(dr_json(0, '目录权限不足或磁盘已满'));
接收txt的参数.然后匹配了正则.最后取出内容和文件后缀部分。再直接存盘.文件名都是统一的0x0
仅仅是需要记住当前用户的id就可以搞定了
网络修复方案:
if (preg_match('/^(data:\s*image\/(png|jpg|jpeg);base64,)/', $file, $result)){
官方修复方案:升级到最新版,或手动替换代码
public function upload() {
// 创建图片存储文件夹
$dir = dr_upload_temp_path().'member/'.$this->uid.'/';
@dr_dir_delete($dir);
!is_dir($dir) && dr_mkdirs($dir);
if ($_POST['tx']) {
$file = str_replace(' ', '+', $_POST['tx']);
if (preg_match('/^(data:\s*image\/(\w+);base64,)/', $file, $result)){
$new_file = $dir.'0x0.'.$result[2];
if (!in_array(strtolower($result[2]), array('jpg', 'jpeg', 'png', 'gif'))) {
exit(dr_json(0, '目录权限不足'));
}
if (!@file_put_contents($new_file, base64_decode(str_replace($result[1], '', $file)))) {
exit(dr_json(0, '目录权限不足'));
} else {
list($width, $height, $type, $attr) = getimagesize($new_file);
if (!$type) {
@unlink($new_file);
exit(function_exists('iconv') ? iconv('UTF-8', 'GBK', '图片字符串不规范') : 'error3');
}
$this->load->library('image_lib');
$config['create_thumb'] = TRUE;
$config['thumb_marker'] = '';
$config['maintain_ratio'] = FALSE;
$config['source_image'] = $new_file;
foreach (array(30, 45, 90, 180) as $a) {
$config['width'] = $config['height'] = $a;
$config['new_image'] = $dir.$a.'x'.$a.'.'.$result[2];
$this->image_lib->initialize($config);
if (!$this->image_lib->resize()) {
exit(dr_json(0, '上传错误:'.$this->image_lib->display_errors()));
break;
}
}
// ok
$my = SYS_UPLOAD_PATH.'/member/'.$this->uid.'/';
@dr_dir_delete($my);
!is_dir($my) && dr_mkdirs($my);
$c = 0;
if ($fp = @opendir($dir)) {
while (FALSE !== ($file = readdir($fp))) {
$ext = substr(strrchr($file, '.'), 1);
if (in_array(strtolower($ext), array('jpg', 'jpeg', 'png', 'gif'))) {
if (copy($dir.$file, $my.$file)) {
$c++;
}
}
}
closedir($fp);
}
if (!$c) {
exit(dr_json(0, fc_lang('未找到目录中的图片')));
}
}
} else {
exit(dr_json(0, '图片字符串不规范'));
}
} else {
exit(dr_json(0, '图片不存在'));
}
转载于:https://blog.51cto.com/13785115/2128603